Ports at risk from outdated policy and lack of ‘dedicated strategic attention’ to cyber threats, NATO report warns
Blurred lines of responsibility and policy that hasn’t kept up with the threat environment have put global ports under increased risk as the sector comes under “unprecedented cybersecurity threats from state-linked actors,” a new NATO report says.
The Cooperative Cyber Defence Centre of Excellence policy brief underscores that the current NATO Alliance Maritime Strategy, a 2011 document that analysts have called sorely outdated, lacks formalized frameworks “for engagement with commercial port operators, despite their critical role in maritime security and NATO logistics operations.”
“Maritime port cybersecurity requires immediate policy intervention to establish sector-specific intelligence sharing networks, coordination mechanisms, and resilience standards,” the report says, highlighting the fact that integrated and interconnected information and communication technology (ICT) and operational technology (OT) “underpin all land and sea-based maritime operations.” Many ports operate with legacy OT systems that were not originally designed for internet connectivity, and modernization efforts have introduced “significant vulnerabilities and new threat vectors.”
The consequences of poor network segmentation were seen in the 2017 NotPetya attack, in which malware spread rapidly across ICT and OT domains and caused cascading effects through Maersk and major ports.
“NotPetya demonstrates that even if maritime infrastructure is not the original intended target, the spillover effect becomes inevitable due to increased connectivity,” the CCDCOE brief continues. “As such, critical maritime infrastructure cannot afford to lag behind in cybersecurity, as threats are capable of impacting even unintended targets. Therefore, considering that maritime infrastructure is crucial from a financial and military perspective, it is a magnet for all types of malicious cyber attacks.”
The threats and actors targeting port facilities “are remarkably consistent regardless of geographical location, and the tactics, techniques, and procedures (TTPs) are the same if not identical across Europe, the Americas, and the Asia Pacific regions.” The top maritime facility attacks reported by member nations are DDoS attacks, data breaches, phishing or malware delivery, and ransomware. The Nordic Maritime Cyber Resilience Centre (NORMA Cyber) puts the number of maritime organizations hit by ransomware in 2024 at 45, though the true figure is estimated to be much higher.
According to NORMA Cyber, Russia’s APT28, or Fancy Bear, has targeted maritime organizations, logistics providers and air traffic control systems in at least 11 countries. Iran-linked groups have targeted ports in Israel, Egypt and the broader Eastern Mediterranean. And a 2024 malware campaign by state-sponsored ArcaneDoor “spread across coastal facilities in numerous countries that were identified as strategically important to China,” while China-linked actor Mustang Panda has been targeting maritime transportation companies.
CCDCOE calls NoName057, the pro-Russian group of politically motivated hackers, “one of the most prominent groups threatening maritime infrastructure.” In 2023 and 2024, DDoS attacks attributed to NoName057 hit ports in Canada, Poland, Germany, Sweden, Latvia, Italy, the Netherlands, Croatia, Greece, Finland and Spain. Several critical port facilities across Western Europe have been targeted, according to the group’s public Telegram channel. A close ally of NoName057, the Cyber Army of Russia, was reportedly responsible for 2024 DDoS attacks on the UK’s Port of Felixstowe and Port of Tyne.
The report calls for policy gaps to be filled so that ports can be adequately defended in this hybrid threat landscape. That includes expanding the dated NATO Alliance Maritime Strategy and giving “dedicated strategic attention to port cybersecurity within NATO’s broader maritime posture,” as well as addressing port operators and maritime facilities that may not have adequate cybersecurity resources, leadership or expertise. When asked to assess their current cybersecurity risk level, most respondents to a CCDCOE survey of port operators “classified it as moderate, indicating awareness of risk elements present.”
“Current cybersecurity frameworks, while comprehensive, face implementation challenges specific to the maritime environment,” the report adds. “The International Ship and Port Facility Security Code focuses primarily on the physical security of ports and vessels, providing guidance on planning and assessing security at ships and ports, but lacks comprehensive cybersecurity provisions. The International Association of Ports and Harbors Cybersecurity Guidelines offer cybersecurity guidance on identifying and assessing port risks during operations, yet implementation remains inconsistent across different jurisdictions and port authorities.”
In addition to revising the NATO Alliance Maritime Strategy, CCDCOE recommends developing and activating a formal threat intelligence-sharing platform specifically for maritime cyber threats and establishing a dedicated liaison role between NATO Maritime Command (MARCOM) and national port cybersecurity authorities along with coordination mechanisms. Government and industry should also align within international working groups to “focus on developing practical guidance for implementing existing cybersecurity frameworks in maritime environments, addressing the specific challenges of OT and IT convergence in port operations.”
China’s Volt Typhoon pre-positioning campaign against U.S. critical infrastructure should serve as a warning to the maritime sector that “more destructive measures are anticipated to target critical infrastructure,” the report warns. “A comprehensive transformation of maritime cybersecurity governance is not just recommended, but essential for preserving Allied maritime operational capacity.”