Cybersecurity lapses in Maritime region

ABSTRACT:

The swift digitalization of the marine sector has exposed it to previously unheard-of cyberthreats that jeopardize the security, safety, and functionality of ports and ships. Cyber events have the power to halt international trade, from ransomware assaults and GPS spoofing to the interruption of port logistics. The international legal system is still undeveloped and disjointed in spite of this mounting threat. This essay critically analyzes maritime cybersecurity shortcomings from a legal standpoint, emphasizing the shortcomings of current tools, including IMO regulations, the SOLAS Convention, and UNCLOS. Flag state accountability, jurisdiction, attribution, and culpability are examined, and the regulatory flaws brought about by an excessive dependence on non-binding standards are emphasized. The study identifies critical reform areas and suggests a course of action through legal analysis and real-world case references. These areas include the need for stronger state commitments, more enforceable international standards, and increased accountability from the private sector. According to the study, in order to protect the global shipping ecosystem in the digital age, cybersecurity must be incorporated into standard marine legal frameworks.

KEYWORDS: SOLAS, UNCLOS, Cyberattack, IMO, Cyberdefense

Introduction

With 90% of worldwide trade being carried out by sea, the maritime industry is the backbone of world trade. The sector has seen a revolutionary change toward digitization within the last 20 years. Automated port terminals, cloud-based logistics platforms, integrated control systems, and advanced navigational technology have transformed maritime operations, making them more efficient, connected, and quick. Yet, a new class of risk has emerged as a result of this technical advancement: cybersecurity dangers. Equipped with satellite-linked navigation technologies such as Electronic Chart Display and Information Systems (ECDIS), Automatic Identification Systems (AIS), and Global Positioning Systems (GPS), modern ships have evolved into floating data centers. Ports are also largely dependent on automated cranes, digitally coordinated supply chain platforms, and customs procedures. While these technologies increase operational efficiency, they also make maritime infrastructure more susceptible to ransomware, phishing schemes, malware infections, GPS spoofing, and denial-of-service (DoS) attacks. These cyberattacks have the potential to cause environmental catastrophes, operational delays, cargo theft, and even hazards to marine life. High-profile incidents that highlight the scope and effect of cyber threats in the marine industry include the 2017 NotPetya malware assault on Maersk, which interrupted operations at 76 ports and resulted in estimated losses of over USD 300 million. These vulnerabilities are real, persistent, and globally significant, as evidenced by more recent instances of GPS spoofing in conflict-prone regions like the South China Sea and the Red Sea, as well as cyber disruptions at major international ports. Nevertheless, the international legal system that oversees maritime cybersecurity is still ill-prepared to handle the intricate and pressing nature of these threats.
Prior to the emergence of the internet, treaties like the Safety of Life at Sea (SOLAS) Convention and the United Nations Convention on the Law of the Sea (UNCLOS) were drafted. The absence of legally enforceable obligations, compliance systems, and enforcement authority continues to impede the establishment of a strong legal framework, despite the International Maritime Organization’s (IMO) efforts to close this gap through voluntary frameworks and guidelines. With a focus on the shortcomings of existing tools, the difficulties of governmental and private accountability, questions of jurisdiction and attribution, and the gaps in liability and insurance legislation, this study aims to investigate the shortcomings in maritime cybersecurity from a legal standpoint. It makes the case that cybersecurity must be incorporated into the fundamental framework of maritime law immediately and provides a roadmap for legal reform and international collaboration. It is not only a policy requirement but also a legal requirement for cybersecurity to be incorporated into legally enforceable standards as international trade becomes more and more reliant on safe digital maritime infrastructure.

Nature of cybersecurity lapses in Maritime

Complex digital technologies have become more and more necessary for the maritime industry to manage and optimize operations. This digital revolution has greatly increased efficiency in a variety of areas, including worldwide supply chain logistics, automated terminal operations, and onboard navigation systems. However, it has also created a wide and intricately layered cyber-attack surface. Operational technologies (OT) like electronic navigation devices and propulsion control systems are increasingly integrated with conventional IT systems like crew communications and cargo paperwork, transforming modern ships into floating data centers. Due to their frequent interconnection—and occasionally inadequate network segmentation—these systems are susceptible to cyber attacks that may travel laterally within a ship or between a ship and infrastructure on land.

