Experts Warn of Maritime Industry’s Cyber Vulnerabilities

Experts Warn of Maritime Industry’s Cyber Vulnerabilities
George I. Seffers Feb 27, 2025 https://www.afcea.org/signal-media/cyber-edge/experts-warn-maritime-indu...

Maritime businesses invest in drones and unmanned vessels, expanding cyber exposure.

The U.S. maritime industry is vulnerable to potential cyber attacks, according to a panel of experts at the AFCEA Atlanta Chapter’s Homeland Security Conference in Atlanta, Georgia, February 26-27.

The panel included moderator Daniel Turissini, a cybersecurity specialist with a Merchant Marine background, Rick Siebenaler, CEO of the nonprofit Maritime Cybersecurity Institute, and Rear Adm. John Mauger, USCG (Ret.).

The panelists issued the warning in part because of the economic impact a successful cyber attack could have on shipping activities. According to Siebenaler, the United States also has 18 strategic ports for shipping military goods. Also, 90% of U.S. imports and exports flow through a port. That represents about 25%-35% of the nation’s gross domestic product. Mauger added that the maritime industry contributes $5.4 trillion annually to the gross domestic product and that one in eight Americans can “tie their work in some way back to the maritime transportation system.”

The cybersecurity challenges include complex jurisdiction issues. The Coast Guard has jurisdiction on or around U.S. waterways, but “as soon as you get to the land, the jurisdiction and control kind of breaks down pretty quickly,” Siebenaler said. “Adding complexity to that, most of our ports or the related businesses around them, to trucking companies, etc., are owned either at the state level or the city or the county, the port authority, or the small and medium-sized businesses that surround that: the tugboat operators, the trucking lines, the warehouse companies, etc.”

Siebenaler stated that the small and medium-sized businesses that make up the vast majority of the maritime industry underinvest in cybersecurity, even though they likely wouldn’t survive a major attack. “All I have to do is go after one or two of those [businesses]. If I pick the right ones, say, for example, I pick the people who put fuel on a ship. If I go after that group, I can get in there. I can stop the ability to fuel a ship. Suddenly, commerce isn't happening at that location. Do a ransomware attack, whatever it may be,” he said.

The GPS technology that ships use can be spoofed. “If I can tell the ship that it’s 500 feet over there, and it's two o'clock in the morning and it’s foggy, we have another Key Bridge incident that happens, and there's not a lot that can be done to protect against that right now,” Siebenaler warned.

Other technologies, such as the automatic identification systems used to identify ships, can compound the problem. Like GPS, identification systems can be spoofed and attacked and used to create all kinds of nefarious scenarios. Siebenaler likened the terminal operating systems to an enterprise resource planning (ERP) system. The terminal operating systems use radio frequency identification tags to track shipping containers, for example. “So, there's a big ERP system that typically runs a port authority or is used by a port authority, and there are a variety of vulnerabilities within that technology that aren’t fully understood and fully disclosed.”

Furthermore, he said, the maritime industry wouldn’t be considered “sexy” to many cyber experts, making it hard for the industry to hire. Those who are hired may be familiar with common systems, such as Windows and Unix platforms, but they have to be trained on maritime-specific systems.

Siebenaler estimated the maritime industry is 20 years behind on cybersecurity but is investing in other technologies. “We have autonomous vehicles in ports. We have remote underwater autonomous vehicles that are being deployed, lots of drones that are starting to be deployed, big data systems, ERP systems, as I mentioned earlier, [radio frequency identification] data.”

And much of the technology is provided by nations that compete with the United States, such as China. “There's a big linkage in tracking of shipping data that is all based upon technology and services and systems that are provided by China. So, pretty much any ship and the goods that are on that ship is known and understood by China as a free service that they offer to the industry. So we have a bunch of very unique issues and challenges that aren't well understood.”

The country has made some progress, Mauger noted. The Coast Guard’s 2021 cybersecurity strategy document included protecting the maritime transportation system. Once we put that framework of protecting the maritime transportation system in place and set out those goals, then we started working through the policies and regulations needed to make that happen. In 2024, you saw an executive order come out of the White House to reinforce how important the maritime transportation system is,” he said, adding that the executive order emphasized the cyber threat posed by China-manufactured cranes that were used at many ports.

“And then last year, the Coast Guard published a notice of proposed rulemaking that applies to ships and port facilities. And then, in January this year, they published a final rulemaking. So now, the framework has been set, but there are still many gaps along the way,” Mauger offered.