Blog November 27, 2025

Why cyber resilience is more critical than ever in the maritime industry

Andrew Winters, EVP of MDR

From navigating hostile weather to safeguarding crew and cargo, resilience is embedded into every operational decision in the maritime industry. Today, however, a new and less visible threat is reshaping what resilience means at sea: cyber risk.

Digital transformation is providing great value through satellite navigation, automation, real-time fleet management and integrated logistics. But this connectivity has also expanded the attack surface. In the first half of 2024 alone, more than 1,800 vessels were targeted by cyberattacks, according to Marpoint industry analysis. This confirms that cyber threats are a critical operational concern.

By mid-2025, brute force (27%), vulnerability scanning (22%) and IoC detections (20%) dominated the global threat landscape, according to Obrela’s latest Digital Universe Report. Yet in shipping, malware accounted for 62% of incidents – a rise that highlights significant gaps in maritime endpoint protection.

Long-term cyber infiltration

Nation-state groups such as UNC5174, Hafnium, Mustang Panda, APT29 and APT44 are intensifying campaigns, while ransomware actors like Qilin and Akira have expanded operations. These adversaries increasingly leverage zero-day exploits, stealthy persistence and supply chain infiltration, tactics that place maritime operators at heightened risk. They prioritise stealth over speed, embedding malware inside networks for months or even years while quietly observing vessel operations and logistics flows.

The challenge is magnified because of the interconnected nature of shipping. From onboard OT systems to port infrastructure, maintenance contractors, software vendors and logistics platforms, maritime operations depend on a large and complex digital supply chain. A single compromised third party can introduce malware capable of affecting entire fleets.

Obrela’s threat intelligence teams consistently observe that many of today’s most serious maritime breaches originate not from vessels directly, but from the wider supply chain that supports them.

Why maritime cyber risk is so complex

Maritime environments combine legacy technology, constrained satellite connectivity, highly mobile assets and often limited onboard cyber expertise. Many shipboard systems were not designed to defend against hostile cyber environments. Patching is slow, segmentation is often limited and operational availability always takes priority.

At the same time, regulatory scrutiny is increasing. IMO 2021, IACS UR E26/E27 and the EU’s NIS2 Directive now require demonstrable cyber governance, response readiness and resilience assurance across fleets and shore operations.

Despite updated IMO guidelines and new mandates under IACS UR E26/E27 and NIS2, many fleets still struggle to operationalize cyber risk management, leaving a gap between compliance expectations and real-world resilience.

At Obrela, this is where we see the greatest risk emerging: cyber security programmes that exist on paper but fail to deliver real-time detection, response and operational protection in live maritime conditions.

Malware, the human factor and AI acceleration

While malware dominates the technical threat landscape, people remain a critical part of the risk equation. Obrela’s report highlights that insider activity is a persistent risk across industries, with rates ranging from 24% to 37%. Maritime operations face similar exposure, where crews, contractors and port personnel often operate under high pressure with varying levels of cyber awareness.

At the same time, adversaries are increasingly leveraging artificial intelligence to automate reconnaissance, evade traditional detection tools and convincingly impersonate legitimate users. These AI-powered attacks are evolving faster than many vessel environments can currently adapt.

Obrela addresses this challenge through a fusion of continuous human-led threat hunting, automation and AI-enhanced detection within its Managed Detection and Response (MDR) framework. This allows emerging malware behaviour, insider misuse and AI-driven attack patterns to be identified and contained before they escalate into operational disruption.

Why MDR is mission-critical at sea

Traditional Security Operations Centres were never designed for satellite-dependent vessels, intermittent connectivity or operational technology environments. Maritime operators need a security model that reflects the realities of operating at sea. This is why MDR has become a foundational cyber capability for modern fleets.

Obrela’s MDR for Vessels delivers continuous visibility across both IT and OT environments, real-time analyst-led response and secure remote access that enables immediate shoreside support during live incidents. This allows cyber incidents to be investigated, contained and neutralised even when bandwidth is limited and onboard technical expertise is constrained.

Obrela’s MDR framework achieves an average response time of 11.2 minutes for critical incidents through the fusion of global threat intelligence, security automation and dedicated expert teams. In maritime environments, where delays turn rapidly into operational and safety risks, this speed of response is a protective advantage.

The real-world consequences of inadequate detection are already clear. In 2023, the Rhysida ransomware group targeted MarineMax, exfiltrating sensitive financial data and demanding nearly $1 million in ransom. Operations were disrupted and reputational damage was immediate. With MDR in place, early detection and rapid containment could have significantly reduced both financial and operational impact.

What makes a maritime-ready MDR solution different

Not all MDR services are suited to maritime operations. Obrela’s MDR for Vessels is purpose-built to operate within the constraints of satellite communications and hybrid IT/OT ship environments. It offers out-of-the-box integration with leading OT monitoring platforms such as Dragos, Nozomi and Microsoft Defender for IoT, delivering unified threat visibility across traditionally isolated environments.

Equally critical is maritime-specific threat intelligence. Obrela continuously monitors adversary behaviour across shipping lanes, ports and logistics corridors, enriching detection with context that generic IT security platforms simply cannot provide. This ensures that alerts are prioritised based on real maritime operational risk, not abstract IT severity scores.

Cyber resilience is a strategic advantage

Cyber incidents now rank among the top five operational risks to global shipping. The impact is no longer limited to data loss. Voyages are disrupted, cargo is delayed, compliance is compromised and trust is eroded with regulators, charterers and insurers.

Operators that can demonstrate continuous cyber monitoring, rapid response and validated resilience now have a measurable competitive advantage.

The maritime industry has always understood that preparation is essential for survival. Redundancy, drills, foresight and discipline have kept vessels safe through generations of physical risk. That same philosophy must now define cyber strategy.

Cyber security must be rehearsed, measured and continuously improved. It must extend across vessels, shore teams, suppliers and port ecosystems. And it must be supported by intelligence, automation and expert human response operating around the clock.

With Obrela’s MDR for Vessels, maritime operators gain the real-time visibility, intelligence and response capability required to navigate both the physical and digital seas with confidence.