Additionally vulnerable to cyberattacks are ports and terminals, especially large automated ports like those in Rotterdam, Singapore, or Los Angeles. Because of their dependence on cloud-based customs databases, automated cranes, container tracking software, and terminal operating systems, ransomware gangs find them to be a lucrative target. Any interruption to these systems has the potential to cause ripple delays in international maritime lanes. Additionally, navigation systems like the Electronic Chart Display and Information Systems (ECDIS), Automatic Identification Systems (AIS), and Global Navigation Satellite Systems (GNSS) are susceptible to jamming and spoofing, which can cause vessel misdirection and even maritime collisions or groundings. GPS spoofing incidents in politically sensitive areas, like the South China Sea and Red Sea, have already shown how dangerous these flaws are in practice.

Numerous players, each with unique goals, pose a threat to the maritime realm through cyberspace. Criminal ransomware organizations, like the ones behind the attacks on the Port of Nagoya or several oil facilities in Europe, frequently use operational disruption and ransom payments as a means of generating revenue. During times of geopolitical conflict, state-affiliated or “grey zone” entities purposefully target vital marine infrastructure or conduct espionage in order to gain political and strategic leverage through cyberattacks. Hacktivists may want to obstruct trade routes for ideological reasons, while insider threats—whether deliberate or the result of carelessness—remain a major potential weakness. An example of how widespread and quick such attacks may be is the 2017 NotPetya malware outbreak, which had a significant impact on Maersk, incurring an estimated $300 million in losses and stopping port operations. The incident was linked to a software supply-chain hack.

Numerous and very advanced technical vectors are employed to take advantage of these vulnerabilities. Mass ransomware attacks frequently target port logistics software and terminal control systems, encrypting data and stopping operations. As the Maersk incident shows, supply chain attacks—in which legitimate software updates are used to distribute malware—have proven particularly risky. Distributed denial of service (DDoS) attacks, GNSS spoofing, and persistent port scanning are also frequently employed to probe, disrupt, or deceive maritime systems. Further highlighting the strategic importance of maritime cybersecurity, state-sponsored actors have even targeted underwater fiber-optic cables, which transport enormous volumes of financial and shipping data, with cyber-physical disruption.

There is a substantial risk in terms of numbers. The Port of Los Angeles, for example, recorded more than 40 million hostile cyber probes per month in 2024, demonstrating the startling scope of ongoing online threats. The economic ramifications of significant cyberattacks can be dire; individual instances can cost hundreds of millions of dollars and disrupt international trade. A single cyberattack can also have an immediate impact on several continents due to the transnational and interdependent nature of maritime activities. The sector is particularly vulnerable to systemic disruption because of the high level of automation and digital interconnectedness, which also means that problems in one area (like navigation) can swiftly cause problems in other areas (like port access or cargo unloading).

These breaches have several underlying causes. Many ports and ships continue to use legacy operational technologies, which are antiquated systems that were never intended to be internet-facing but are now exposed because of 5G port integration or satellite internet. Because IT and OT systems have frequently converged without proper network segmentation, a breach in one area (such as a crew member’s email) could give access to vital ship controls. Patch management is another ongoing issue, particularly for ships at sea, where crucial software updates are sometimes delayed by satellite bandwidth restrictions or extended intervals between port calls. Another serious weakness is human error; crew members frequently lack proper cyber training, which makes phishing attempts a typical entry point for attackers.

The regulatory environment is unenforceable, which exacerbates these organizational and technical flaws. Shipowners are required under the International Maritime Organization’s (IMO) Resolution MSC.428(98) to incorporate cyber risk into their Safety Management Systems (SMS); however, this directive is not legally binding and has no enforcement measures. This leads to cybersecurity being viewed more as a checklist item for certification or insurance purposes than as a vital safety necessity. Furthermore, the attack surface has been significantly increased by the growing use of high-bandwidth satellite connectivity (like Starlink or OneWeb) on commercial ships, and advancements in artificial intelligence have reduced the cost and complexity of launching sophisticated attacks, thus intensifying the threat.

