Article

Preventing Catastrophic Cyber–Physical Attacks on the Global Maritime Transportation System: A Case Study of Hybrid Maritime Security in the Straits of Malacca and Singapore

by
Adam James Fenton
Centre for Trust, Peace and Social Relations, Coventry University, Coventry CV1 5FB, UK
J. Mar. Sci. Eng. 2024, 12(3), 510; https://doi.org/10.3390/jmse12030510
Submission received: 21 January 2024 / Revised: 11 March 2024 / Accepted: 15 March 2024 / Published: 19 March 2024

Abstract

This paper examines hybrid threats to maritime transportation systems and their governance responses, focusing on the congested Straits of Malacca and Singapore (SOMS) as an illustrative case study. The methodology combines secondary sources with primary data from 42 expert interviews, a 28-respondent survey, and two maritime security roundtables. Key findings were that ships’ critical systems are increasingly interconnected, yet aging IT infrastructure and minimal cybersecurity awareness among crews heighten risks. Meanwhile, regional terrorist groups have previously targeted shipping and shown considerable skill in exploiting online tools, aligning with broader calls for jihadist violence. Furthermore, opportunistic piracy persists in the SOMS with the potential to disrupt shipping. Experts confirmed that maritime cybersecurity lags behind other critical infrastructure sectors and needs updated governance. Initial International Maritime Organization (IMO) guidelines lack specificity, but revisions and updated IMO guidance are in process, while port state implementation of maritime cybersecurity standards varies. Crucially, information sharing remains inadequate, even as recorded attacks increase. Findings underscore that although major hybrid incidents have not occurred, simulations and threat actors’ capabilities demonstrate potential for catastrophic collisions or cascading disruption in congested waterways. Mitigating factors like redundancy and crew training are currently deficient. Some alignment between SOMS states on maritime security cooperation exists, but not on cyber threats specifically. Key recommendations include an anonymous cyber attack reporting system, reinforced training and shipboard systems, and consolidated regional frameworks. Until these priorities are addressed, the analysis concludes that hybrid vulnerabilities in this vital global chokepoint remain a serious concern.

1. Introduction

Incidents such as an escalation of Houthi attacks on shipping through the Red Sea [1], blockage of the Suez Canal by M.V. Ever Given in 2021 [2] and the paralysing malware attack on shipping giant Maersk in 2018 [3], underscore both the critical importance of the maritime transportation system (MTS) to global supply chains and its acute vulnerability to disruptive kinetic, cyber, or cyber–physical attack. This article will discuss hybrid threats to the MTS in response to three broad research questions: first, what are the greatest hybrid threats to maritime security, taking account of the unique nature of Information Technology (IT) and Operational Technology (OT) systems in ships? Second, who are the most likely non-state actors to exploit such weaknesses and what are the likely attack vectors? Third, what governance regimes exist at the intersection of maritime security and cybersecurity to protect or mitigate against hybrid attacks on shipping? As a lens through which to view and discuss hybrid maritime security and its governance the article focusses on shipping through one of the world’s most congested shipping chokepoints, the Straits of Malacca and Singapore (the “SOMS”). Policy recommendations arising from research are relevant and applicable to hybrid maritime security in international shipping in general, and to other strategic global chokepoints in particular, such as the Bab Al Mandeb strait, Suez Canal, Panama Canal, and others [4].
Following a literature review setting out the background and current landscape in the field of maritime hybrid security in general, the results of the mixed-methodology research combining primary sources (survey, interview and roundtable discussions) and secondary sources (academic literature, grey literature and media reporting) groups its findings into five broad categories forming the overall structure of the article as follows.
Results informed by survey: (1) broad industry and academic views on the current state of Information and Communication Technology (ICT) and emerging technology, security, and governance in the maritime sector. Results from the survey then guided more in-depth exploration of issues informed by interview and roundtable discussion results: (2) threat analysis of global shipping; (3) threat analysis focussed on the SOMS littoral states of Indonesia, Singapore, and Malaysia (and activities in adjacent countries that impact security in the SOMS such as terrorist and pirate activity originating from the Southern Philippines); (4) global governance (that is results that apply to the governance of hybrid security in international shipping in general); and (5) regional governance (results that are specific to the governance of hybrid maritime security in the region of Southeast Asia and the SOMS littoral states in particular).
Survey results indicate strong support for several key findings: (1) Information and Communication Technology (ICT), networked devices, and emerging technology onboard ships creates new challenges for maritime security; (2) current levels of cybersecurity in ships are insufficient; (3) criminal cyber attacks on the maritime sector have occurred in the past and will continue to be exploited by criminal groups; (4) cybersecurity in the maritime sector lags behind other sectors; and (5) current regulations are insufficient to address challenges posed by new technology.
Interview and roundtable results support several key findings relevant to categories 2, 3, 4, and 5 above: multiple factors contribute to vulnerabilities of ships to cyber attack—a convergence of IT and OT systems, greater connectivity through Low Earth Orbit (LEO) satellites, outdated legacy software and hardware, and a paucity of information sharing about cyber attacks in the maritime sector. Likely attack vectors in the maritime sector include all of the same threats to land-based businesses—ransomware, phishing, Business Email Compromise (BEC)—and several more that are unique to the sector; for example, malware capable of disabling a ship’s navigational interfaces or critical OT systems such as steering and engines, and/or AIS/GPS spoofing or jamming causing confusion and potential for collisions at sea. With regard to the convergence of cyber and physical systems, a key finding of the research is that Cyber/online/IT/software systems cannot and must not be considered in isolation, rather they must be analysed and managed in the context of the physical/OT systems to which they are connected—hence this article’s emphasis on hybrid threats rather than purely cybersecurity or cyber threats. Furthermore, regional threat actors in Southeast Asia have in the past specifically targeted and sought to disrupt shipping and a number of key terrorist and criminal attacks on regional shipping—some of which have spanned the cyber–physical divide—are examined. Regional threat actors show a greater proficiency in the use of digital technology to achieve their goals. However, whereas some incidents of cyber–physical interference on ships’ critical systems have been recorded, to date there has not been a catastrophic cyber–physical attack on shipping, but such attacks are theoretically proven to be possible and have been simulated in laboratory tests. 
Finally, some international governance measures are underway to mitigate hybrid threats to shipping, but they are in the early stages of development and need to be further consolidated through key bodies like the IMO and leading national governments such as the UK, US, and EU—some recommendations are made in this regard. In the absence of a universal framework for maritime cybersecurity, the article recommends SOMS littoral states rapidly build upon existing solid multi-lateral regional cooperation initiatives such as the Malacca Straits Patrols (MSP), the Regional Cooperation Agreement on Combating Piracy and Armed Robbery against Ships in Asia (ReCAAP), and frameworks under the auspices of the Association of Southeast Asian Nations (ASEAN) such as the ASEAN Coastguard Forum (ACF), ASEAN Maritime Outlook (AMO), ASEAN Defence Ministers Meeting (ADMM), and others. This rapid, regional-focussed approach may be relevant for consideration to other global shipping chokepoints mentioned above.

2. Literature Review

Conducting “a systematic literature review and bibliometric analysis of the available academic research studies in the discipline of maritime cybersecurity”, Bolbot et al. note that with an increase in publications beginning in 2017, this field of research has “only recently received appropriate attention” and that the broad themes of the published academic literature to date include “the regulatory framework in connection to maritime cybersecurity, the vulnerabilities in maritime systems, potential cyber attack scenarios, and risk assessment techniques” [5]. Bolbot et al. further conclude that the leading countries publishing in this field are “Norway, the United Kingdom, France and the USA” [5], indicating a lack of analysis from other areas such as Asia and Africa. As such, this study, which focusses on a specific geographical region in Southeast Asia, the SOMS, provides a novel perspective on the themes of regulatory frameworks and threat analysis. Drummond and Machado [6] provide a systematic literature review of Port Facility Cyber Risk Management and highlight a range of International Standards Organisation (ISO) and National Institute of Standards and Technology (NIST) approaches to cyber risk management in ports. Svilicic et al. [7] examine penetration testing of an Integrated Navigation System (INS), identify technical vulnerabilities and “point out cyber threats related to weaknesses of the INS underlying operating system, suggesting a need for occasional preventive maintenance”. As such, the focus of this and many other papers identified by Bolbot is operational or technical in nature. Of the “few identified studies” [5] that focus on maritime law and insurance frameworks identified in the literature review from Bolbot, Al Ali et al. [8] identify that “there is still no proper legal mechanism for regulating cybersecurity due to the lack of universal approach to the conceptual apparatus of cybersecurity and international cooperation in this area”. De Faria recommends “a robust and well-defined “code” that broadens and concretises a “new” concept of maritime safety in the broad sense” [9]. Hopcraft and Martin argue the case for “a standalone Cyber Code” under the auspices of the International Maritime Organization (IMO), noting “it is often a specific newsworthy event, or disaster, which acts as a catalyst for discussion and change within the IMO”, citing the Titanic disaster of 1912 and the Deepwater Horizon explosion of 2010 as two notable examples leading to the Safety of Life at Sea (SOLAS) Convention and “the instigation of numerous amendments to IMO regulations relating to oil spills” [10].
Multiple sources, summarised below, have discussed hybrid vulnerabilities within the Maritime Transportation System (MTS) and the potential for a catastrophic attack and disruption to global supply chains. The complex “system of systems” [11] that comprises the global Maritime Transportation System (MTS) is critical to the smooth running of global trade and commerce. In the words of the UN Conference on Trade and Development (UNCTAD), it is “the backbone of international trade and the global economy” [12]. As is often noted in discussions around maritime security and “sea blindness” [13], “around 90% of traded goods are carried over the waves” [14]. If the MTS were to suffer a catastrophic breakdown it could potentially result in severe disruption to global supply chains and concomitant economic, political, and social disorder. Key stakeholders are now beginning to understand the MTS’s growing dependence on complex digital and automated systems [15,16,17], and the vulnerabilities of those systems to malicious cyber–physical interference [18] capable of causing a catastrophic collision or simultaneous cascading disruption to fleets of ships, or a major port.
The pursuit of enhanced efficiency, decarbonisation, cost reduction, and improved safety necessitates technological solutions. In the words of UNCTAD: “beyond cleaner fuels, the industry needs to move faster towards digital solutions like AI and blockchain to improve efficiency as well as sustainability” [12]. Enormous investment is being poured into developing autonomous ships [19,20,21,22,23,24], and other ways AI can be applied to the MTS [25,26]; such as improved ship design, streamlining work processes, automated monitoring of critical systems like engines, ballast and navigation, and optimised voyage planning, to name a few. While automation can improve efficiency, situational awareness, and safety, the increasing dependence on networks comprising sensors, communication, and Internet of Things (IoT) devices is driving a convergence of IT and OT. In the words of leading UK researchers “this convergence can provide useful monitoring and fine-grained control, sometimes even remotely, but also increases the possibility a cyber-attack could have physical consequences” [27].
Kinetic impacts on a ship’s OT have been demonstrated in the laboratory, proving a capability to alter the rudder angle and engine function. Using a known Common Vulnerabilities and Exposures (CVE) entry and a firmware update attack on a Programmable Logic Controller (PLC), the malicious firmware is able to use geo-fencing to define the entry coordinates to a port and begin to manipulate NMEA data. (NMEA 0183 and NMEA 2000, from the National Marine Electronics Association (NMEA), are standards for electronic communication between devices in ships. NMEA allows equipment to exchange information over a single communication network, allowing the integration of multiple devices including navigation, sensors, engine monitoring and others.) A number of simulated studies have attempted to estimate the potential economic impacts of the shutdown of a major port or strait, such as Seville or the Straits of Malacca and Singapore (the SOMS) [28,29]. A real-world demonstration of the enormous economic costs from a blockage of a major chokepoint came with the grounding of the giant container ship M/V Ever Given in 2021 [2]. While some speculated that the Ever Given grounding could have been due to a cyber attack [30], the official report concluded that the root cause of the incident was “loss of maneuverability of the ship” due to “wind speed, wind direction, squat, bank suction” and communication difficulties between the two pilots and the master and bridge crew [31]. Regardless of the cause, losses from the grounding were estimated at USD 400 m (GBP 290 m) per hour or USD 9.6 bn (GBP 7 bn) in trade and goods per day [2]. In comparison to the Suez Canal, which has around 50 ships transiting each day, the SOMS has around 90,000 ships per year or up to 300 ships per day [32], which would make a blockage potentially six times worse by volume.
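As an added illustration (not code from this paper or from the laboratory study it describes), the following Python sketch shows a defender-side sanity check on NMEA 0183 position sentences of the kind a bridge network monitor could apply. It validates the sentence checksum, which only detects corruption and can be recomputed by anyone who alters the data, and then flags fixes whose implied speed is physically implausible for a ship. The function names, the 40-knot ceiling, the 5-knot tolerance and the sample sentences are assumptions constructed for this example.

```python
import math
from functools import reduce

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


def checksum(body: str) -> int:
    """NMEA 0183 checksum: XOR of every character between '$' and '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)


def frame(body: str) -> str:
    """Wrap a sentence body as '$<body>*<two hex digits>'."""
    return f"${body}*{checksum(body):02X}"


def checksum_ok(sentence: str) -> bool:
    """True if the trailing hex checksum matches the sentence body."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence.strip()[1:].partition("*")
    try:
        return checksum(body) == int(given[:2], 16)
    except ValueError:
        return False


def _to_degrees(value: str, hemisphere: str) -> float:
    """Convert NMEA (d)ddmm.mmm plus hemisphere letter to signed degrees."""
    raw = float(value)
    degrees = int(raw // 100)
    signed = degrees + (raw - degrees * 100) / 60.0
    return -signed if hemisphere in ("S", "W") else signed


def parse_rmc(sentence: str):
    """Return (seconds_of_day, lat, lon, sog_knots) for a valid RMC fix, else None."""
    fields = sentence.strip()[1:].partition("*")[0].split(",")
    if len(fields) < 8 or not fields[0].endswith("RMC") or fields[2] != "A":
        return None
    hhmmss = fields[1]
    seconds = int(hhmmss[0:2]) * 3600 + int(hhmmss[2:4]) * 60 + float(hhmmss[4:])
    return (seconds, _to_degrees(fields[3], fields[4]),
            _to_degrees(fields[5], fields[6]), float(fields[7]))


def distance_nm(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def audit_track(sentences, max_knots=40.0, sog_tolerance=5.0):
    """Return (index, reason) for every sentence that fails a check.

    Rejected fixes are not used as the baseline for the next comparison
    (a design choice of this example). Midnight rollover is not handled.
    """
    findings, last = [], None
    for i, sentence in enumerate(sentences):
        if not checksum_ok(sentence):
            findings.append((i, "bad_checksum"))
            continue
        fix = parse_rmc(sentence)
        if fix is None:
            findings.append((i, "not_a_valid_rmc_fix"))
            continue
        if last is not None:
            dt = fix[0] - last[0]
            if dt <= 0:
                findings.append((i, "time_not_increasing"))
                continue
            implied = distance_nm(last[1], last[2], fix[1], fix[2]) / (dt / 3600.0)
            if implied > max_knots:
                # Checksum is valid, yet the ship cannot have moved this far.
                findings.append((i, "implausible_jump"))
                continue
            if abs(implied - fix[3]) > sog_tolerance:
                findings.append((i, "sog_mismatch"))
                continue
        last = fix
    return findings


# Constructed sample track (not real traffic): one fix per minute at 12 knots.
SAMPLE_TRACK = [
    frame("GPRMC,120000,A,0115.000,N,10345.000,E,12.0,090.0,150324,,"),
    frame("GPRMC,120100,A,0115.000,N,10345.200,E,12.0,090.0,150324,,"),
    # Position displaced by 2 minutes of latitude, checksum correctly recomputed.
    frame("GPRMC,120200,A,0117.000,N,10345.400,E,12.0,090.0,150324,,"),
    # Speed field altered after framing, so the checksum no longer matches.
    frame("GPRMC,120300,A,0115.000,N,10345.600,E,12.0,090.0,150324,,").replace("12.0", "02.0", 1),
    frame("GPRMC,120400,A,0115.000,N,10345.800,E,12.0,090.0,150324,,"),
]

if __name__ == "__main__":
    for index, reason in audit_track(SAMPLE_TRACK):
        print(index, reason)
```

The third sample sentence passes the checksum and is caught only by the plausibility test, which is why integrity checks on NMEA data need to look at the physical meaning of the values rather than the framing alone.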
Multiple sources confirm that disruptive attacks on shipping using cyber and cyber–physical attack vectors are increasing and evolving. The Maritime Cyber Attack Database (MCAD) (https://maritimecybersecurity.nl/, accessed on 15 December 2023) [33] compiled by researchers at NHL Stenden University, Netherlands, provides an interactive global representation of open-source discrete cyber attacks on the maritime transportation sector. At the time of writing, researchers have catalogued around 165 incidents of cyber attack on the MTS, with further attacks being added through continuous updating. See Figure 1.
Given the sometimes secretive nature of responses to cyber attack, the creators of the MCAD admit that these open-source recorded incidents are just the “tip of the iceberg” [33,34]. This foreshadows one of the main challenges in maritime cybersecurity, a lack of information sharing, discussed further below.
On the evolving nature of attacks, maritime cybersecurity expert Kessler commented:
One of the things that has really dramatically changed over the years is the attacker’s strategy. In the old days, attacks tended to be opportunistic, if an attacker could get into your network, they would immediately roll over a server, they would deface a website, put up some porn, that sort of stuff. But attackers don’t do that anymore, and they haven’t done that for at least a decade. If attackers can get into your network now, they basically sit and they exfiltrate data, perhaps they do destroy a server or take you off the air, but they do it at a time of their choosing, and we’ve had all sorts of examples of this from the last couple of years. [35]
A number of notable attacks on the MTS in recent years include the following: a ransomware attack on “well-established IT consulting firm” Danaos, which “hit multiple Greek shipping companies” in November 2021 [36]; cruise line operator Carnival Corp was fined USD 5 million for “significant” cybersecurity violations, following four security breaches from 2019 to 2021 [37]; a “serious cyberattack” which “disrupted operations at several of Australia’s largest ports, causing delays and congestion” in November 2023 [38]; multiple cyber attacks on northern European ports in Germany, Netherlands, and Belgium “targeting the region’s oil operations” [39]; cyber attacks on merchant ships off the coast of Somalia by pirate groups able to remotely disable ships transiting past Djibouti [33]; and the oft-cited NotPetya attack on Maersk in 2018 [40]. Other notable categories of attack on the MTS are spoofing of Automatic Identification System (AIS) signals [3,41,42]; GPS jamming, including mass jamming of GPS signals of South Korean vessels allegedly by North Korea [43]; a hybrid pirate attack combining hacking of a shipping company’s database, then boarding a vessel transiting the SOMS and using barcode readers to target specific containers on the ship [44]; and spoofing of AIS signals of two NATO warships to make it appear as though they were approaching a Russian naval base [45,46].

3. Methodology

This research utilised a mixed methods approach combining secondary sources with primary data collected through a survey, semi-structured interviews, and expert roundtable discussions. This methodology enabled investigating the research questions from different perspectives and gathering insights from diverse experts across countries and sectors.
The research design involved first conducting a review of the relevant literature to establish a base level of understanding of current state of the art in the field. Through an initial review of the background literature, including peer-reviewed academic articles, International Maritime Organization (IMO) guidelines, international laws, treaties, and case law, on the broad themes of maritime cybersecurity, maritime hybrid security, threats to shipping, and maritime security threats in Southeast Asia, as well as the grey literature, industry reports, media reporting, and relevant databases, the researcher identified key themes leading to the formulation of research questions. The research questions guided the formulation of survey and interview questions along several key themes including the following: the nature of technological developments in the maritime sector, the security implications of technology in the maritime sector, the nature and sufficiency of governance frameworks in relation to technological developments, and analysis of threat actors in the maritime sector. This led to formulation of three overarching key research questions for this study:
RQ1: Taking account of technological advancements in ICT systems in ships, what are the greatest cyber and hybrid threats to maritime transportation systems, specifically to ships transiting congested waterways?
RQ2: What threat actors are most likely to exploit cyber vulnerabilities in shipping and what attack vectors might they employ?
RQ3: What existing international, national, regional or domestic governance regimes address maritime cybersecurity and where are the gaps or weaknesses?
Secondary data included academic articles, international law texts such as the International Safety Management code (ISM), the Safety of Life at Sea convention (SOLAS), other international maritime treaties, case law, media reports, the grey literature, and data from the Maritime Cyber Attack Database (MCAD) compiled by NHL Stenden University of Applied Sciences, Netherlands.
Primary data sources are detailed in the following sections.

3.1. Survey

An anonymous online survey using Joint Information Systems Committee (JISC) Online Surveys (JOS, formerly BOS) sought generic views from 28 respondents on issues of emerging technology in the maritime sector and related policy and legal challenges. The initial literature review informed the drafting of a set of 15 questions plus one final open-ended option to give “any further comments”. The survey was piloted and revised before deployment. Each question sought a response on a five-point Likert scale from Strongly Disagree/Disagree/Neutral/Agree/Strongly Agree. Respondents were also given the option to select Other in addition to the Likert response, and a text box allowed comments to be typed in response to each question. Several qualitative comments were collected this way. Responses were requested only from respondents who had expert knowledge of maritime security, and for that reason participants were invited to complete the survey via LinkedIn professional groups and the JISC professional Maritime Security mailing list. As a result, the survey was completed by 28 practitioners, experts, and academics working in the field of maritime security. While the survey was anonymous, some respondents provided their contact details in the comments section, leading to further contact and interview.
Results of the survey were compiled into pie chart representations for the responses to Likert scale questions and text comments were compiled for qualitative analysis into themes and used to inform the development of questions for phase 2 of data collection: interviews. Relevant survey findings are integrated in the results and discussion sections below.

3.2. Interviews

Primary data were collected through 42 in-depth semi-structured interviews lasting 60–90 min with experts in security, law, policy, maritime security, and cybersecurity from academia, government, and NGOs in two sets from Southeast Asia and Europe/UK. Interviewees were based in multiple relevant countries including the following: Indonesia, Singapore, Malaysia, UK, Netherlands, and US. Participants were identified using a purposive sampling strategy based on a combination of key factors: the individuals’ employing organisation, the relevance of their role/remit, their career history and experience in respect of engaging with law, policy, and regulation in cybersecurity, technology, shipping, and maritime security, to ensure informed responses to the research questions. A semi-structured approach including a variety of mainly open-ended questions meant the line of questioning was consistent while allowing for elaboration in response to a participant’s particular area of expertise. Participants came from a cross-section of government and regulators, including representatives from national government agencies and NGOs in the littoral states of Indonesia, Singapore and Malaysia, including the National Maritime Institute (NAMARIN Indonesia), the Indonesian Coast Guard agency (Badan Keamanan Laut, BAKAMLA), Indonesian National Police (POLRI), Indonesian Navy (TNI AL), the Maritime Institute of Malaysia (MIMA), the S. Rajaratnam School of International Studies (RSIS) Singapore, as well as other representatives from industry, academia, and independent researchers and authors, in the UK, Europe, and Southeast Asia.
All interviews were conducted either face to face at the interviewees’ workplace, or by videoconference using Microsoft Teams Version 24033.811.2738.2546. Potential interviewees were provided with a standardised project information sheet and inclusion was contingent on prior informed consent. Interviews were anonymised using ‘broad role descriptors’ (except where subjects elected to be identified) and transcribed for data analysis. Transcripts were thematically coded. Iterative interview transcribing and coding ran in parallel with conducting interviews.
Questions were reactive to the information provided by the interviewee so could not be fully prescribed in advance, but addressed relevant key themes of emerging technologies, security challenges arising from such technologies, threats to maritime security, cybersecurity law, regulation and policy, and recommendations to improve security outcomes in the field. An indicative outline interview schedule was prepared in advance and used as a guide for individually tailored interviews. While the research included examination of the threat from terrorist groups in the countries of South East Asia (SEA) bordering the Malacca Strait, i.e., Indonesia, Malaysia, and Singapore, it focussed solely on the legal, policy, judicial, and regulatory aspects of these criminal phenomena and did not involve directly interviewing vulnerable subjects such as convicted criminals or suspects.
Interviews were audio recorded and notes were taken during each interview as a backup. Transcripts were thematically analysed using Nvivo 14 (see below). Relevant interview insights are incorporated across discussion sections below and key quotations provided.

3.3. Roundtables

The research project also organised two 90 min moderated roundtable discussions with experts in maritime and cybersecurity and related fields, one focussed on international maritime governance, and one focussed on hybrid maritime security and governance in the SOMS littorals of Indonesia, Singapore, and Malaysia. Each roundtable was attended by four key informant discussants with specific expert knowledge of the areas discussed. Some excerpts from these discussions are used to inform this article. Discussions were audio recorded with prior consent and transcribed and analysed thematically as with the interview transcripts. The lead discussants were representatives from maritime stakeholders in the Netherlands, Indonesia, Malaysia, and Singapore. Detailed notes and transcriptions were reviewed to identify key themes. Roundtable excerpts provide expert perspectives across discussion sections below.

3.4. Data Analysis

This combination of the literature analysis, survey responses, interview findings, and roundtable discussions enabled triangulation on the core issues examined. The interviews and roundtables also informed expansion of the survey and the literature review. By gathering perspectives from diverse experts across sectors and regions, backed by data analysis, this mixed methods approach yielded a multifaceted understanding of hybrid threats and governance gaps in maritime cybersecurity. Transcribed interviews and roundtable discussions were thematically coded for data analysis. A first quick reading provided initial coding, enhanced with a second more detailed reading and coding process utilising Nvivo qualitative data analysis software. Recurring themes from interviews were identified and highlighted within the interview transcripts. This was followed by categorisation and thematic analysis for each transcript, and these were considered across multiple transcripts to identify emergent areas of consistencies, connections and core findings. Transcribing and coding the interviews was an iterative process, running in parallel with conducting the interviews.

4. Terminology

In this paper, these terms are used as follows: “kinetic” refers to actions, forces, or movements in the physical world. It commonly denotes phenomena involving actual motion or energy transfer. “Cyber” pertains to the virtual or digital domain, encompassing activities, systems, or elements related to computers, information technology, networks, and digital communication. “Cyber-physical” describes the integration or intersection between the cyber (digital) and physical (real-world) domains. It signifies systems, technologies, or environments where digital components interact with and impact physical entities. In the maritime sector, IT systems which interact with OT systems, such as rudders, engines, ballast, causing and monitoring physical motion and energy transfer, are good examples of systems that are cyber–physical. Similarly, the term “hybrid” is used to refer to a combination or fusion of digital (cyber) and physical elements within a single system or environment. It implies a convergence of technologies where digital components interact with physical entities. A hybrid attack on shipping is one that involves elements of cyber and physical vectors: a criminal group that hacks the database of a shipping company to search for high value cargo, then boards a specific vessel at sea and uses barcode readers to physically search for the targeted cargo (based on a real incident [44]) is an example of a hybrid mode of attack.

5. Results

5.1. Survey Results

Based on survey data from practitioners and academics specialising in maritime security, 93% of respondents agreed or strongly agreed with the statement “ICT (Information and Communications Technology) in ships, that is, automated, computer-based systems such as Electronic Chart Displays (ECDIS), Automatic Identification Systems (AIS), satellite communications, on-board networks of Information Technology (IT) and Operational Technology (OT) and others, create new threats, vulnerabilities and challenges for maritime security”.
Furthermore, while this article will not give detailed consideration to emerging technology such as autonomous ships, it may be noted that 90% of respondents agreed or strongly agreed with the statement “Emerging technology—such as autonomous ‘uncrewed’ or ‘unmanned’ ships, automated, computer-based processes, machine learning, SCADA, sensors, algorithms etc., operating onboard ships—create new threats, vulnerabilities and challenges for maritime security”.
Survey results are presented in Figure 2, Figure 3, Figure 4, Figure 5, Figure 6, Figure 7 and Figure 8 and discussed, with some direct excerpts from respondents, below.
Figure 4 shows that 96% of respondents disagreed or strongly disagreed that current levels of cybersecurity in ships are sufficient to counter or defend against threats from criminal groups. In Figure 5, it is confirmed that awareness of attacks that have occurred on the maritime sector is high among respondents, with 90% agreeing or strongly agreeing that they are aware of cyber attacks against ships, ports and shipping companies. From Figure 6, 89% agreed or strongly agreed that criminal groups such as pirates, terrorists and transnational organised crime groups will utilise cyber and other emerging maritime technology to further their criminal enterprises. From Figure 7, there was slightly less consensus for the statement “cybersecurity in the maritime sector lags behind cybersecurity in other areas of critical infrastructure” with 15% responding neutral; however, 81% agreed or strongly agreed with the statement.
Regarding governance (Figure 8, discussed in part 4 below), 89% of respondents disagreed or strongly disagreed that current legal/regulatory regimes accounting for new technology in shipping are sufficient and will not require revision or reform.
Respondents in the survey were given the option of providing further comments to each of the statements and a number of key illuminating comments are provided in full in italics below:
  • The crucial question is not the systems onboard but the level of interfaces ship to shore and vice versa.
  • Increasing reliance on these new technologies and loss of institutional knowledge of how to operate without them is a risk.
  • Most of these systems are technically vulnerable and have been found to be compromised for years.
  • These systems provide a false sense of security for the mariner.
  • It would be necessary also to implement software quality assurance (SQA) in shipping. Many systems do not work because of software problems and not of cyber attack.
  • What regulations? It’s still the wild Wild West.
  • Mandate cyber-security training as part of STCW and the various model courses associated with port security. Add security and specifically cybersecurity to the areas included in the IMSAS Audit scheme.
  • Certainly more study groups are required and international agreement on national policies because IMO cannot do it all…

5.2. Interview and Roundtable Results

As one of the compilers of the MCAD explained in interview, “there were some challenges around how you discretely define an incident … one of the common things that happens is ships ‘going dark’ where they turn their AIS off. If you tracked each one of those as individual incidents, there would be thousands of those alone” [34]. The approach of the MCAD is therefore that, where a similar attack is perpetrated simultaneously from the same source on multiple targets, it is recorded as a single incident.
Finally, as with other land-based industries, cyber-criminal activities such as phishing, Business Email Compromise (BEC), and ransomware are equally as damaging to the maritime sector. Some research indicates that specific targeting of maritime businesses is increasing, and that the frequency and amounts of ransomware payments are increasing with one 2023 report recording that “the average cost of a ransom payment is US $3.2 m” [47]. Several sources noted a lack of information sharing. On the need for sharing of cyber threat intelligence, Kessler noted: “Cyber-attacks are all exploiting vulnerabilities. What we need in the industry is better information sharing of the vulnerabilities…we have some agencies that are doing that in a small way now. But we really need to improve that” [35].
While mandatory reporting of cyber incidents may not be feasible or desirable, a mechanism for voluntary, anonymous reporting of cyber incidents would be a positive development for cybersecurity and could possibly be introduced on the back of the MCAD and the Structured Threat Information Expression (STIX, https://stixproject.github.io/about/, accessed on 15 December 2023) format for reporting cyber threat intelligence.
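The counting rule and the anonymous reporting idea described above can be sketched together. This is an added example, not code from the MCAD or from the article: the input field names, the 24-hour reading of "simultaneously" and the minimal STIX 2.1-style incident objects are all assumptions, and the sample reports are constructed.

```python
import json
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample reports (not real incidents); every field name is an assumption.
RAW_REPORTS = [
    {"time": "2023-05-01T02:10:00Z", "source": "sender-domain-1", "attack": "phishing",
     "vessel_name": "MV Example One", "imo_number": "0000001", "vessel_type": "tanker"},
    {"time": "2023-05-01T02:40:00Z", "source": "sender-domain-1", "attack": "phishing",
     "vessel_name": "MV Example Two", "imo_number": "0000002", "vessel_type": "container ship"},
    {"time": "2023-05-01T09:05:00Z", "source": "sender-domain-1", "attack": "phishing",
     "vessel_name": "MV Example Three", "imo_number": "0000003", "vessel_type": "bulk carrier"},
    {"time": "2023-05-03T14:00:00Z", "source": "unknown", "attack": "gnss-interference",
     "vessel_name": "MV Example Four", "imo_number": "0000004", "vessel_type": "tanker"},
    {"time": "2023-05-11T07:00:00Z", "source": "sender-domain-1", "attack": "phishing",
     "vessel_name": "MV Example One", "imo_number": "0000001", "vessel_type": "tanker"},
]

IDENTIFYING_FIELDS = ("vessel_name", "imo_number")  # removed before anything is shared
WINDOW = timedelta(hours=24)  # assumed interpretation of "simultaneously"


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def anonymise(report):
    """Drop the fields that identify the reporting vessel; keep only its category."""
    return {k: v for k, v in report.items() if k not in IDENTIFYING_FIELDS}


def consolidate(reports, window=WINDOW):
    """Same source + same attack type within `window` of the first report = one incident."""
    incidents = []
    latest = {}  # (source, attack) -> most recent incident for that pair
    for rep in sorted((anonymise(r) for r in reports), key=lambda r: parse_time(r["time"])):
        when = parse_time(rep["time"])
        key = (rep["source"], rep["attack"])
        inc = latest.get(key)
        if inc is None or when - inc["first_seen"] > window:
            inc = {"source": rep["source"], "attack": rep["attack"],
                   "first_seen": when, "last_seen": when, "targets": []}
            latest[key] = inc
            incidents.append(inc)
        inc["last_seen"] = when
        inc["targets"].append(rep["vessel_type"])
    return incidents


def stix_time(when):
    return when.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def to_stix_bundle(incidents, created=None):
    """Wrap consolidated incidents in a minimal STIX 2.1-style bundle (assumed layout)."""
    stamp = stix_time(created or datetime.now(timezone.utc))
    objects = []
    for inc in incidents:
        objects.append({
            "type": "incident",
            "spec_version": "2.1",
            "id": "incident--" + str(uuid.uuid4()),
            "created": stamp,
            "modified": stamp,
            "name": "{} (source: {})".format(inc["attack"], inc["source"]),
            "description": "{} target(s) between {} and {}: {}".format(
                len(inc["targets"]), stix_time(inc["first_seen"]),
                stix_time(inc["last_seen"]), ", ".join(inc["targets"])),
        })
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(consolidate(RAW_REPORTS)), indent=2))
```

The five constructed reports collapse to three incidents, and the serialised bundle carries vessel categories only, with no vessel names or IMO numbers.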
Several of these points were confirmed in interviews providing further support for the following conclusions:
(a) Traditionally, ships with highly intermittent satellite internet connections provided relative isolation and security for outdated and unpatched IT systems. However, this is changing with the advent of LEO satellite providers—Scanlan et al. have noted the “transformative impact” of LEO satellites and the “likely increase in cyber-attacks on ill-prepared industries” such as the maritime sector [48]. The point was reiterated in interview with a representative of the UK Chamber of Shipping who commented “Starlink is a game changer it’s now so cheap that there’s all sorts of stuff going on that wasn’t before in terms of remote connectivity, bandwidth” [49]. A maritime cyber practitioner made the following comment:
The big thing was that ships traditionally were always standalone environments…We are now into the realms of being connected. And by virtue of the fact of the way the internet and network connectivity works, there is the ability to be seen. So the last 10 years has been a wakeup call… We have a disconnect between the real world and the maritime world. We’re now using equipment that could be on there for 10 years and would be obsolete within one.
[50]
LEO always-on internet connections are highly desirable for ships’ crews seeking entertainment and connectivity; however, they drastically increase the attack surface for remote cyber attack, especially on outdated and unpatched IT systems. This is exacerbated by ‘just-in-time’ approaches to shipping, which minimise time spent in ports but maximise the difficulty of patching and updating hardware and software; the difficulty is further compounded by budgetary constraints, with ship owners reluctant to invest in updating hardware and software.
(b) Whereas this article will not discuss emerging technology such as autonomous vessels, which is discussed at length elsewhere [20,21,51], there is broad consensus that a convergence of IT and OT systems is occurring and that crews are increasingly reliant on sophisticated interconnected bridge systems for navigation and monitoring of critical systems. While there is awareness of attacks on the maritime sector at a management/strategic level, there is a lack of preparedness or maturity with regard to cyber hygiene and cybersecurity among “understaffed and overworked” [52,53] ships’ crews, who see their primary function as sailing the ship. Furthermore, some software systems may be prone to failure without cyber attack. This reinforces the conclusion that crews may not be aware in many cases when a cyber attack is occurring and underlines the need for training and simulations of cyber attacks on ships.
(c) An “increasing reliance” on digital systems, a “loss of institutional knowledge of how to operate without them” and “a false sense of security for the mariner” all contribute to the conclusion that to cause a catastrophic incident in shipping, in particular in a highly congested shipping lane, all that is needed is to cause confusion. As commented by a professor of maritime cybersecurity:
You don’t actually have to cause a ship to have an accident. You just need to confuse the crew…around 80% of maritime accidents are human error…you just need to bring on that human error…this can be done through false or spoofed AIS or GPS signals, you just need two conflicting sources of information to cause confusion… another thing is younger crews tend to be very focussed on the technology on the bridge. And this is something we’ve observed in simulations. They’re all looking down. Whilst, traditionally mariners, they look out, they’re looking at the real world.
[34]
These comments underline common themes from interviews: that there is a need for simulation-based training to prepare crews for both malfunctions of IT and OT systems and cyber attacks, and for the ability to tell when a cyber attack has occurred. They also underscore the need for redundant systems, and triangulation and cross-checking of data from multiple independent sources.
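One way to cross-check two independent sources, as an added example that is not from the article: each satellite position fix is compared with a dead-reckoning position computed only from gyro heading and speed log, and a fix is flagged when the two disagree by more than a tolerance. The field names, the 0.5 nm tolerance and the sample track are constructed assumptions.

```python
import math

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

# Constructed sample track (not recorded data): a vessel steering 090 at 12 knots,
# one sample every 6 minutes. From index 3 the satellite fix is displaced about
# 3 nm north while heading and speed are unchanged, as a receiver fault or a
# false signal would produce.
SAMPLES = [
    {"t_hours": 0.0, "gnss": (1.2000, 103.8000), "heading_deg": 90.0, "speed_kn": 12.0},
    {"t_hours": 0.1, "gnss": (1.2001, 103.8201), "heading_deg": 90.0, "speed_kn": 12.0},
    {"t_hours": 0.2, "gnss": (1.1999, 103.8399), "heading_deg": 90.0, "speed_kn": 12.0},
    {"t_hours": 0.3, "gnss": (1.2500, 103.8600), "heading_deg": 90.0, "speed_kn": 12.0},
    {"t_hours": 0.4, "gnss": (1.2500, 103.8800), "heading_deg": 90.0, "speed_kn": 12.0},
]


def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two positions in nautical miles."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def dead_reckon(lat, lon, heading_deg, speed_kn, hours):
    """Advance a position from heading and speed alone (plane sailing, short legs only)."""
    run_nm = speed_kn * hours
    heading = math.radians(heading_deg)
    new_lat = lat + run_nm * math.cos(heading) / 60.0
    new_lon = lon + run_nm * math.sin(heading) / (60.0 * math.cos(math.radians(lat)))
    return new_lat, new_lon


def cross_check(samples, tolerance_nm=0.5):
    """Compare each satellite fix with the dead-reckoned position.

    The reference position is the last fix that agreed with dead reckoning; once
    a fix is rejected, the dead-reckoned position is carried forward instead, so
    a displaced fix cannot become the new baseline. Dead reckoning ignores current
    and leeway, so the tolerance has to cover that drift between samples.
    """
    ref = samples[0]["gnss"]
    prev = samples[0]
    results = []
    for index, sample in enumerate(samples[1:], start=1):
        elapsed = sample["t_hours"] - prev["t_hours"]
        expected = dead_reckon(ref[0], ref[1], prev["heading_deg"], prev["speed_kn"], elapsed)
        gap = distance_nm(expected[0], expected[1], sample["gnss"][0], sample["gnss"][1])
        agree = gap <= tolerance_nm
        results.append({"index": index, "gap_nm": gap, "agree": agree})
        ref = sample["gnss"] if agree else expected
        prev = sample
    return results


def conflicting_fixes(samples, tolerance_nm=0.5):
    """Indices of samples where the two sources disagree."""
    return [r["index"] for r in cross_check(samples, tolerance_nm) if not r["agree"]]


if __name__ == "__main__":
    for row in cross_check(SAMPLES):
        state = "agree" if row["agree"] else "CONFLICT"
        print("sample {index}: gap {gap_nm:.2f} nm".format(**row), state)
```

A conflict does not say which source is wrong; it tells the watchkeeper to verify against a third source such as radar or a visual bearing.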

6. Discussion

6.1. Threat Analysis of Shipping in the SOMS

Having discussed the nature of cyber and hybrid threats to the MTS in the preceding section, this section will focus on a specific geographic zone (the SOMS) to present an analysis of the likely non-state threat actors and their motivations and vectors for targeting international shipping (This article does not include discussion of threats to shipping from state actors).
Taking account of past incidents and capabilities of malicious actors in and around the SOMS, how likely is it that they would seek to, or could, conduct kinetic, cyber or cyber–physical attacks on shipping? Interviews indicate that terrorist groups in Indonesia—the country with the most active terror networks and cells among the SOMS littoral states—have some level of skill in using online tools for recruitment and financing; however, they are unlikely to have the necessary knowledge or background in conducting attacks on the maritime sector. Whereas “the maritime terrorism threat [in the SOMS region] is largely a Southern Philippines phenomenon” and proven links exist between regional groups in the Philippines and the SOMS littorals [54], Indonesian terrorist groups Jemaah Islamiyah (JI), Jemaah Anshorut Daulah (JAD), and others have directly targeted the maritime domain in the past. Van Dijk notes an aborted JI attack “against three American warships and a Coast Guard vessel docked at Surabaya in May 2002 during a CARAT (Cooperation Afloat Readiness and Training) American Indonesian naval exercise” [55]. In 2005, JI planned a USS Cole-style attack on shipping in the Sembawang region of the Johor strait separating Singapore from Malaysia in a “strategic kill zone where…a warship would not have room to avoid a collision with an explosive-filled suicide boat” [56].
In an advanced plot in August 2016, an Indonesian group linked to ISIS, Katibah Gonggong Rebus (KGR), led by Gigih Rahmat Dewa, planned to shoot a rocket from the Indonesian island of Batam, across the Singapore Strait to strike the landmark Marina Bay Sands (MBS) resort [57]. One of Bahrun Naim’s protégés, Dodi Suridi, “had been able—based on information gleaned from YouTube—to build and successfully test-fire a makeshift rocket launcher employing a plastic tube, potassium nitrate extracted from fertilizer, and other substances” [57]. In February 2004, the Philippines-based Abu Sayyaf Group (ASG) committed its most lethal attack, a striking example of maritime terrorism, the attack on SuperFerry 14 in Manila Harbour, which killed 116 and wounded many others. The attack was far more lethal than other frequently cited maritime terrorist attacks, such as the following: the USS Cole in 2000, which killed 17 US sailors and severely damaged the ship; the 2002 attack on the M/V Limburg, a tanker chartered to Malaysian state-petroleum agency, Petronas, which “blew a gaping hole in the side of the tanker” [58] off the coast of Yemen, killing one crew member and causing a massive and disruptive oil spill; and the hijacking of cruise ship Achille Lauro in 1985, resulting in one fatality [59].
From the foregoing discussion of regional terrorist threats to shipping, several points are evident. First, it is difficult to avoid the conclusion that if any of the aforementioned terror attacks had been successfully committed in or around the SOMS, they would have severely impacted the flow of shipping through the region, causing knock-on effects similar to those of the 2021 M/V Ever Given incident. The scope and scale of the disruption would depend on the incident and there have been attempts to estimate the economic disruption from such attacks [28].
Second, these examples illustrate the desire to target the maritime space and that, if the opportunity presented itself to commit a large-scale cyber attack on shipping, it would be strongly in line with the general call to jihad that is characteristic of regional terror groups.
As a professor of regional security commented in interview:
ISIS and Al Qaeda, they make general calls to carry out operations wherever you are. The general idea is, if you cannot make hijrah or migration to a land of active jihad, you can carry out your jihad right where you are. I mean, your enemy is on your right and on your left, and you can carry out jihad through various means. The main thing they usually call for is outright violence, using knives, using vehicles, using fire. So it’s about do-it-yourself jihadism in terms of the weaponising of everyday items. We do know that in other parts of the world, ISIS has had very capable cyber militants, for example, Junaid Hussein… I haven’t seen any specific call for using cyberattacks… but in principle, I wouldn’t see why not. Why wouldn’t they want to do that? In principle, I believe that they would definitely be very much in favour of it, if anybody, any brother, has the ability to carry out a cyber-attack, I think they would be all for it.
[54]
Such a cyber-based attack, whether on the maritime domain or on land, would be very much in line with the general call to terrorist followers to commit attacks of any kind, using whatever resources are available to hand.
Third, while a catastrophic cyber attack on shipping has yet to be seen, this does not preclude the possibility of a “black swan event”, nor does it mean that regional groups are not developing the necessary cyber skills. The advent of generative artificial intelligence that is able to create computer code, deepfake images, text, and video, compounds the likelihood of malicious groups using innovative ways of committing cyber and cyber–physical attacks as outlined in recent reports from the UK’s Turing Institute and EUROPOL [60,61]. Also, events in other parts of the globe, such as increased attacks on shipping in the Bab el-Mandeb strait committed by Houthi groups in response to violence against fellow Muslims in Gaza [1,62], influence events in Southeast Asia.
On this point, a representative of Indonesia’s National Counter-terrorism Agency (BNPT) intelligence division commented in interview:
The threat of terrorism in Indonesia cannot be separated from the global situation. Whatever happens in the global terrorism situation, will have an impact on network movements in Asia and in Southeast Asia in particular. Then from talking to them they’ve experienced a shift to the online space, so that previously all terrorist activities were done conventionally or physically. They’ve also moved from physical space to cyber space. Like starting from recruitment, propaganda, military training and training to make explosives, and the provision of logistics. Then planning attacks also and up to hiding their funding. All the activities that were done in a conventional way are now done in cyberspace. They use it a lot for propaganda, glorification of all their activities they do it in the cyberspace.
[63] (emphasis added)
Finally, a cyber attack on shipping in the SOMS would not necessarily originate in the adjacent littorals; rather, depending on the nature of the attack, it could be conducted remotely from any part of the world. An attack that was hybrid in nature would likely require some kind of physical presence in the region—to covertly install malware on a ship’s bridge using a USB drive, for example [27].

6.2. Piracy and Other Crime

Like terrorism, the threat of piracy in Southeast Asia continues to be of concern. Data from the ReCAAP Information Sharing Centre (ISC) show the total number of piracy and armed robbery against ships (ARAS) incidents hovering in the range of 70–100 incidents per year for five years, from 2017 to 2022 [64].
At the time of writing, data from January to June 2023 showed 59 incidents; “this accounts for a 40% increase in incidents compared to 42 incidents reported during January–June 2022” [65], making it likely that the total number for 2023 will increase from 2022 but remain in the same range of 70–100. The report further notes:
The increase of incidents during January–June 2023 occurred in the Philippines, Straits of Malacca and Singapore (SOMS), Thailand and Vietnam. Of concern was the continued occurrence of incidents in the SOMS, with 41 incidents reported compared to 27 incidents during the same period in 2022.
[65]
It can be noted that all of the incidents occurred while vessels were underway, and in the majority of cases (61%) the perpetrators were unarmed and did not harm crew (90%). Those that did carry weapons most commonly used knives and machetes. Only one report in 2022 noted perpetrators carrying guns. In two incidents, crew members were taken hostage but were able to escape, and in two other cases, crew members were assaulted. Items stolen were ship’s property, engine spares, and unsecured items. This picture largely confirms the comments of one Indonesian Coast Guard source, who stated the following in an interview: “These incidents are not piracy, they are more like petty theft, petty crime. It’s also not uncommon that the crew themselves steal the items and report it as being stolen.” The coast guard went on to say the following: “The information from the IMB and the IFC is often not accurate. We want to give seafarers a correct picture that’s why we set up the Indonesia Maritime Information Centre (IMIC)” [66].
A monthly report from the IMIC for June 2023 records a number of different maritime incidents including drug trafficking, IUU fishing, irregular human migration, and maritime accidents, but does not record any piracy or ARAS incidents for the period. It does include a category for ‘petty theft’ [67].
The Head of the Indonesian Maritime Institute, when asked about piracy in the SOMS, made the following comment:
The Singapore Strait is very busy, so the vessel must be in low speed. So it is very attractive for these guys to onboard your vessels. They take laptops, watches and then fly back to their boat. This is not piracy. But is sometimes reported as piracy to hurt Indonesia’s feelings. It’s spontaneous and not well organized. There is another type which has international connections that target tankers. This is not locals, this is beyond their capacity. To hijack tankers and extract the fuel is a tricky business. This is very rare in Indonesia and always involves international actors. The bosses are in Singapore, and the operators are in Batam.
[68]
While the levels of piracy in and around the SOMS remain at a level that would be of concern to any reasonable captain transiting the straits, it may be said that they are largely of a type that consists of opportunistic petty theft while underway, rather than acts of extreme violence. However, occasional acts of assault and hostage taking still occur. Regardless, it may be observed that in all cases the goal of pirates and armed robbers is not to block traffic in the strait; indeed, they profit from increased traffic as it enlarges the number of their potential targets. While ReCAAP issues regular advice and updates to captains of ships transiting the SOMS, if levels of piracy and crime were to significantly increase in frequency and violence it could severely disrupt shipping through the straits. At present this is not the case. Indeed, a Singaporean academic and expert in regional maritime security pointed out that the targets of piracy in the SOMS are, in a majority of cases, vessels plying regional routes rather than ultra large international tankers and cargo ships, stating “when we look at maritime crimes and the victims, the victims are usually those plying regional routes only, not those of international trade… if you go through the last 20 years data, most of them are interregional or going between Indonesian ports” [69]. These are the so-called ‘rust buckets’, very small tankers, and small general cargo vessels that are ‘low and slow’ and present the easiest targets to board while underway. “When you read headlines like ‘Tanker Hijacked in the Strait of Malacca’ look into the detail of how big the tanker is” she advises [68]. However, interregional shipping is targeted because of the vulnerability of the ‘low and slow’ targets. If regional pirate groups discovered an easy method of remotely disabling a larger international tanker or cargo ship, they may be bold enough to attempt to exploit it.
However, any attempt to target international shipping and the subsequent media attention it would generate would certainly lead to a response from the authorities in the littoral states, likely coordinated under the auspices of ASEAN, and executed under the framework of the Malacca Straits Patrols [70] (MSP), a regional grouping tasked with securing the SOMS.
Statistics issued by ReCAAP show that there were two violent crew abduction incidents (Category 1 incidents) per year in 2018 and 2019, and a single incident in 2020. At the time of writing, the most recent ReCAAP quarterly report states “There was no report of incident of abduction of crew for ransom during January–September 2023. The last known incident occurred on 17 January 2020. No crew is currently held in captivity by the ASG. The Philippines, Malaysian and Indonesian authorities continued to maintain surveillance and military operations to neutralise the ASG.” [64] However, ReCAAP advises “with the presence of the remnants of the ASG in the area, the threat of abduction of crew for ransom in Sulu and TawiTawi continues to remain” [65].
Particularly relevant to this discussion of maritime cybersecurity is the use of technology employed in piracy and robbery. In one notable case, criminals hacked into the shore side computer systems of a shipping company to identify high value cargo. While the ship was transiting the SOMS, pirates boarded armed with barcode readers, proceeded to scan containers looking for the particular cargo they wanted (in this case jewels), forced open the container, stole the cargo, and made their escape. It is a good example of a criminal enterprise using digital technology to augment their attacks on shipping [44]. It is difficult to gauge to what extent pirate groups are using cyber capabilities; however, this paper warns, as above, that developments in generative artificial intelligence—to write code, create realistic deepfake images, videos, audio, and text—will be adapted by criminal groups in innovative ways to augment their criminal activities [60,61]. The ReCAAP ISC report, which catalogues and dissects multiple aspects of the recorded cases, from the time of day of the attack to the size of the group, the weapons they carried, etc., makes no mention of ‘cyber’ aspects in any of the cases presented [65]. It is recommended that ReCAAP report cyber–physical incidents of attacks on shipping as part of their reporting mechanisms.

6.3. Governance

Discussions around cybersecurity vulnerabilities in ships, and the likelihood of them being exploited by malicious actors, prompt a discussion around what is being achieved in terms of regulation to address the challenge and shore up vulnerabilities. In this regard, there are a number of developments that can be pointed to; however, the challenge of raising the bar of maritime cybersecurity in the real world remains significant, as discussed below.

6.3.1. International Governance of Cybersecurity in Ships

In 2017, the IMO Maritime Safety Committee (MSC) issued Resolution MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems [71]. This was the first attempt of the international governing body to address maritime cybersecurity in a formal way. It is a brief one-page document which issues “high level guidance” under the framework of the International Safety Management (ISM) Code, affirming that cyber risk management should be taken into account as part of a ship’s overall safety management systems. It also “encourages” administrations to ensure that cyber risks are “appropriately addressed in safety management systems” no later than the ship’s first annual inspection of documents after January 2021 [71]. In June 2022, the IMO Facilitation (FAL) committee issued MSC-FAL.1-Circ.3 Guidelines on Maritime Cyber Risk Management [72], again a brief document at four pages, but one that provides further guidance, insofar as it lists potential vulnerable systems, specifically identifies that a “distinction between information technology and operational technology” should be considered, and identifies malware, outdated software, weak passwords, network segregation, ineffectual firewalls, and others as vulnerabilities that can be exploited. The document identifies five “functional elements” of cybersecurity and directs users to further guidance from shipping organisations like BIMCO, the International Standards Organization (ISO), International Electrotechnical Commission (IEC), and the NIST framework.
Key to understanding the impact of these regulations is paragraph 2.2.2 of [72] which states the following:
Recognizing that no two organizations in the shipping industry are the same, these Guidelines are expressed in broad terms in order to have a widespread application. Ships with limited cyber-related systems may find a simple application of these Guidelines to be sufficient; however, ships with complex cyber-related systems may require a greater level of care and should seek additional resources through reputable industry and Government partners.
[72]
As one source confirmed in interview:
This is very high level signpost guidance. And one of the reasons it was done in that way is because there’s a huge amount of guidance out there that’s been developed by industry and various national governments. So it was felt that the IMO provides the high level guidance and of course it is up to member states then to read through the detailed guidance and adopt what they want to, to implement effective cybersecurity.
[73]
These passages underline two important aspects of international maritime cyber regulation: First, some flexibility is needed as not all ships (or shipping companies) are the same. Second, states will implement these requirements in their own way, according to their own needs and practices.
In practice, in most jurisdictions this means that ships and ports must be able to show that cyber risk has been included as part of an overall risk assessment, and that a minimum level of cybersecurity is in place. As MSC 428(98) [71] points out, as part of the ship’s safety inspection and documentation, cybersecurity must be included in the risk management plan—to some extent. Classification societies, which have the task of certifying ship safety, must incorporate cyber risk into their inspections. As a representative of the Dutch ship-owners association put it when asked about cybersecurity regulation in ships:
There are guidelines, but straight forward rules about how to implement cybersecurity are actually not there. It’s like you need to be aware, you need to have thought through all the elements onboard where your risks are and you need to have written it down in your SMS [Safety Management System]. How you handle them, what your judgment is on those risks, but there’s no regulations, as such.
[74]
In the UK for example, pursuant to The Merchant Shipping (Recognised Organisations) (Amendment) (EU Exit) Regulations 2019 [75], six registered organisations (ROs) including Lloyd’s Register, American Bureau of Shipping, and others, are authorised to conduct surveys and inspections of ships on behalf of the Maritime and Coastguard Agency (MCA). In the UK, MCA regulation MSIS 02 [76] Instructions for the guidance of surveyors sets out at paragraph 4.2.3 the obligation “that an approved SMS should take into account cyber risk management”, in conjunction with the Department for Transport (DfT) Cyber Security Code of Practice for ships [77]. Where an RO is not satisfied that cybersecurity has been sufficiently covered it could deny issuing the Safety Management System (SMS) certificate and the ship will be prevented from sailing until the deficiency is rectified.
In June 2023, the IMO announced that the cybersecurity circulars will be undergoing a comprehensive revision. The revision will be led by member states who will present a proposal to the MSC, and it is too early to tell to what degree of specificity the revision will go, or when it will be complete. At a minimum, the revision will update the links to the industry guidelines to ensure they are updated to the latest versions available. It should be noted that the idea of “a standalone Cyber Code” has been raised “based on a framework created by previous IMO Codes such as the Polar Code. Since the IMO uses Codes as a legally binding instrument, this would help to ensure the continued safety and efficiency of the maritime industry in the face of threats from cyberspace” [10]. As the IMO works on the consensus of member states this would be a highly ambitious project—and would take years to complete—but ultimately could be an effective way of combining all cyber regulations and requirements into one instrument.

6.3.2. ISPS Code

Created in the post-9/11 years, the International Ship and Port Security Code (ISPS) focusses on the prevention of a terrorist attack against shipping. Enacted under SOLAS chapter XI-2, on 1 July 2004, the ISPS provides a comprehensive framework for the security of ports and ships, including mandatory (Part A) and recommendatory (Part B) provisions. As one EU-based legal expert interviewee noted, the ISPS was primarily concerned with physical security; however, there has been discussion in recent years about whether it also applies to digital security.
The European Union did pick up ISPS as a whole and translated it into European law and that had to be picked up by Member States and had to be implemented into the various national legislations in Europe. We sought a robust answer of whether digital security is part of ISPS. There was some nervousness about whether it was or not, if it was not it could require new legislation, and that might not come or it could take a long time. So everybody now takes the stance, ‘yes’ it is in ISPS and we hope that if there is a case before a court and a judge has to give an opinion, an interpretation, he or she will come to the conclusion, ‘yes, digital security is also part of ISPS’.
[78]
The ISPS was clearly not written to give detailed guidance on cybersecurity. The words ‘cyber’ or ‘digital’ do not appear in the document. However, as the ISPS is written in fairly broad terms, and the spirit of the document is clear (that is, to comprehensively assess security vulnerabilities and create plans to address them), it is possible to imply its mandatory application to cyber systems. For example, article 8.4.3 of the Ship Security Assessment mandates “identification of possible threats to the key ship board operations”. Taking account of technological developments in shipping since 2004, this surely must include cyber threats. Indeed, in Part B, the recommendatory provisions specifically include computer networks. In Part B, Section 8 of the Ship Security Assessment (SSA), article 8.3.5 states “radio and telecommunication systems, including computer systems and networks” should be addressed in the SSA among other essential systems. Likewise, the Port Facility Security Assessment (PFSA) provisions include, at article 15.3.5, “computer systems and networks” in the same way. It is therefore reasonable to conclude that the ISPS does require security assessments to include cyber systems, and this appears to be the approach in the EU; however, a test case has not yet confirmed the point.

6.3.3. International Association of Classification Societies (IACS)

In April 2022, the International Association of Classification Societies (IACS) issued Unified Requirements (UR) E26—Cyber Resilience of Ships [79] and E27—Cyber Resilience of On-board Systems and Equipment [80]. The purpose of the URs is to “provide a minimum set of requirements” for cyber resilience of “the ship as a collective entity” (E26) and for “on-board systems and equipment” (E27). At 32 pages (E26) and 14 pages (E27), respectively, the URs provide much more detailed guidance than the IMO Circulars or the ISPS, covering specific aspects of cybersecurity like firewalls, segregation, air gapping, and data diodes, and mapping out sub-goals for each functional element: identify, protect, detect, respond, and recover. Both URs note that they are “to be uniformly implemented by IACS Societies on ships contracted for construction on or after 1 January 2024 and may be used for other ships as non-mandatory guidance.” [79] Implementation of the two URs was subsequently postponed until 1 July 2024, and they have undergone “extensive changes” including dividing the requirements into mandatory and non-mandatory depending on the size and type of ship [81].
Implementing the URs in practice may present a challenge for ship owners, particularly smaller operators with limited cyber knowledge, as expressed by one interviewee:
You get a new system from a supplier and it’s put onboard and then you need to make sure that it becomes cyber secure when it’s connected to all the other systems onboard. That’s an issue especially on older ships where many ship owners do not exactly know how to handle that and because they do not have the knowledge about that system and about the technical aspects of the other systems and how they can make them cyber secure.
[74]
It should be clarified here that the mandatory aspects of UR E26 and E27 only apply to newly built ships, and as such will not cause regulatory deficiencies in existing ships. However, they provide a useful guide to where maritime cybersecurity regulation is heading; that is, a requirement that Original Equipment Manufacturers (OEMs) provide devices where cybersecurity is an inherent aspect of their design, and that, when installed alongside other ship systems, the cybersecurity of the whole is assured.

6.3.4. Port State Controls

Port State Controls (PSCs) are an important element in enforcing safety in shipping, and they will play an important role in maritime cybersecurity. As a representative of the Netherlands ship-owners association noted, “we have members who have gone to the US for example who tell us that they have been questioned for two hours about their cybersecurity on arrival in the port. In other countries it might be quite basic. You have the port state control system and then you have all kinds of reasons for a deficiency, but there’s not a specific rule for cyber security.” [74] Some port states are clearly implementing stringent inspections on cybersecurity. However, to date it does not appear that there has been a detention based on a cybersecurity deficiency. For a Port State Control Officer (PSCO) to detain a ship requires “clear grounds” of a breach. For physical systems like fire safety or lifeboats, where clear requirements are set out, a breach is much easier to prove or to show, for example with photographic evidence. Ship cybersecurity breaches are much more difficult to prove, and the regulations and overall expertise on both sides, i.e., the inspection side and the ship operator side, are not yet sufficient. A PSCO who detained a ship based on alleged cybersecurity defects would be at risk of legal challenge by the ship’s owners and the possibility of liability for losses arising from the ship’s detention [74]. For that reason, it is unlikely that ship detentions will occur as part of PSC unless there is very clear evidence of a deficiency. Further, a detention would seem unlikely until there are clearer practical guidelines on what exactly would constitute clear grounds of a cyber deficiency.

6.3.5. Maritime Single Window

The Maritime Single Window (MSW) is an IMO initiative to streamline ship documentation processes when coming into port, whereby all documentation will be submitted online through a single portal. Whereas safety certificates are among the bundle of documents required—including passenger lists, a pre-arrival security form listing previous ports of call, and others—there is no current requirement for a specific cybersecurity or cyber qualification certificate as part of that bundle. As one interviewee noted, “there is no specific form to say that the ship is cyber secure. That’s not one of the existing file forms. And as mentioned, there’s no plan in the short term at least to introduce such a form. But what we do have is the MSC resolution” [73]. As noted above, if the ship does not have a valid ship safety assessment and plan, issued by their class society, which should incorporate cybersecurity, this would be grounds for detention. At the time of writing, there is an initiative to require “systematic and mandatory attention for cybersecurity” as part of the implementation of the MSW [78]. This could be achieved through the regular amendments to FAL (the Annex to the Convention on Facilitation of International Maritime Traffic, 1965 (FAL Convention)) by inserting into Section 1 C., Systems for the electronic exchange of information, a new paragraph, as follows:
1.4 Cybersecurity—Contracting Governments shall safeguard the cybersecurity of entities operating and being connected to the system for the electronic exchange of Information by creating a mandatory framework.
[78]
As the MSW will require centralisation and digitalisation of documentation for ships entering and departing international ports, it would seem a pertinent requirement for national governments of port operators to incorporate cybersecurity into the designs, frameworks, portals, and online infrastructure of such processes, in much the same way as the IACS UR E26 and E27 do for shipboard devices and systems.

6.4. Regional Governance of Threats to Maritime Security

A detailed discussion of the domestic approaches of each of the littoral states to maritime security and cybersecurity is beyond the scope of this paper. Instead, this section discusses the regional cooperative efforts to secure shipping through the SOMS and some major developments in the governance structures of the littorals.
Significant progress in regional cooperative measures for maritime security has been made in the past two decades, since the Malacca Strait Patrols (MSP, originally named MALSINDO) began operations in 2004 [81]. The MSP entails coordinated naval patrols, Eyes in the Sky (EiS) aerial surveillance, and intelligence exchange and sharing. This collective approach to maritime security was praised in 2008 by then-IMO Secretary-General Efthimios Mitropoulos as “a model to emulate in addressing the Gulf of Aden piracy problems. This accolade was also echoed by the US Pacific Command in 2012” [82].
In 2022, Indonesia’s foreign minister Retno Marsudi stressed the need to enhance maritime cooperation through the ASEAN Maritime Outlook (AMO) [69]. Indonesia has also been instrumental in driving the ASEAN Coast Guard Forum (ACGF) [83].
Indonesia, often criticised for a lack of inter-agency coordination and cooperation between its maritime security authorities [84], is in the process of revising the legal basis of its Coast Guard agencies, that is Badan Keamanan Laut (BAKAMLA), a non-ministerial agency reporting directly to the president; and the Kesatuan Penjagaan Laut dan Pantai (KPLP), a maritime security agency within the Ministry of Transportation [68]. The current administration supports a revision to Law Number 32 of 2014 on Maritime Affairs which would make the KPLP subordinate to BAKAMLA and consolidate the position of BAKAMLA as the lead agency for maritime security [84]. This appears to be a positive development in streamlining Indonesia’s approach to maritime security governance, and could create a “single point of contact” for inter-regional or ASEAN-based cooperation on maritime security issues. On this point, a roundtable participant commented on the need for “a national single point of contact in each ASEAN country” [68] to simplify and streamline regional cooperation initiatives. However, another participant cautioned about the difficulty of achieving this due to competing interests and approaches from multiple stakeholder agencies.
There is currently no regional framework to specifically address maritime cybersecurity; however, multiple sources confirmed in interview that cybersecurity has received considerable attention from the government agencies mentioned above in the three littoral states. The BAKAMLA, for example, confirmed in interview that “in 2021 cybersecurity was added to the nine threat types that we focus on” and further stated its intention to strengthen regional cooperation through the ACGF, which was seen as a truly regional initiative [66]. On the question of cyber threats to the maritime sector, including ports, an interviewee from the Maritime Institute of Malaysia (MIMA) commented on their discussions with port operators:
One of their main concerns is on phishing threats, especially cyber terror and hacktivism, hacktivism towards the navigational systems, just like I’ve mentioned before, there’s a future adoption of the MASS and also fully autonomous ERTG [Electrified Rubber Tire Gantry Cranes] and also E-Prime-movers in port activities. So, the hacktivism has become one of the major threats that might be very impactful towards the port activities and also the recent vessel traffic in the Strait of Malacca [85].
Hence “cybersecurity especially in the maritime domain has become one of the main concerns” of the Malaysian Marine Department, especially with regard to the Vessel Traffic System (VTS) in the Straits of Malacca and the implementation of Maritime Autonomous Surface Ships (MASS) and automated port operations, for example in Tanjung Pelepas [85]. Another Malaysian source noted there is currently no specific law on maritime cybersecurity, that the maritime industry is “self-regulating” to a large extent, and that “it would be great to have a standard policy with certain guidelines or a policy framework” [85]. Such a regional framework could conceivably be designed to cover related maritime technology and infrastructure concerns such as MASS and subsea pipelines and cables, which were also identified as a priority area of concern [85].
This article submits that on the back of the successes of regional initiatives such as the MSP, EiS, AMF, ACGF, and AMO mentioned above, a regional approach that emphasises raising awareness within the commercial shipping sector, law enforcement practitioners and policy makers, could achieve significant and real results for improved maritime hybrid security through the SOMS. The approach should encompass technical training on cyber–physical vulnerabilities and mitigations (including simulation scenario training), capacity building, and information sharing for and by stakeholder agencies. Regional cooperative measures within the framework of the ASEAN Convention on Counter Terrorism (ACCT) and the ASEAN Comprehensive Plan of Action on Counter Terrorism (ACPoA on CT) are also relevant to this kind of initiative and should emphasise both the maritime dimensions and the hybrid, cyber–physical dimensions of past and future terrorist attacks.
Furthermore, this approach could achieve rapid results from regional stakeholder countries, with support from international agencies, such as the IMO and leading national governments and groupings such as the UK, US, EU, and ASEAN through joint bilateral capacity building and training exercises. This directly aligns with the UK’s 2022 National Strategy for Maritime Security which specifically identifies maritime cybersecurity as a key challenge [86] and furthermore, the UK’s reliance on “the strategically important Straits of Malacca” [86]. The strategy sets out the UK’s strong support “for ASEAN’s Outlook on the Indo-Pacific” and its commitment to using “our new Dialogue Partnership with ASEAN to further strengthen maritime cooperation in Southeast Asia and help build the capabilities of member states through education, training and exercising” [86]. The US Coast Guard has also made maritime cybersecurity a priority (see, for example, the Coast Guard Maritime Industry Cybersecurity Resource Centre including a cyber incident reporting portal: https://www.uscg.mil/MaritimeCyber/, accessed on 15 December 2023), and has significant investment in capacity building for maritime law enforcement in Southeast Asian countries [87]. Other international bodies offer capacity building and support such as the United Nations Office on Drugs and Crime (UNODC), the Global Maritime Crime Programme (GMCP) (https://www.unodc.org/unodc/en/piracy/index.html, accessed on 15 December 2023), and the IMO’s International Maritime Security Trust (IMST) Fund (https://www.imo.org/en/ourwork/security/pages/maritimesecurity.aspx, accessed on 15 December 2023).
Compared with the lengthy processes involved in creating international legal instruments through consensus-based processes of the IMO, a regionally focussed approach such as this may be able to achieve significant “quick wins” by “piggy-backing” off existing international cooperative structures, and could serve as a model for other regional chokepoints faced with similar security challenges. In this regard, a supporting regional cooperative memorandum, statement or convention specifically on maritime cyber and cyber–physical security should be formulated and issued under the auspices of ASEAN. Further research is needed to examine how a SOMS model might be applied to other regional contexts in this way.

7. Conclusions and Recommendations

The preceding analysis, drawing on primary data from surveys, interviews, roundtable discussions, conference papers, reports, and insights from the Maritime Cybersecurity Database, yields critical conclusions and recommendations for the maritime sector’s cybersecurity landscape.
Firstly, it is evident that cybersecurity attacks on the maritime industry are on the rise and evolving in sophistication, with a noticeable increase in ransomware payments. This escalating threat is exacerbated by challenges such as aging, outdated, and unpatched IT systems on ships, the growing connectivity from Low Earth Orbit (LEO) satellite internet, the convergence of IT and Operational Technology (OT) systems, and a deficiency in cyber awareness and hygiene among ships’ crews. The shortage of IT and cybersecurity staff onboard ships further compounds these vulnerabilities. Data from surveys and interviews confirm a number of points in regard to cybersecurity in the maritime sector, briefly listed as follows: an increasing reliance on ICT and networked devices in shipping creates challenges for traditional ships’ crews; current levels of cybersecurity in ships are insufficient, as are current regulations; and criminal groups will leverage cyber vectors and new technology to pursue innovative ways of conducting their illicit activities.
Addressing these issues requires a multifaceted approach. One key recommendation is the imperative need for comprehensive cybersecurity training and simulations to enhance preparedness and awareness among ships’ crews. This becomes particularly crucial in light of the potential for catastrophic accidents, especially in congested shipping lanes such as the Straits of Malacca and Singapore (SOMS). The injection of confusion into a ship’s bridge could lead to collisions or accidents, underscoring the urgency of heightened preparedness.
In the SOMS region, the looming threat of terrorist actors targeting shipping persists, with a history of malicious attacks on critical infrastructure. While piracy remains largely opportunistic, security organisations warn of the continued possibility of violent crew abductions. In response, the maritime industry must remain vigilant and cooperative within regional frameworks like the MSP, ReCAAP, ACGF, and ASEAN Maritime Outlook. A regional statement, convention or code, focussed specifically on cyber and cyber–physical maritime security should be formulated and issued under the auspices of ASEAN.
On the regulatory front, progress is being made with initiatives like the IMO’s circulars, mandating cybersecurity integration into a ship’s overall risk assessment processes. The International Ship and Port Facility Security (ISPS) Code and the International Association of Classification Societies (IACS) Unified Requirements (UR E26 and E27) are pushing for mandatory cybersecurity in device design, albeit with a realisation that enforcement and real-world results will take time. Nevertheless, the regulations highlight cybersecurity as an aspect of ship design, and the important point that a device is only as secure as the systems that it is connected to.
However, challenges persist in the practical implementation of regulations. Port state controls, while demanding clear evidence of a cyber breach, lack practical guidelines for Port State Control Officers (PSCOs). The beginnings of cybersecurity-focused PSC inspections in some jurisdictions, such as questioning ship masters about shipboard cybersecurity during port visits, can be seen and will raise industry awareness. Still, PSC detentions on cybersecurity grounds are unlikely in the near term due to a lack of clarity on breach definitions and concerns about liability.
To fortify the maritime cybersecurity ecosystem, enhanced cooperation and coordination among domestic governmental agencies in the SOMS littorals are imperative. Information sharing of cyber threat intelligence should be prioritised, and the establishment of a non-mandatory, anonymous reporting framework is crucial to fostering a proactive and collaborative response to emerging threats. Building on existing regional cooperative frameworks for information sharing and coordinated law enforcement, SOMS littoral countries could achieve significant “quick wins” for improved hybrid maritime security by emphasising cooperative capacity building, awareness raising, training, and maritime domain awareness.
While a catastrophic, cascading cyber attack on a shipping chokepoint like the SOMS has not occurred, laboratory tests have proven the potential for such a “black swan” event. The serious and coordinated attention of maritime security stakeholders is required to mitigate the risks associated with disrupting multiple ships simultaneously or causing collisions in strategic shipping lanes. As the industry navigates these challenges, proactive measures, cooperative frameworks, and regulatory enhancements will be paramount in safeguarding the maritime sector against evolving cyber threats.

Funding

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Sklodowska-Curie grant agreement No 101029232.

Institutional Review Board Statement

The study was conducted in accordance with the Declaration of Helsinki and approved by the Ethics Committee of Coventry University, UK reference number: P136040 June 2022.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

Data from this study are not publicly available due to ethics requirements.

Conflicts of Interest

The author declares no conflicts of interest.

References

  1. The Maritime Executive. MSC and CMA CGM Suspend Red Sea Transits, Joining Hapag and Maersk. The Maritime Executive, 17 December 2023.
  2. Jain, A. Suez Canal blockage by Ever Given may cost up to $1bn, say authorities. The Independent, 1 April 2021.
  3. Zorri, D.; Kessler, G.C. Cyber Threats and Choke Points: How Adversaries are Leveraging Maritime Cyber Vulnerabilities for Advantage in Irregular Warfare—Modern War Institute. Modern War Institute at West Point, 9 August 2021.
  4. Akarca, O. The World’s Top 10 Strategic Straits and Channels. More Than Shipping, 24 May 2019.
  5. Bolbot, V.; Kulkarni, K.; Brunou, P.; Banda, O.V.; Musharraf, M. Developments and research directions in maritime cybersecurity: A systematic literature review and bibliometric analysis. Int. J. Crit. Infrastruct. Prot. 2022, 39, 100571.
  6. Drummond, B.M.; Machado, R.C.S. Cyber Security Risk Management for Ports—A Systematic Literature Review. In Proceedings of the 2021 International Workshop on Metrology for the Sea; Learning to Measure Sea Health Parameters (MetroSea), Reggio Calabria, Italy, 4–6 October 2021.
  7. Svilicic, B.; Rudan, I.; Jugović, A.; Zec, D. A Study on Cyber Security Threats in a Shipboard Integrated Navigational System. J. Mar. Sci. Eng. 2019, 7, 364.
  8. Al Ali, N.A.R.; Chebotareva, A.A.; Chebotarev, V.E. Cyber security in marine transport: Opportunities and legal challenges. Pomorstvo 2021, 35, 248–255.
  9. de Faria, D.L. The impact of cybersecurity on the regulatory legal framework for maritime security. JANUS.NET 2020, 11, 163–184.
  10. Hopcraft, R.; Martin, K.M. Effective maritime cybersecurity regulation—The case for a cyber code. J. Indian Ocean. Reg. 2018, 14, 354–366.
  11. Kessler, G.C.; Shepard, S.D. Maritime Cybersecurity: A Guide for Leaders and Managers, 2nd ed.; Independent Publisher: Chicago, IL, USA, 2022.
  12. UNCTAD. Review of Maritime Transport Challenges Faced by Seafarers in View of the COVID-19 Crisis. In Proceedings of the UN Conference on Trade and Development, Bridgetown, Barbados, 3–8 October 2021.
  13. Bueger, C.; Edmunds, T.; McCabe, R. Into the sea: Capacity-building innovations and the maritime security challenge. Third World Q. 2020, 41, 228–246.
  14. OECD. Ocean Shipping and Shipbuilding—OECD; OECD Better Policies Better Lives: Paris, France, 2023.
  15. Höyhtyä, M.; Huusko, J.; Kiviranta, M.; Solberg, K.; Rokka, J. Connectivity for Autonomous Ships: Architecture, Use Cases, and Research Challenges. In Proceedings of the 2017 International Conference on Information and Communication Technology Convergence (ICTC), Jeju Island, Republic of Korea, 18–20 October 2017.
  16. Tam, K.; Jones, K. Maritime cybersecurity policy: The scope and impact of evolving technology on international shipping. J. Cyber Policy 2018, 3, 147–164.
  17. Yağdereli, E.; Gemci, C.; Aktaş, A.Z. A study on cyber-security of autonomous and unmanned vehicles. J. Def. Model. Simul. 2015, 12, 369–381.
  18. Hemminghaus, C.; Bauer, J.; Padilla, E. BRAT: A BRidge Attack Tool for cyber security assessments of maritime systems. TransNav Int. J. Mar. Navig. Saf. Sea Transp. 2021, 15, 35–44.
  19. Askari, H.R.; Hossain, M.N. Towards utilizing autonomous ships: A viable advance in industry 4.0. J. Int. Marit. Saf. Environ. Aff. Shipp. 2022, 6, 39–49.
  20. Fenton, A.J.; Chapsos, I. Ships without crews: IMO and UK responses to cybersecurity, technology, law and regulation of maritime autonomous surface ships (MASS). Front. Comput. Sci. 2023, 5, 1151188.
  21. Fenton, A.J.; Chapsos, I. Robot Boats: Use of Autonomous ‘Ships’ in Law Enforcement, Terrorism and Counter-Terrorism. Marit. Interdiction Oper. J. 2022, 24, 12–17.
  22. L3HARRIS. C-WORKER 7 Autonomous Surface Vehicle (ASV) Offshore Work-Class ASV; L3HARRIS: Melbourne, FL, USA, 2021.
  23. MSubs. Interview with Representative from UK Autonomous Vessel Manufacturer; Fenton, A., Ed.; MSubs: Plymouth, UK, 2022.
  24. UKRN. Experts in innovation take the Royal Navy’s newest vessel to sea. Royal Navy News, 21 February 2023.
  25. Palmejar, E.; Chubb, N. The Learning Curve: The State of Artificial Intelligence in Maritime; Register, T.-L.S., Ed.; Thetius: London, UK, 2023.
  26. Sivori, H.; Brunton, L. Out of the Box: Implementing Autonomy and Assuring Artificial Intelligence in the Maritime Industry; Thetius Lloyd’s Register: London, UK, 2023.
  27. Tam, K.; Hopcraft, R.; Moara-Nkwe, K.; Misas, J.P.; Andrews, W.; Harish, A.V.; Giménez, P.; Crichton, T.; Jones, K. Case study of a cyber-physical attack affecting port and ship operational safety. J. Transp. Technol. 2022, 12, 1–27.
  28. Qu, X.; Meng, Q. The economic importance of the Straits of Malacca and Singapore: An extreme-scenario analysis. Transp. Res. Part E Logist. Transp. Rev. 2012, 48, 258–265.
  29. Tam, K.; Chang, B.; Hopcraft, R.; Moara-Nkwe, K.; Jones, K. Quantifying the econometric loss of a cyber-physical attack on a seaport. Front. Comput. Sci. 2023, 4, 1057507.
  30. Weiss, J. Was the Ever Given hacked in the Suez Canal? Control, 13 April 2021.
  31. PMA. Marine Safety Investigation Report Grounding of MV Ever Given at Suez Canal Egypt on March 23, 2021 M/V “EVER GIVEN” IMO No. 9811000 R-026-2021-DIAM CASUALTY DATE: March 23rd, 2021; Panama Maritime Authority: Panama City, Panama, 2023.
  32. Nofandi, F.; Widyaningsih, U.; Rakhman, R.A.; Mirianto, A.; Zuhri, Z.; Harini, N.V. Case Study of Ship Traffic Crowds in The Malacca Strait-Singapore by Using Vessel Traffic System. IOP Conf. Ser. Earth Environ. Sci. 2022, 1081, 012009.
  33. NHL. Maritime Cyber Attack Database MCAD; NHL Stenden University of Applied Science: Leeuwarden, The Netherlands, 2023.
  34. NHL. Interview with Professor of Maritime Cybersecurity Netherlands NHL Stenden University; Fenton, A., Ed.; NHL Stenden University of Applied Science: Leeuwarden, The Netherlands, 2023.
  35. Kessler, G.C. What’s the Worst Cyber Attack You Can Imagine Striking a Shipping Vessel? And How Can You Keep It from Hitting Your Fleet? Available online: https://www.linkedin.com/posts/garykessler_askgary-what-is-the-worst-cyberattack-you-activity-7068955197598781440-UmoI/ (accessed on 15 May 2023).
  36. The Maritime Executive. Cyberattack Hits Multiple Greek Shipping Firms. The Maritime Executive, 3 November 2021.
  37. Stempel, J. Carnival is fined $5 million by New York for cybersecurity violations. Reuters, 24 June 2022.
  38. Tuffley, D. Major cyberattack on Australian ports suggests sabotage by a ‘foreign state actor’. The Conversation, 13 November 2023.
  39. The Maritime Executive. Cyberattack Disrupting Northern European Oil Hubs in Major Ports. The Maritime Executive, 4 February 2022.
  40. Greenberg, A. The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Wired, 22 August 2018.
  41. USCG. Proceedings of the Marine Safety & Security Council: Uncharted Waters: Navigating the integration of autonomous vessels. Coast Guard. J. Saf. Secur. Sea 2022, 79, 1–80.
  42. Anthony, I.; Su, F.; Saalman, L. Naval Incident Management in Europe, East Asia and South East Asia; SIPRI Stockholm International Peace Research Institute: Stockholm, Sweden, 2023.
  43. Reuters. South Korea tells U.N. that North Korea GPS jamming threatens boats, planes. Reuters, 11 April 2016.
  44. Murdock, J. Sea pirates ditch guns for computer hacking to plunder booty from cargo ships. International Business Times, 3 March 2016.
  45. Harris, M. Phantom Warships are Courting Chaos in Conflict Zones: The latest weapons in the global information war are fake vessels behaving badly. Wired, 29 July 2021.
  46. Sutton, H.I. Positions of Two NATO Ships Were Falsified Near Russian Black Sea Naval Base. USNI News, 21 June 2021.
  47. Kenney, M.; Macdonald, F. Shifting Tides, Rising Ransoms and Critical Decisions: Progress on Maritime Cyber Risk Management and Maturity; Cyber Owl: London, UK; Thetius: London, UK; HFW: London, UK, 2023.
  48. Scanlan, J.; Styles, J.; Lyneham, D.; Lützhöft, M. New Internet Satellite Constellations to Increase Cyber Risk in Ill-Prepared Industries. In Proceedings of the 70th International Astronautical Congress (IAC), Washington, DC, USA, 21–25 October 2019.
  49. PA. Interview with Representative of UK Chamber of Shipping; Fenton, A., Ed.; 2023.
  50. ER. Interview with Representative from Yangosat Maritime Cybersecurity Practitioner; Fenton, A., Ed.; 2022.
  51. Fenton, A.J. Ukraine: How uncrewed boats are changing the way wars are fought at sea. The Conversation, 21 March 2023.
  52. The Maritime Executive. GAO: Understaffed, Overworked Crews Slow Down U.S. Navy Maintenance. The Maritime Executive, 10 February 2022.
  53. Nautilus Federation. Accidents and Ill-Health: The Forgotten Covid Crisis; Nautilus Federation: Basel, Switzerland, 2021.
  54. KR. Interview with Professor of Security Studies Singapore; Fenton, A., Ed.; 2023.
  55. van Dijk, C. Religious Authority and the Supernatural. In Varieties of Religious Authority: Changes and Challenges in 20th Century Indonesian Islam; IIAS: Leiden, The Netherlands, 2010; p. 177.
  56. Farrell, R. Maritime Terrorism: Focusing on the Probable. Nav. War Coll. Rev. 2007, 60, 46–60.
  57. Ramakrishna, K. The Threat of Terrorism and Extremism: “A Matter of ‘When’, and Not ‘If’”. Southeast Asian Aff. 2017, 2017, 335–350.
  58. Henley, J.; Stewart, H. Al-Qaida suspected in tanker explosion. The Guardian, 7 October 2002.
  59. Kuhn, K.; McIlhatton, D.; Malcolm, J.A.; Chapsos, I. Protective security at sea: A counter terrorism framework for cruise and passenger ships. WMU J. Marit. Aff. 2023, 22, 345–363.
  60. Janjeva, A.; Harris, A.; Mercer, S.; Kasprzyk, A.; Gausen, A. The Rapid Rise of Generative AI: Assessing Risks to Safety and Security; Centre for Emerging Technology and Security, Turing Institute: London, UK, 2023.
  61. Europol. ChatGPT The Impact of Large Language Models on Law Enforcement, in Tech Watch Flash; Publications Office of the European Union: Luxembourg, 2023.
  62. Al Jazeera News. AJ Yemen’s Houthis ‘will not stop’ Red Sea attacks until Israel ends Gaza war. Al Jazeera News, 19 December 2023.
  63. BNPT. Interview with Representative of Intelligence Division of National Counter-Terrorism Agency (BNPT); Fenton, A., Ed.; 2023.
  64. ReCAAP. 3rd Quarter Report Piracy and Armed Robbery against Ships in Asia; ReCAAP Information Sharing Centre: Singapore, 2023.
  65. ReCAAP. Half Yearly Report January–June 2023 Piracy and Armed Robbery against Ships in Asia; ReCAAP Information Sharing Centre: Singapore, 2023.
  66. BAKAMLA. Interview with Representatives from Badan Keamanan Laut (BAKAMLA Indonesian Coast Guard); Fenton, A., Ed.; 2022.
  67. IMIC. Monthly Report June 2023, Indonesia Maritime Information Centre Badan Keamanan Laut Indonesian Coast Guard; IFC: Singapore, 2023.
  68. AF. Coventry CTPSR MSCA Roundtable discussion on Maritime Hybrid Security in Southeast Asia. 2023.
  69. JC. Interview with Singapore Academic Expert in Regional Maritime Security; Fenton, A., Ed.; 2023.
  70. KEMLU. ASEAN Maritime Outlook (AMO): Indonesia’s Initiative to Strengthen Comprehensive ASEAN Maritime Cooperation; KEMLU: Jakarta Pusat, Indonesia, 2023.
  71. IMO. Resolution MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems in MSC. 428(98); IMO: London, UK, 2017.
  72. IMO. MSC-FAL.1-Circ.3 Guidelines on Maritime Cyber Risk Management; International Maritime Organization: London, UK, 2022.
  73. AB. Interview with Maritime Industry Commentator; Fenton, A., Ed.; 2023.
  74. CB. Interview with Representative of Dutch Shipowners Association; Fenton, A., Ed.; 2023.
  75. The National Archives. The Merchant Shipping (Recognised Organisations) (Amendment) (EU Exit) Regulations 2019; The National Archives: Richmond, UK, 2019.
  76. MCA. Instructions for the Guidance of Surveyors on International Management Code for the Safe Operation of Ships and for Pollution Prevention (The ISM Code); MSIS02 Rev 07-2023; Maritime and Coastguard Agency: Southampton, UK, 2023.
  77. DfT. Cyber Security Code of Practice for Ships; Department for Transport: London, UK, 2023.
  78. Zoelen, F.V. Cybersecurity and the Maritime Single Window (MSW, Mandatory from 2024). In Proceedings of the Cyber-SHIP Lab/International Maritime Organization Annual Symposium, London, UK, 1–2 November 2023.
  79. IACS. E26—Cyber Resilience of Ships; International Association of Classification Societies: London, UK, 2022.
  80. IACS. E27—Cyber Resilience of On-board Systems and Equipment; International Association of Classification Societies: London, UK, 2022.
  81. IACS. IACS UR E26 and E27 Press Release; International Association of Classification Societies: London, UK, 2024.
  82. Collin, K.S.L. The Malacca Strait Patrols: Finding Common Ground; RSIS Commentaries; Nanyang Technological University: Singapore, 2016.
  83. Antara News. Indonesia-led ASEAN Coast Guard Forum discusses protection of waters. Antara News, 7 June 2023.
  84. BPHN. Pemerintah Mendukung Perubahan UU Nomor 32 Tahun 2014 Tentang Kelautan. 2023.
  85. MIMA. Interview with Malaysian Institute of Maritime Affairs (MIMA); Fenton, A., Ed.; 2023.
  86. HMG. National Strategy for Maritime Security. Presented at Parliament by the Secretary of State for Transport by Command of Her Majesty, London, UK, 1 August 2022; Department for Transport: London, UK, 2022.
  87. Searight, A. Statement before the House Committee on Transportation and Infrastructure Subcommittee on Coast Guard and Maritime Transportation Hearing on “The International Role of the U.S. Coast Guard” “U.S. Coast Guard cooperation with Southeast Asia: Maritime Challenges and Strategic Opportunities”; Center for Strategic and International Studies (CSIS): Washington, DC, USA, 2020.
Figure 1. Maritime Cyber Incidents by Year 2001–2023. Recreated by author based on data from Maritime Cyber Attack Database (MCAD) NHL Stenden University, Netherlands www.maritimecybersecurity.nl, accessed on 15 December 2023.
Figure 2. Survey responses to the statement “ICT (Information and Communications Technology) in ships, that is, automated, computer-based systems such as Electronic Chart Displays (ECDIS), Automatic Identification Systems (AIS), satellite communications, on-board networks of Information Technology (IT) and Operational Technology (OT) and others, create new threats, vulnerabilities and challenges for maritime security”.
Figure 3. Survey responses to the statement “Emerging technology—such as autonomous ‘uncrewed’ or ‘unmanned’ ships, automated, computer-based processes, machine learning, SCADA, sensors, algorithms etc., operating on board ships—create new threats, vulnerabilities and challenges for maritime security”.
Figure 4. Survey responses to the statement “Current levels of cybersecurity in ships are sufficient to counter or defend against threats from criminal groups”.
Figure 5. Survey responses to the statement “I am aware of cyber attacks that have occurred against the maritime sector, including ships, ports and shipping companies”.
Figure 6. Survey responses to the statement “Pirate, terrorist or transnational organised criminal groups will utilise these kinds of new technology (autonomous craft, AI, cyber attacks) to further their criminal operations”.
Figure 7. Survey responses to the statement “Cybersecurity in the maritime sector lags behind cybersecurity in other areas of critical infrastructure”.
Figure 8. Survey responses to the statement “Current legal/regulatory regimes are sufficient to account for changes in new technology and will not need to be revised or reformed to adapt”.
Fenton, A.J. Preventing Catastrophic Cyber–Physical Attacks on the Global Maritime Transportation System: A Case Study of Hybrid Maritime Security in the Straits of Malacca and Singapore. J. Mar. Sci. Eng. 2024, 12, 510. https://doi.org/10.3390/jmse12030510