It is always interesting to see how threat actors are portrayed in movies. Often, they are depicted as an anti-social lone figure intensely typing for a few minutes before dramatically breaking into a system with the classic declaration of “I’m in.”

The results can be dramatic. In the 1997 movie “Speed 2: Cruise Control,” the hacker John Geiger sought revenge on his previous employers by attempting to crash a cruise vessel into a tanker. His ultimate goal was to use the chaos as a distraction for a diamond heist.

While entertaining, this isn’t quite the reality. It is important to understand the realistic motivations of threat actors. Cybercriminals can be grouped into three main categories: state-affiliated groups and hacktivists, criminal organizations, and lone criminals.

[This article was published exclusively for Space Security Sentinel, a new monthly newsletter at the intersection of cybersecurity and space. Subscribe to the newsletter here.]

State-affiliated groups and independent hacktivists have a variety of motives, including political coercion, economic gain, information gathering, and disruptive attacks on critical infrastructure. Criminal organizations primarily seek financial gain, operating with a business-like structure and utilizing ransomware-as-a-service (RaaS) models. Individual threat actors have more elusive motivations, often financial, but can also include ideological beliefs or the thrill of hacking a system.

While the possibility of vessels being made to collide intentionally or being used to attack a port cannot be entirely ruled out, it is often an improbable scenario. Cybercriminals are much more likely to prioritize exploitation over sabotage, as a vessel is a powerful financial asset.

Nevertheless, the risk to crew and vessel safety should not be dismissed, especially as critical operational technology (OT) systems become increasingly connected.

Risks are Increasing, Driven by Connectivity

Connectivity at sea has dramatically increased from traditional L-band systems to higher-speed Low-Earth Orbit (LEO) services such as Starlink and OneWeb.

Before a vessel was connected, it was simply not possible for a threat actor to commit a cyber-attack. The shift to high-bandwidth environments supports more advanced operational capabilities and improves crew connectivity, but it also creates new vulnerabilities.

One example is the increasing take-up of smart shipping technologies, primarily driven by their cost-saving potential. These technologies improve operational efficiencies, reduce fuel consumption, enhance crew safety, and enable data-led decision-making. However, employing these services increases the attack surface for cybercriminals, as they require extensive data exchange between IT and OT networks.

In addition, crew connectivity is rising. Reports state that Starlink’s LEO services were installed on approximately 75,000 vessels at the end of 2024. Starlink is often utilized to provide the crew with high-bandwidth connectivity. With greater access to the internet, crew members are highly susceptible to social engineering attacks as they are more likely to download content and click on potentially harmful links.

Social engineering, particularly phishing, is one of the most prevalent types of cyberattacks both within and beyond the maritime sector. The danger of phishing is that it can serve as an attack vector that leads to other types of cyber incidents, for example, a ransomware attack. By deceiving individuals into revealing credentials or downloading malicious files, cybercriminals can gain unauthorized access to networks. Connectivity service provider Marlink reported in October 2024 that its Security Operations Centre (SOC) monitored 1,800 vessels in the first half of 2024 and found phishing to be the most common method used to access networks.

Maritime Industry Rises to Meet the Challenge

Cybersecurity services can be likened to the Wall in Game of Thrones, the first line of defense against the White Walkers. Subscriptions to these services are growing. In its report The Future of Maritime Cybersecurity, Valour Consultancy estimates that the commercial market for cybersecurity services stood at approximately $190 million at the end of 2024.

The solutions on offer are diverse, but they can be narrowed down into four categories: consulting and training, endpoint protection, network and infrastructure security, as well as security and operations monitoring.

Endpoint protection and network and infrastructure security provide fundamental protections required for a vessel to remain secure, encompassing a broad spectrum of services. This includes more basic protections such as antivirus, antispam, and firewalls, extending to more sophisticated services such as unified threat management (UTM) and endpoint detection and response (EDR).

Security operations and monitoring services act as the ‘Night’s Watch’, guarding the perimeter and monitoring activity. There is an increasing trend toward outsourcing cybersecurity monitoring to SOCs, as this can ensure threats are identified and mitigated in real time. This growing demand is highlighted by the fact that providers are actively investing in and developing these services. For example, connectivity service provider Tototheo Global SOC offers continuous threat monitoring, detection, and response services, including threat hunting, endpoint management, and incident containment. In addition, CyberOwl’s Medulla offers monitoring and analytics for operational assets, including managed services, for real-time visibility and threat intelligence.

Finally, consulting and training services play an intriguing role in the cybersecurity market as effective protection extends beyond technology. Awareness itself can be a significant factor in cyber defenses. These services include training for crew, executive-level education, gap analysis, penetration testing, along with bespoke project-based consulting.

Protecting a vessel’s digital infrastructure extends beyond subscriptions to cybersecurity services. Cybersecurity starts with effective IT management and is often embedded into other digital offerings. An example is Dualog’s email product, ‘Dualog Mail’, a core part of its business. It is a fleet-wide email management system that provides email services with unlimited user accounts per ship and remote configuration from shore. Its security features include malware and phishing protection, domain authentication, anti-spam filtering, and attachment verification. Emails are scanned for threats, phishing links are flagged, and suspicious messages can be quarantined.

Appetites for cybersecurity services vary greatly across the industry. The decision to implement advanced security measures lies with IT managers as well as budget holders, who can have conflicting priorities. For more cost-sensitive companies, the priority is achieving compliance with growing regulations with minimal expenditure. Large shipping companies and those operating in high-risk environments are more likely to implement services that go beyond basic protection.

However, as awareness of threats increases across the industry, so does the demand for stronger security measures.

Alishia Sims is a Market Research Analyst on the Valour Consultancy maritime team and the author of our digitalization reports. Valour Consultancy’s latest study, The Future of Maritime Cybersecurity – 2025, offers detailed insights into the market dynamics: drivers, inhibitors, technology trends, and the competitive environment, with market estimates and forecasts provided out to 2034.
