Addressing State-Linked Cyber Threats to Critical Maritime Port Infrastructure

As part of your healthy summer reading, have you also gone through the CCDCOE paper, “Addressing State-Linked Cyber Threats to Critical Maritime Port Infrastructure”?

No?

Then let me offer a brief personal reflection on and around the topic of port cybersecurity.

In this fine month of July 2025, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) published a Policy Brief entitled “Addressing State-Linked Cyber Threats to Critical Maritime Port Infrastructure”.

In this article, I would like to offer a short personal analysis.

As a preliminary remark, a useful reminder: there is no such thing as a “generic” port, just as there is no such thing as a “generic” ship. Every port is different, whether we are talking about digital matters or not. This is even more true given that countries themselves have different levels of maturity and different organizational models. I am therefore always very cautious, and sometimes even uncomfortable, when discussing the “cybersecurity level of ports” and drawing overly broad conclusions from such a generic notion.

That being said…

One for all, or not?

Let us perhaps start with the title of the brief, whose wording is interesting in itself. Quite logically, NATO focuses this paper on so-called “state” or “pseudo-state” (that is, state-linked) threats. As we have already discussed, the usual segmentation of risk sources (or threat sources, for those nostalgic for the older terminology) into three categories, state, cybercriminal and hacktivist, which we often used and still use, is somewhat blurred here, at least in the framing of the paper, probably in order to align with the complex geopolitical context we are experiencing.

Indeed, if the CCDCOE is primarily interested in state-linked threats, it is for good reason: by nature, such threats are more covert, harder to detect, and potentially more destructive. And being able to attribute them to a state is, from an analytical standpoint, “interesting.” That said, further in the brief, cybercriminal and hacktivist threat sources are also mentioned, which is reassuring.

Threat overviews are useful reading, but they must always be handled with care

A few points are worth noting here (page 3 of the document):

  • However good they may be, and regardless of who publishes them, threat overviews generally rely on the same sources, mostly open ones. Their accounting methods (the scope considered and the way incidents are counted) and their analytical framing may differ, but they are still looking at almost the same events. To do better, they would need additional inputs: effective field-level sensors, or privileged information. One must therefore remain mindful of the risk of interpretive bias in the analyses and conclusions drawn from these overviews, however useful they may be. We probably have not seen everything. Recent claims of attacks against actors in the naval defense industrial and technological base, on which I have deliberately chosen not to comment, are one example: influence operations may well multiply, and they will consume cyber analytical resources in the process. At some point, we will need to think differently, and perhaps more creatively, both to understand the threat and to defend against it;
  • Some threat sources pursue political goals, or at least partisan ones, and state attacks are usually identified only long after the fact, if they are identified at all. At the same time, a ransomware attack could just as well disable a poorly secured port. The theft of credentials through an infostealer or a simple phishing campaign, which might initially be categorized as criminal activity, can also be an early signal of a more sophisticated future attack if the target is of interest: stolen credentials are routinely resold, so the actor who eventually uses them may be far more capable than the one who harvested them. We should therefore be careful not to dismiss “small” attacks as insignificant, since they may be precursors, while focusing only on state threats. Deliberately limiting analysis to one type of threat while ignoring the others would be a mistake. This is also why I remain committed to producing threat analyses and to integrating dynamic sector-specific incident data alongside traditional risk analysis;
  • As for the figures, according to my own calculations (necessarily rigorous, I do have a PhD ;-) ), the group mentioned in Figure 1 of the brief claimed 112 victims in the maritime sector in 2024, representing a total claimed equivalent of 344 continuous days of DDoS attacks against the sector, 56% of which targeted port infrastructure. In reality, many of these attacks did not work, or only worked once. That is the difference between paying attention to the publicity generated by claims and looking at the operational reality and impact of an attack. Who is influencing whom?

Overall, if one looks at recent years and at publicly reported incidents (see, in particular, https://www.m-cert.fr/admiral), cybercriminal and hacktivist threats have hit ports quite hard. The anti-NATO hacktivist group mentioned in the brief, recently declared defunct (or perhaps not), has done much to dominate the cyber media narrative around ports, and the anxiety that comes with it. Cybercriminal actors have also frequently targeted ports and, more broadly, the logistics sector. A port is also an ecosystem, and a very large one. Focusing only on the port operator itself is therefore convenient because it is simple, but necessarily limiting. Is it not time to move from the stage of “look, yet another vulnerable port got hit” to “securing an entire port ecosystem, much like the defense industrial base, is genuinely difficult”?

So even if the sophistication and resources of the adversary vary, when one secures a port against a “state” or “pseudo-state” threat, one must do so against a broader set of threats and TTPs. This is all the more true because defending against only one category of threat rarely makes sense in practical protection terms, while, conversely, a single well-chosen security measure (phishing-resistant authentication on remote access, or strict segmentation between office IT and operational systems, for instance) can cut off attack paths for several kinds of actors at once.