Maritime cybersecurity breaches are a consequence of deeply ingrained structural weaknesses in the industry rather than isolated IT malfunctions. From the operations of a single vessel to entire port systems and global supply chains, the scale of these risks is enormous. Both criminal and state-sponsored cyber operations continue to view the global marine industry as a high-value target in the absence of a unified, legally binding, and enforced framework—and without commensurate advancements in digital resilience.

Legal Framework Governing Maritime Cybersecurity

The existing legislative structure governing cybersecurity in the marine industry is disjointed, mostly non-binding, and unable to handle the increasing complexity and scope of cyberthreats in the global maritime realm. While traditional maritime law, such as the International Convention for the Safety of Life at Sea (SOLAS) and the United Nations Convention on the Law of the Sea (UNCLOS), provides broad obligations regarding safety, navigation, and state responsibility, cybersecurity is not specifically addressed by these documents because they were drafted long before digital technologies became popular. Consequently, the International Maritime Organization’s (IMO) soft law instruments and guidelines—which are enforced inconsistently across states and lack legal force—have been the mainstay of maritime cyber risk legislation.

As the fundamental agreement regulating the use of the world’s seas and oceans, UNCLOS lacks specific cybersecurity measures. On the other hand, it imposes obligations on coastal, port, and flag states that could be construed as cybersecurity duties. For example, flag states must effectively exercise jurisdiction and control over administrative, technical, and social matters pertaining to ships flying their flag, as required by Article 94. It is arguable that this responsibility also includes making sure that ships’ safety procedures include sufficient cybersecurity protections. Article 22(2) also gives coastal states the authority to control innocent passage in their territorial seas in order to maintain peace and security; one may argue that this includes stopping cyber-compromised ships from endangering infrastructure within their countries. However, because these provisions are broad and were never meant to regulate cyber operations, their applicability in the cybersecurity environment is both operationally poor and legally ambiguous.

The IMO has taken the most direct approach to addressing maritime cyber risk, having issued Resolution MSC.428(98) in 2017. As required by the International Safety Management (ISM) Code, an annex to SOLAS, this resolution calls for cyber threats to be addressed within the scope of ships’ current Safety Management Systems (SMS). Under the resolution, by January 1, 2021, shipowners, managers, and operators were required to include cybersecurity risk assessments into their safety protocols. This resolution is a non-binding recommendation, but it is an important first step toward acknowledging cyber risks as a component of maritime safety. Since there is no system of penalties for non-implementation, compliance is primarily voluntary. Instead of taking genuine steps to mitigate cyber risk, many businesses have embraced simple, checkbox-style methods to appease insurers or classification societies.

The International Maritime Organization (IMO) also released Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3), which include comprehensive best practices for recognizing, evaluating, and controlling cyber hazards in shore-based systems and aboard ships. In addition to recommending practices like crew training, network segmentation, and incident response planning, these guidelines promote the adoption of pre-existing frameworks like the NIST Cybersecurity Framework or the ISO/IEC 27001 standard. Nevertheless, implementation differs greatly among flag states and operators due to the fact that these rules are not legally enforceable and do not have standardized enforcement procedures. This results in regulatory fragmentation and uneven protection levels.

Cybersecurity is not specifically included in the SOLAS Convention, despite the fact that it is more directly related to maritime safety. Resolution MSC.428(98), which added cyber risk to the ISM Code, de facto expands SOLAS’s responsibilities without a formal treaty change. This leads to legal uncertainty over the extent and enforceability of safety regulations pertaining to cyberspace. Additionally, port state control regimes, which are designed to inspect foreign vessels for conformity with international safety requirements, may lack the necessary tools or authority to evaluate cyber readiness. Therefore, even in cases when safety duties theoretically incorporate cyber threats, enforcement is still insufficient and inconsistent.

State accountability under general international law presents another difficulty. The guidelines for identifying governments that have committed globally unlawful conduct are outlined in the Articles on State Responsibility (ARSIWA, 2001) of the International Law Commission. The victim state may be able to use ARSIWA to hold the offender state responsible if a state-sponsored cyberattack damages another state’s ships or maritime infrastructure. Given the inherent issues with attribution in cyberspace, this is challenging in practice. Most frequently, cyberattacks are carried out by non-state actors with state support, anonymized, or routed through several jurisdictions. In the absence of trustworthy proof of origin, intent, or control, legal attribution and the application of international law countermeasures or remedies are exceedingly difficult.

