NORMA Cyber 2026 Report: a maritime threat that is primarily geopolitical, more hybrid than spectacular

The latest NORMA Cyber annual report has the merit of placing maritime cybersecurity back where it now truly operates: in a space saturated with geopolitical tensions, logistical interdependencies, and blurred boundaries between cyber, physical, and informational domains. Its main outlook for 2026 (for those who still believe in cyber crystal balls) is that the structuring risk is not so much the “big” destructive attack as the accumulation of intelligence operations, opportunistic disruptions, and hybrid effects on already strained logistical and operational chains. In that sense, it is a less alarmist report than it may appear at first glance, and that is probably its main strength.

The core message can be summarized briefly: NORMA Cyber once again places espionage at the top of its concerns, with a clear focus on Russia, China, and, to a lesser extent for Nordic actors, Iran. The report also highlights the normalization of low-intensity disruptive attacks, especially distributed denial-of-service, the rise of GNSS interference as a concrete operational issue (even if cases in the Baltic or the High North are not new), and the persistence of highly industrialized cybercrime, centered on identity theft or impersonation, phishing, and ransomware. By contrast, outright destructive operations are still considered unlikely for the commercial fleet as a whole, which remains a relatively measured assessment.

A few figures help give texture to the picture. In 2025, NORMA Cyber recorded 182 distributed denial-of-service attacks attributed to the DDoSia ecosystem of NoName057(16), including 138 targeting ports or port entities. It reports being aware of 60 ransomware attacks in the global maritime sector and having notified 77 companies compromised through multi-factor authentication bypasses. On the technical side, it identified 1,122 vulnerabilities affecting maritime operational technologies. These are less indicators of rupture than markers of density: the sector is continuously targeted, or at least persistently “worked” across multiple layers by a wide range of actors (and likely motivated ones).

The most interesting aspect of the report, in my view, lies elsewhere. It is in the idea that maritime cyber is becoming less and less a purely IT matter (although you are probably already convinced of that if you are reading this). NORMA Cyber convincingly describes the convergence between digital intrusion, physical surveillance, exposure of peripheral equipment, supplier dependencies, and exploitation of the geopolitical context. IP cameras around logistics nodes, edge equipment, satellite services ashore, terminals, technical documentation from equipment manufacturers: all of this sometimes matters as much as onboard networks themselves. The report is particularly convincing when it shows that, for a state actor, the value of maritime systems lies less in spectacular ship disruption scenarios than in obtaining a detailed picture of flows, port calls, cargoes, and logistical dependencies, possibly through prepositioning.

The section on GNSS interference is probably the most concrete. NORMA Cyber does not describe a theoretical risk but an already operational phenomenon, with pressure zones identified in the Baltic Sea, the Barents Sea, the Red Sea, and the Gulf. More importantly, the report highlights a qualitative shift: we are no longer only dealing with simple jamming, but with hybrid patterns combining jamming and spoofing across multiple constellations. This matters because it shifts the issue from navigational comfort to operational continuity. The increase reported by the Swedish administration, from 55 incidents in 2023 to 733 in 2025, is telling in that regard. As always, however, such figures should be handled with caution.

Where I am somewhat more cautious is on the topic of the “insider threat”. NORMA Cyber devotes several pages to this theme, mainly illustrated by the discovery, in December 2025, of a Raspberry Pi Zero equipped with a cellular modem, physically connected to the office network of a passenger vessel (we discussed this case here). The case is interesting, serious, and clearly deserves attention. But the analytical leap from this case to the idea of a general intensification of insider threats feels somewhat rushed, or at least insufficiently substantiated. The argument essentially relies on this case and then on extrapolation: because a tactic has been observed and publicized, it becomes more likely. This is not unreasonable, but it remains a weak signal rather than a demonstrated shift.

Above all, this type of threat is nothing new in the maritime sector. The report itself recalls that actors linked to China continue to use infected USB drives as an initial access vector, including to cross segmented environments. In other words, the exploitation of physical access, human behavior, and peripheral hardware has long been part of the espionage toolkit. The judicial takedown led by the U.S. Department of Justice in January 2025 around the PlugX malware is a useful reminder: this family, attributed to actors supported by Beijing, was widely distributed via infected USB devices and has been used since at least 2014 against governments and companies in Europe, Asia, and the United States (official statement). The novelty, therefore, is not the existence of a “human + hardware” vector. At best, it is its increased visibility in publicly documented maritime environments.

Another useful precedent is Antwerp. It is often remembered as a narcotrafficking case, but it sheds considerable light on the issue. Europol had already documented the use of hackers by criminal networks to infiltrate port systems and track containers, combining digital compromises, physical access, and human complicity in a revealing way (Europol SOCTA report). In more recent reporting, Europol also explains that the infiltration of European ports by organized crime relies on the corruption of personnel, access to information systems, and the appropriation of logistics codes, particularly in Antwerp and Rotterdam. But I think all serious cybersecurity assessment frameworks (hence, all serious cybersecurity consultants :-) ) take the insider risk into account, whether intentional or accidental. And mitigation solutions exist. In other words, the boundary between “insider threat”, “compromised subcontractor”, “logistics facilitator” and “cybercrime” has long been porous in port environments.

This is where the NORMA Cyber report benefits from being read with some distance. It is not wrong on substance: physical access remains highly effective, especially when it bypasses traditional network controls. But it somewhat overstates the novelty effect. Maritime environments have long experienced forms of intrusion involving subcontractors, maintenance personnel, temporary equipment, service laptops, USB drives, persistent remote access, and corrupted logistics actors. The real issue is therefore not the sudden emergence of insider threats. The real issue is that they are becoming better documented, cheaper to implement, and more easily combined with espionage, organized crime, or hybrid prepositioning objectives.

Beyond that, the report is fairly accurate in emphasizing industrial supply chain dependencies. The most underestimated aspect may not be insider threats, but the exposure of equipment manufacturers, integrators, and service providers (the so-called supply chain). NORMA Cyber notes that leaks of technical documentation, source code, and functional schematics affected several actors in 2025. This is a highly relevant angle: in the maritime domain, understanding a system is already close to intrusion. The compromise of an Iranian satellite connectivity provider, illustrated by the case of VSAT systems on sanctioned vessels, also shows how a single point ashore can create a fleet-wide effect. It is not spectacular, but it is structurally significant.

Overall, the tone of the report remains, fortunately, more constructive than alarmist. NORMA Cyber highlights increasing sector maturity, stronger involvement from executive management, the driving effect of new regulatory requirements, and the value of sectoral information sharing. This is an important aspect to retain. In focusing on threats, one can easily forget that the normalization of maritime cybersecurity is already underway. The sector is now examining its vulnerabilities with greater method.

Ultimately, this report deserves to be read for what it actually shows. It does not suggest that the maritime sector is on the verge of a cyber-apocalyptic tipping point. It says something more useful: the maritime threat is becoming increasingly hybrid, granular, and embedded in geopolitical realities. Espionage matters more than visible sabotage. Modest but repeated disruptions often matter more than extreme scenarios. And the “insider threat” must be taken seriously, not because it is new, but because it remains a long-standing constant in the sector, now better documented and easier to industrialize. It allows for vigilance without drifting into dramatization.