Published in cybersecurity, all | 4 minutes reading time

How to handle maritime cyber attacks

Stay up to date!

* By subscribing to the latest news from our blog, you consent to us storing your email address, and sending you monthly emails. You can, at any time, retract this consent.

Fortunately, not every cyber incident in the maritime industry unfolds on such a massive scale as 2017's NotPetya malware outbreak, which wreaked havoc on Maersk, the biggest cargo shipping company in the world.

Cyber attacks don’t have to be devastating to cause major disruptions, though. Experiences in shipping and other sectors have shown that successful cyber attacks might result in a significant loss of services. In some cases, even safety is compromised.

When you’re on the receiving end of a cyber attack, whether on board one of your ships at sea or within your organisation, all bets are off. How big is the attack? Is it targeting our company specifically, or is it randomly distributed? What data and systems are affected? How can we stop it?

Your team will be facing a high-pressure scenario fraught with unknowns and a frenzy of activity. Having a comprehensive, pre-planned incident response plan in place will help you effectively respond to and recover from the incident.

Below are 5 incident response steps you should take during a cyber attack on one of your vessels.


Efficient incident response


1. Establish your response team

Resuming normal ship operations is the number one priority. Assemble a team to restore the IT and/or OT systems. The response team, which may include a combination of onboard and shore-based personnel and external experts, should be capable of performing all aspects of the response.


2. Perform initial assessment

To make sure you respond to the cyber incident the right way, your response team should find out:

  • how the incident occurred
  • which IT and/or OT systems were affected and how
  • the extent to which the commercial and/or operational data is affected
  • to what extent any threat to IT and OT remains
  • what and how to preserve as evidence of the incident, for later investigation

Read more: How machine learning can prevent cyber attacks


3. Recover systems and data

The next step is to restore IT and OT to an operational state. Working step by step through a recovery plan, your team should take the necessary steps to remove threats from the system and restore software. The recovery plan should:

  • be available in hard copy on board and ashore
  • prioritise the operation and navigation of the ship
  • be understood by personnel responsible for cybersecurity
  • outline where you can get expert assistance from ashore if needed

Bear in mind that recovery actions such as wiping drives may destruct evidence that could provide valuable information on the causes of the incident.


4. Investigate the incident

To understand the causes and consequences of the cyber incident, you should launch a detailed investigation, preferably with support from an external expert. Such an examination can help you understand how a vulnerability was exploited, and what technical and procedural protection measures you need to take on board and ashore to prevent it from happening again. Moreover, the investigation may help the wider maritime industry better understand potential cyber risks.


5. Prevent a recurrence

If your post-incident investigation uncovers flaws in your technical and/or procedural protection measures, you should implement appropriate changes. Review lessons learned, fix security vulnerabilities, and train your crew on how to recognise when there might have been a security breach.

Make sure you update your recovery plan to reflect all of these preventive measures.


Cybersecurity exercises

In order to help keep your response capability up to par, you should carry out regular cybersecurity exercises. These could be inspired by real-life events and can be simulations of large-scale incidents that escalate to become full-blown cyber crises.

Executing security drills regularly helps you understand sophisticated breaches and cyber threats as well as address business continuity and crisis management.

Read more: The key to best practice cybersecurity



Your organisation should establish and battle-test an incident response plan before a significant attack or data breach occurs. Detection and protection are important – but just as important is ensuring your recovery procedures are watertight.

Webinar: Cybersecurity in the face of upcoming demands

How to handle maritime cyber attacks
Written by Walter Hannemann, Product Manager

Walter Hannemann started his career in a computer factory product development laboratory in 1983, while taking his education in Electronics and Information Systems. Since then, his jobs have involved software architecture and development, infrastructure design and overall IT management, in both large enterprises and startups. With a passion for “making things work”, shipping applications and all digital things onboard ships became his interest after joining Maersk in 2008. Managing IT in large companies like Maersk Tankers and Torm has given him insider’s knowledge in the shipping industry and enticed his entrepreneurship to help moving the industry into the digital future. Based in Copenhagen as Product Manager for Dualog, Walter enjoys finding solutions for big (and small) problems while keeping the overview and a forward-looking approach, with deep dives in technical subjects when necessary – or possible.

Related blog posts