To avoid making this article too long, let us also recall the risks associated with insider threats and the digital dependencies ports have on third parties such as software suppliers, hosting providers, and service companies. A few years ago, I remember mapping the external dependencies of a single port application: there were 40 of them. It is a pity that this aspect is not discussed more often.

Standards, regulations, legislation, and good practices

Faced with a protean threat — there, I used the word — operating through hybrid actions — there, I used that one too — and with the arrival of new tools for attackers such as AI — yes, that one too — as well as post-quantum risks — and that one as well — it must be said that defenders, myself included, are not short of documentary ideas to solve everything.

If we put ourselves today in the position of a port CISO — let us take the case of France, in Europe — that person sits at the crossroads of a rather impressive number of documents and authorities issuing requirements, guidance, or recommendations. I will mention only a few here, sparing you the NIST framework, the USCG regulations, and the ISO and IEC standards, among others:

  • The regulations issued by the IMO, notably the ISPS Code, which has historically required that digital risks be integrated into PFSAs (Port Facility Security Assessments). One could probably criticize the IMO for a certain lack of ambition and precision in cybersecurity matters (cf. MSC.428(98) and MSC.FAL1 Circ3 Rev. 3, among others, regarding the scope concerned), but is it really the IMO’s role to go into the detailed cyber technological or operational measures to be implemented in a port? Conversely, if it does not, what happens to consistency and fair competition at a global, NATO, or even just European level?
  • The work carried out by professional associations and organizations: one may think, for example, of the IAPH, which published the IAPH Cybersecurity Guidelines for Ports and Port Facilities as early as 2021.
  • At the European level, beyond NIS (v1, v2) and related texts, one can notably mention Regulation (EC) No 725/2004 on enhancing ship and port facility security, as well as ENISA’s good practice guide on port cybersecurity.
  • At the French level, one may refer to the implementing decree of the Military Programming Law (LPM) applicable to Operators of Vital Importance (OIV) in the maritime sector, the “Ports cybersécurisés” guide issued by the Direction Générale des Infrastructures, des Transports et de la Mobilité (DGITM), or II 230.

Is this too much? Too little? What does the port CISO think of all these documents, given the resources actually available? Everyone will have their own view. In any case, it would be difficult to say that there is “nothing.” Of course, one must distinguish what is regulatory from what is not. But does this not rather suggest that our duty, in supporting these actors, should perhaps lie somewhere other than in yet another document, even if regulatory in nature?

And as for the CISO, when such a role actually exists, are they really given the means to meet all these requirements? What is their workload? What difficulties are they facing?

Recommendations

Returning to the brief itself, here are the three main recommendations put forward by the CCDCOE:

  • to integrate cybersecurity as a fundamental component in the revision of NATO’s maritime strategy, whose last version dates back to… 2011, and to engage in dialogue, or even establish a protocol, for NATO involvement in significant cyber incidents, notably by making greater use of liaison officers from different countries and by incorporating port cybersecurity scenarios into NATO exercises;
  • to establish structured information-sharing networks. I must admit I am somewhat disappointed that the pioneering work carried out by France Cyber Maritime is not mentioned;
  • to develop maritime cybersecurity working groups under the auspices of the IMO, in order to build maritime-specific security standards, notably by developing sector-specific implementations of frameworks such as those of NIST, or of NIS2.

Conclusions

Should we already be preparing for a future sector-specific extension, while NIS2 has still not been transposed in all EU Member States, let alone fully implemented, and even though many good practices and other documents resulting from lengthy working groups have already been produced? When one sees how difficult national transposition of the directive already is, just imagine the work required if we move down to the sector level. Then again, since ships fall outside the scope of NIS2, the perimeter and complexity would at least be somewhat reduced. In any case, I have never heard of such a sector-specific implementation of NIS2.

How should we take into account competitive dynamics between ports, differences in legal status, financial and human resources, and varying levels of digital exposure, especially in the context of international information sharing? Cybersecurity has a cost. Certainly, it strengthens the operations and value of the port that invests in it, but can we really assume that all ports start on an equal footing?

In the geopolitical context we are facing, how can we ensure effective coordination among the many actors working in support of ports: national agencies, sectoral and regional CERTs, professional associations, international agencies, national and European administrations and directorates, private companies, national military support, or NATO support?

Even in the age of AI, I fortunately do not have an answer to everything, but I will put forward two concrete proposals:

  • we are still running after the adversary, and we are often at least one step behind. In that case, would it not be better to focus on a regulatory requirement for the resilience of core port operations rather than on compliance with a long list of overlapping, and sometimes incompatible, requirements? For example: require formal evidence that port operations are resilient against a set of tailored, regularly updated strategic scenarios. In other words, an obligation to demonstrate operational outcomes rather than hypothetical total compliance;
  • save the time spent in yet more working groups and redirect the time and money saved, on the one hand, toward analyzing what already exists and building compatibility matrices between existing regulations, standards, and good practices, and, on the other hand, toward the operational resilience of ports and its evaluation.

My 2 cents, as our English-speaking colleagues would say.

And you, what is your view? Other challenges? Do you agree or disagree?