Some legal academics have looked to non-binding documents such as the Tallinn Manual 2.0, which was created by NATO’s Cooperative Cyber Defence Centre of Excellence, for guidance on how international law may be applied to cyber operations. Although the Tallinn Manual examines how sovereignty, due diligence, and self-defense might be applied in the event of a cyberattack, it lacks legal power and does not specifically address maritime situations. Furthermore, it is challenging to put into practice the principles it discusses, such as the duty to prevent malicious cyber operations on one’s territory or the ban against the use of force, especially in situations where there is no legally binding dispute resolution process.

Legal Issue in Maritime Cybersecurity

The lack of legally binding international regulations specifying cybersecurity responsibilities for flag states, shipowners, port authorities, and other marine actors is one of the biggest legal concerns. Cyber threats were not taken into consideration while creating instruments such as UNCLOS and SOLAS, which just offer general obligations pertaining to safety and due diligence. While the IMO’s Resolution MSC.428(98) promotes the incorporation of cyber risk management into the current Safety Management Systems under the ISM Code, it is not legally enforceable and is subject to different country implementation levels. Since some nations and operators take cybersecurity seriously while others view it as a formality, this leads to a patchwork of compliance norms. The inability to enforce uniform, required standards significantly restricts the capacity to hold people responsible for not putting in place sufficient cybersecurity safeguards.

When state-sponsored or state-tolerated actors are engaged, attribution of cyberattacks is a major legal hurdle. A state must be responsible for a wrongdoing in order for it to be held accountable under international law, specifically the Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA, 2001). On the other hand, in cyber operations, attackers frequently employ non-state proxies, conceal their identities, or pass through neutral nations. It is also technically challenging, legally intricate, and politically delicate to demonstrate that a specific state was responsible for a marine cyberattack. Deterrence is weakened by this absence of attribution since nations might behave with plausible deniability or impunity. Moreover, it restricts the victim states’ legitimate responses based on countermeasures or self-defense principles.

Cyber incidents frequently cross national borders, creating uncertainty and jurisdictional disputes. It is difficult to determine which state has the legal right to investigate, prosecute, or seek damages when a vessel registered in one state is attacked by malware hosted on servers in another state while docked in a third. UNCLOS does not map well onto the global and digital nature of cyberattacks, even though flag states have primary authority over their vessels and port states have limited jurisdiction while the ship is in port. Additionally, cross-border cooperation is made more difficult by disparities in national cybercrime legislation and enforcement capabilities. Investigations may be delayed, offenders may avoid punishment, and victims seeking legal recourse may be frustrated by this jurisdictional ambiguity.

A significant legal concern pertains to the standards of liability for private parties, including shipowners, operators, and port authorities. Traditionally, maritime law has imposed obligations on cargo care, safe navigation, and seaworthiness. Therefore, the question now becomes: can a vessel be declared “unseaworthy” or constitute negligence under tort or contract law if cybersecurity safeguards are not implemented? Though courts have not yet established a clear body of precedent on this issue, litigation on this front is probably going to grow in frequency as cyberattacks become more common. Furthermore, the engagement of outside IT contractors or vendors may make responsibility more complex. Is the shipowner responsible for utilizing a software provider that is vulnerable in a supply chain-style assault, for example, or is the supplier fully at fault? Uncertainty and uneven judicial decisions are possible in this area due to the lack of established legal standards.

There are difficulties with cyberattacks in the area of maritime insurance law as well. Broad exclusions under “war risk” or “hostile act” provisions or partial coverage of cyber incidents are features of many typical marine insurance policies. For instance, insurance companies might refuse coverage if a cyberattack is thought to be state-sponsored because it is considered terrorism or an act of war. The attribution of the malware to a nation-state has resulted in high-profile conflicts, such as those that followed the NotPetya attack, where insurance firms declined to pay damages. Shipowners and operators face financial and legal uncertainties due to the lack of clarity surrounding what qualifies as a covered cyber event vs an excluded one, particularly when losses exceed hundreds of millions of dollars. Marine insurance policies’ inconsistent cyber coverage leaves stakeholders vulnerable to significant uninsured liabilities.

