Critical Maritime Infrastructure Faces Unprecedented Digital Threats
By Luke King
From low-scale ransomware to state-backed attacks, maritime infrastructure is under siege. Breakbulk talks to leading ports to uncover the scale of the threat and what the industry must do to stay secure.
From Issue 6, 2025 of Breakbulk Magazine
“This is not peacetime anymore,” is the frank assessment of Jacques Vandermeiren, CEO of Port of Antwerp-Bruges. “We are somewhere between peace and real war, and cyberattacks are the first indications.”
Speaking to journalists during an online press briefing earlier this year, the chief executive said his port sees “regular, massive attacks on our data centers and services, particularly from Russian and Russian-friendly territories.” And he’s not alone: Rotterdam, Le Havre, Hamburg and Bremen all report similar attacks.
The statistics support Vandermeiren’s alarm. The International Chamber of Shipping’s Maritime Risk Barometer Report 2024-25 lists cyber-attacks as one of the top emerging risks for shipowners and ports, while a research group at the Netherlands’ NHL Stenden University of Applied Sciences found that shipping cyberattacks shot up from just 10 in 2021 to at least 64 in 2024. With approximately 80% of world trade carried by sea, the stakes couldn’t be higher.
Yannick Herrebaut, cyber resilience manager at Port of Antwerp-Bruges, confirms the escalation, telling Breakbulk: “Both the amount and frequency of cyberattacks [at Port of Antwerp-Bruges] have increased since 2022, mainly as a result of the Russian invasion of Ukraine and the subsequent help that countries like Belgium provide to Ukraine.”
As a result, the port has invested significantly in cybersecurity since 2018, identifying it as a critical business risk. “Therefore, we have the necessary controls in place, and we’re able to severely limit the operational and financial impact of such attacks,” said Herrebaut.
Looking ahead, his main concern is the cyber arms race. “The bigger and more frequent cyberattacks get, the more resources companies will have to allocate to counter them. Not everyone will be able to follow in this cyber arms race, which will probably lead to more successful attacks,” Herrebaut warns.
He identifies two key vulnerabilities: operational technology running outdated software that controls critical functions like cranes and engines, and start-up companies offering IoT and AI-powered services without basic cybersecurity controls.
Global Systems Crippled
The industry’s vulnerability was brutally exposed in June 2017 when global shipping operator A.P. Moller-Maersk fell victim to the NotPetya ransomware attack. Within minutes, the malware crippled Maersk’s systems in offices and ports worldwide, rendering nearly 50,000 laptops inoperable and paralyzing 17 of the company’s 76 international ports. Without access to computer systems, Maersk literally didn’t know what was in its containers, forcing staff to carry out manual checks.
The attack, attributed to Russia’s military intelligence unit GRU as part of cyber warfare against Ukraine, cost Maersk an estimated US$250 million to US$300 million, with FedEx’s TNT Express losing US$400 million and pharmaceutical giant Merck incurring US$870 million in losses. Maersk declined to comment for this article.
Four years later, South Africa experienced what the Pretoria-based Institute for Security Studies, a nonprofit research organization that provides independent policy advice and analysis on African security matters, called an “unprecedented” disruption when state-owned ports operator Transnet was hit by ransomware in July 2021. The attack prompted force majeure declarations at key container terminals including the Port of Durban, which handles 60% of Southern Africa’s containerized trade.
Workers processed cargo manually at about three containers per hour — a fraction of their normal rate. The attack, linked to ransomware strains known as “Death Kitty” and “Hello Kitty,” likely originated from Russia or Eastern Europe, according to cybersecurity firm CrowdStrike.
Chris Wolski, adjunct professor of law at Texas A&M University School of Law and a maritime cybersecurity consultant, identifies a critical vulnerability: interconnections between organizations. “For example, stevedores may have access from their systems to a port-owned system. If the stevedore’s systems are not sufficiently hardened, then those systems have the potential to be the gateway into the port,” Wolski told Breakbulk.
It’s an area the U.S. Coast Guard is tackling through new cybersecurity rules effective July 2025, requiring vessels, ports and offshore facilities to assess and monitor the cyber resilience of third parties and contractors. Industry groups say compliance could prove challenging for smaller operators lacking dedicated IT security teams, yet the rules underscore growing recognition that supply chain partners often present the weakest link in port cybersecurity.
Well-Funded Threats
Wolski identifies two main threat categories. “Cyber threats from well-funded threat actors, such as nation states, are the most worrisome. These threat agents have the patience and resources available to conduct thorough research.” However, cybercriminals remain persistent. “These actors are out to make money and work off a return on investment mentality. If the target of their attack is decently defended, they will move on to another less secure target.”
On preparedness levels, Wolski is candid: “Organizations with funds to purchase technology and sufficiently staff a cybersecurity team have better capabilities.” He points to the Port of Corpus Christi in Texas, which prioritized becoming the first U.S. port to achieve ISO 27001:2022 certification, considered the international gold standard for information security management systems.
For smaller ports, Wolski’s advice is straightforward: “Basic cyber hygiene is a good place for small entities to start. Consistently apply security patches to your systems. Replace systems before they become unsupported. Implement a decent endpoint detection and response capability.”
