Maritime cybersecurity has a definition problem: few of us try to define what maritime cybersecurity actually means, writes Dinos Kerigan-Kyrou AmRINA, co-founder of the RINA Cybersecurity Task Force. The term has become synonymous with computers and IT paraphernalia but, while IT is clearly a critical component of cybersecurity, what is not fully realised – including by many in the ‘cybersecurity industry’ – is that cybersecurity also includes the disciplines of law, criminology, business, politics and international relations, organisational behaviour, psychology and human interactions (aka human factors).
Cybersecurity can be defined as the security of cyberspace, the online environment in which everyone now lives and works. In the maritime environment, cybersecurity is part of everything we do – in port, on rivers and at sea, within the shipyards and within our supply chains. Cybersecurity also concerns our critical maritime infrastructure, including our underwater critical infrastructure, such as subsea communications and energy cables, offshore energy platforms and underwater sensors.
Nefarious actors – be they hostile states, terrorists, activist extremists or criminals – target the maritime environment in a combination of ways. Firstly, cyberspace is the facilitator for all nefarious maritime activity. Human trafficking and the smuggling of narcotics, wildlife and antiques facilitate the financing of organised crime and terrorist activity. Cyberspace also provides ‘gateways’ for nefarious actors to target maritime activity. One gateway is the targeting of connected devices – sometimes called the Internet of Things (IoT).
Vessels are increasingly equipped with IoT-enabled control systems connected to online networks. They include: power management systems; loading, stability and container monitoring systems; alarms and the bridge control consoles; ECDIS, AIS and navigation decision support (NAVDEC); voyage data recorders; computerised automatic steering; and the global maritime distress and safety system (GMDSS). Ports also increasingly comprise multiple examples of IoT, including: port security; access control and ID cards; CCTV; automated cargo-handling equipment; terminal operating centres; cranes; and integrated supply chain logistical systems. Moreover, port IoT devices are directly interacting with vessels’ IoT, including communications, the GPS, lock operations, maintenance and management, pollution and environmental control systems.
Extensive maritime IoT testing has found significant vulnerabilities, creating a situation where connected devices can be directly targeted. This includes device ‘spoofing’, where vessels’ positions can be faked. For example: the photo below, taken by the author at a European university maritime cybersecurity research lab, shows a buoy fitted with an inexpensive Raspberry Pi computer. This can easily create a fictitious ‘spoof’ vessel wherever the buoy is located. Moreover, the cybersecurity risks created by personal devices – laptops, tablet computers, smartwatches, virtual assistants, and smartphones, all of which have cameras and microphones – can be as great as those of the devices built into vessels.
A buoy, fitted with a Raspberry Pi, can create a fictitious ‘spoof’ vessel wherever the buoy is located (image: Dinos Kerigan-Kyrou)
So, what is being done? IMO has produced Guidelines on Maritime Cyber Risk Management (updated in 2025), which provide a framework for the maritime industry to progress cybersecurity. This IMO document is greatly expanded upon by the UK and the EU – both of which are making cybersecurity requirements legally enforceable.
Legislation in the EU and, soon, the UK is transforming the cybersecurity responsibilities of directors and boards. The EU’s ‘NIS 2’ Directive, the EU Cyber Resilience Act, and soon the UK’s Cyber Security and Resilience Bill place cybersecurity responsibilities squarely on directors, including for the security of their supply chains (the EU legislation applies to any company with even just one EU / European Economic Area customer, regardless of its global location). In other words, failure of maritime board directors to address their cybersecurity and that of their supply chains in the EU (and soon the UK) is now a criminal offence.
The Royal Institution of Naval Architects (RINA) is playing an increasingly critical role in developing maritime cybersecurity, having established a Maritime Cybersecurity Task Force in the past year. The group aims to bring together RINA members with world-leading expertise, to share information and make cyberspace safer for everyone in the maritime environment. Crucially important is that RINA supports and endorses the Maritime Cyber Baseline certification established by IASME (a UK cybersecurity certification company that is also the delivery partner for the UK National Cyber Security Centre’s ‘Cyber Essentials’ certification).
For the full, in-depth article, don’t miss the August 2025 issue of The Naval Architect