Enforcement measures are either nonexistent or very weak, even in cases where cybersecurity standards are in place. International safety and environmental requirements can be checked for conformity by port state control authorities, but they frequently lack the technological know-how or legal authority to evaluate a ship’s cybersecurity readiness. Particularly when it comes to open registries that attract vessels through regulatory leniency, flag states can differ greatly in their ability and inclination to enforce IMO cyber standards. Consequently, the maritime industry lacks a robust oversight system to guarantee the meaningful implementation of cybersecurity requirements, resulting in a compliance gap that compromises the resilience of the industry.

Using the current legal framework to classify cyber events is another new legal concern. Maritime risks have often been described in terms of environmental harm, kinetic military action, or bodily safety. It is debatable whether cyberattacks that interrupt operations, paralyze systems, or reroute vessels without causing direct physical harm should be legally recognized as risks to safety, security, or navigation under agreements like SOLAS or UNCLOS. Legal definitions of “danger,” “force,” and “unseaworthiness” will need to be expanded to include interruptions and digital interference brought on by cyberspace as maritime law develops.

Conclusion and Way forward

As the backbone of international trade, the marine industry is increasingly at risk from complex and destructive cyberattacks. The increasing digitization and interconnectedness of ships and ports makes them appealing targets for state-sponsored entities looking to project strategic influence as well as cybercriminals seeking disruption or ransom. Nonetheless, maritime cybersecurity is still governed by an undeveloped, disjointed, and primarily soft law-based international legal framework. Inconsistent cyber readiness levels, unclear jurisdiction, unclear culpability, and a general lack of accountability within the sector are all consequences of this regulatory void. The fundamental issue is that foundational legal documents such as UNCLOS and SOLAS are out of date and do not sufficiently take into account the realities of the cyber age. Although the International Maritime Organization (IMO) has started crucial discussions about cyber risk with initiatives like Resolution MSC.428(98) and its guiding principles, these measures are not legally binding and do not have uniform enforcement procedures. The scenario is made more difficult by legal concerns about insurance coverage, cross-border jurisdiction, state attribution, and the lack of explicit duties for private sector participants including port operators, software providers, and ship-owners.

Author: Unnati Khandelwal, O.P. Jindal Global Law School.

REFERENCES:

Primary Sources

Legislature:

  • United Nations Convention on the Law of the Sea (adopted 10 December 1982, entered into force 16 November 1994) 1833 UNTS 3 (UNCLOS)
  • International Convention for the Safety of Life at Sea (SOLAS) (adopted 1 November 1974, entered into force 25 May 1980), 1184 UNTS 2
  • IMO, Resolution MSC.428(98): Maritime Cyber Risk Management in Safety Management Systems (adopted 16 June 2017)
  • IMO, Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3, 5 July 2017)
  • International Law Commission (ILC), Draft Articles on Responsibility of States for Internationally Wrongful Acts, with commentaries (2001) UN Doc A/56/10
  • NATO Cooperative Cyber Defence Centre of Excellence, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)

Case Laws:

  • Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (Doubleday 2019) — for NotPetya and Maersk attack
  • ‘Port of Nagoya Hit by Ransomware, Major Shipping Delays Reported’ (The Japan Times, 6 July 2023)
  • ‘Maersk: How a Cyber Attack Could Create a Global Supply Chain Crisis’ (BBC News, 22 August 2017)
  • National Maritime Cyber Security Plan (US White House, December 2020)

Secondary Sources

Reports and journals:

  • BIMCO et al., The Guidelines on Cyber Security Onboard Ships (4th edn, December 2020)
  • Lloyd’s Register and University of Southampton, Cyber Security: The Unknown Threat in Shipping (2015)
  • International Chamber of Shipping (ICS), Cyber Risk Management and Best Practices (2021)
  • Allianz Global Corporate & Specialty, Safety and Shipping Review 2022

Literature Review

  • Henrik Ringbom, Regulating Autonomous Ships: Concepts, Challenges and Precedents (Brill Nijhoff 2019)
  • Jason Chuah, Cyber Risks and International Maritime Law (2020) 26(1) Journal of International Maritime Law 40
  • Tullio Treves, ‘The Law of the Sea Convention and Cyber Operations: An Uncharted Sea’ in Russell Buchan and Nicholas Tsagourias (eds), Research Handbook on International Law and Cyberspace (2nd edn, Edward Elgar 2021)