His overriding message to port leaders? “The adage of ‘not if, but when’ is still accurate. Reduce risk to organizational operations by addressing cyber risk through proper cyber hygiene. Cyber risk is a risk that can be controlled.”
Austin Reid, senior consultant at ABS Consulting, a Houston-based global risk management and safety consultancy, focuses on the operational reality of attacks. “When a cyberattack hits a port, the disruption usually begins with the business network. Most attacks target IT systems first. As a precaution, or due to the cascading impacts, key operational technology systems are often stopped,” Reid explains.
Systems critical to terminal operations, such as gates, scheduling and inventory management, are closely tied to IT networks. “If these IT systems are compromised, an accurate accounting of cargo movement becomes impossible.”
Long-Term Impact
This loss of visibility is why port operations can grind to a halt, says Reid. “Falling back to manual or nondigital processes is a highly challenging and potentially costly response. If ports and terminals are not adequately prepared with backup systems and recovery procedures, this type of disruption can lead to significant financial losses, reputational damage and long-term operational impacts.”
Reid notes that preparedness varies significantly. “While some operators have developed mature cyber programs, many struggle to keep pace with evolving threats and emerging regulations. The primary challenge is managing complex environments where new IT and OT technologies have been layered onto legacy infrastructure without comprehensive asset inventories.”
On weak points, Reid identifies inadequate preparation for system failures. “Many operators focus on preventing breaches but haven’t adequately planned for what happens when, not if, systems fail. Even capable cybersecurity teams are ineffective without proper tools, documented processes and organizational empowerment to act during crises.”
His advice for resource-limited ports is practical: “Focus on drilling, exercising and training your team. Take advantage of free or low-cost resources offered by government organizations like the United States Coast Guard. Don’t wait for perfect visibility before you start improving. Begin with tabletop exercises that identify gaps, then systematically address the highest-priority vulnerabilities.”
Reid urges port executives: “Treat cyber incidents as operational emergencies, not IT problems. Invest in your people and verify that your organization deeply understands both the environment you’re protecting and the specific steps to take when an incident occurs. The difference between successful and failed incident responses comes down to whether your people and processes are prepared.”
Critical Infrastructure
Pete Rucinski, managing director at Assure Technical Ltd., a UK-based cybersecurity and compliance consultancy, emphasizes that ports must be treated as critical national infrastructure. “Ports sit at the intersection of the physical and digital worlds, where maritime logistics, industrial control systems and corporate IT converge. This convergence creates enormous efficiency but it also introduces an entirely new attack surface.”
For Rucinski, resilience means sustaining operations during disruption. “A cyber event that halts gate operations or vessel movement can paralyze trade and ripple through national economies within hours.”
On threats, he notes that criminal groups dominate in volume, launching ransomware and extortion campaigns, while state-aligned actors view port infrastructure as both an intelligence source and geopolitical lever. “The evolution of supply-chain attacks is particularly concerning. Ports are deeply interconnected ecosystems: shipping lines, customs systems, freight forwarders all share data. A compromise in one node can cascade across the network.”
When cyberattacks hit, the impact is immediate and physical. “The moment systems go down, cranes stop moving, gates close and the flow of goods halts. Critical data such as cargo manifests, customs declarations, vessel schedules, may become inaccessible or corrupted. The consequences ripple through the wider economy: supply chains are delayed, perishable goods spoil and manufacturing lines pause. Cyber incidents at ports cannot be measured solely in terms of IT recovery; their true cost is systemic, spanning trade, commerce and even national security.”
Rucinski sees the biggest weaknesses in the interfaces between technology, systems and people. “Legacy OT assets are notoriously difficult to secure. Many cannot be patched, run unsupported software, or rely on outdated network protocols. The divide between IT and OT teams remains entrenched: IT prioritizes confidentiality while OT prioritizes uptime (continuous operations), and this cultural gap often leaves vulnerabilities unaddressed.”
His practical advice: “Segmentation between IT and OT networks, strict control of remote access, and implementation of multifactor authentication can dramatically limit attacker mobility. Regular, tested backups stored offline are critical. Conducting a simple mapping exercise of all connected assets is one of the most powerful, low-cost steps available.”
On regulations, Rucinski believes frameworks like IMO guidelines and NIS2 have elevated cybersecurity to boardroom level, but effectiveness depends on implementation. “When applied mechanically, regulation risks becoming a tick-box exercise that adds paperwork without reducing risk. The opportunity lies in using these standards as catalysts for cultural change.”
His message to port CEOs: “Cybersecurity is now a business continuity issue, not a technical one. It directly determines a port’s ability to operate, trade and maintain trust. Focus on visibility, integration and preparedness. Ports are the beating hearts of global trade. Protecting them from cyber disruption is about ensuring that the world keeps moving, even when under attack.
“The question is no longer if a port will face a cyber incident, but how well it can sustain operations when it does.”
Top photo: Havenhuis, the HQ of the Port of Antwerp-Bruges, reports regular cyberattacks. Credit: Port of Antwerp-Bruges