MARITIME CYBER RISKS AND THE NEED FOR A PRO-ACTIVE INDIAN CYBERSECURITY STRATEGY

Introduction

Around 80% of the international trade happens by sea.  Among this, around 60% of the trade transits through Asia. As one of the fastest-growing economies in the world, India is rapidly expanding its shipping and port infrastructure.  With 12 major ports and more than 200 minor ports, India is a key maritime player in the Indian Ocean Region (IOR).  The Indian Maritime sector is undergoing a seismic transformation, with the Union government promoting various initiatives to make the industry self-reliant and place India among the top 5 shipbuilding nations by 2047.  But along with opportunities also come risks. The absence of a strategy for responding to maritime cyber risks has emerged as an impending threat to Indian shippers and port authorities. The author contends that while India is investing heavily in infrastructure and external security, comprehensively deterring maritime cyberattacks remains largely unaddressed, mainly in the current Indian security discourses. Therefore, this article examines the impact of maritime cyber risks for India and the world and argues for developing a sector-specific maritime cyber security strategy for a cyber-resilient maritime sector.

The Global Rise of Maritime Cyber Risks

On January 7, 2025, A massive ransomware attack crippled a software supplied by DNV, a major ship classification society.  This attack specifically targeted the ship manager software that was widely used in several ships for their smooth functioning.   In response, the company had to shut down the servers and ensure that the software functions properly.   This is one real-life example of a cyber risk that can occur on a maritime infrastructure.   As there is no legally binding definition of a maritime cyber risk, the explanation given by the International Maritime Organisation (IMO) is of huge relevance.  

According to IMO,

“Maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised”.

Unlike other cyber risks, its maritime counterpart is yet to receive the kind of attention it deserves.  But some States have taken note of this impending concern, with Denmark leading the world in formulating a sector-specific maritime cyber security strategy.

Ransomware as an emerging Maritime cybersecurity threat

A maritime cyber risk involves a major disruption to the shipping sector, one that can potentially impose a huge economic burden on various stakeholders.  Of course, a cyber risk is not one standalone phenomenon, but the consolidation of different types of risks.   The most common risks are ransomware attacks, with more than 1000 ships affected by the ransomware attack on DNV software.   A ransomware attack is one in which hackers lock access to a file or system unless a ransom is paid.

Apart from economic crimes, cyber criminals can exploit the critical infrastructure of a ship or port to inflict massive damage to the hardware or software.   This can be either done by a direct state-sponsored mechanism or by an indirect act of any foreign State.   From a national security perspective, several states are actively engaging in cyberwarfare, and in due course, ships and port operations without an effective cybersecurity system could be easily disabled and brought to a grinding halt.   In 2021, a ransomware attack crippled the port operations at the Port of Nagoya, with the loading and unloading operations effectively brought to a standstill.

An alarming prediction was made in the year 2019 by a research group studying the economic fallout of a maritime ransomware attack.   It was found that the Asia-Pacific region would be the worst affected in the case of a hypothetical cyber strike on 15 major ports in the region. Economically, Asia would suffer 26 billion dollars in economic losses.  Thus, the impact of maritime cyber risks for Asian countries, especially rapidly developing countries like India, poses an all-pervading risk to the shipping sector, with ransomware constituting the major chunk of cyber threats.

International Maritime Organisation (IMO) Resolutions and Guidelines as a Positive Start

Currently, no binding international convention exists to specifically address the issue of Maritime cyberattacks.  However, the IMO have passed a resolution and issued guidelines to address the risk posed by cyber criminals.  Although these soft law instruments exist, there does not seem to be a concerted joint effort from the side of even major maritime traders to address the threat posed by maritime cyber risks.   IMO’s resolution MSC.428(98), adopted in the year 2017, is one of the few existing legal instruments that aim at addressing cyber risks from a holistic angle.   Drafted by the Maritime Safety Committee (MSC), the resolution urges all the relevant stakeholders, including the administration, classification societies, shipowners, ship agents, and port officers, to engage swiftly in guarding the maritime sector from existing and future maritime cyber risks.   The key feature of this resolution is the call given to all the stakeholders to incorporate a dedicated cyber risk management system into the existing International Safety Management Code (ISM).

The IMO guidelines on Maritime Cyber Risk Management, adopted in the same year, are a high-level recommendation from the MSC that explicitly defines cyber risks and provides various guidelines to deal with maritime cyber risks. These guidelines provide a uniform standard or best practices for States to equip their maritime infrastructure with a dedicated cyber risk management system. Apart from defining cyber risks, the guidelines also focus on cyber risk management and emphasise the adoption of cyber-resilient systems to effectively thwart cyber threats. Thus, looking at the bigger picture, it can be argued that the IMO resolution and guidelines can be considered as the first major step in drafting a standalone convention on maritime cyber risks. Another positive signal is the adoption of the United Nations Convention against Cyber Crimes.   This 2024 UN Convention is the first global multilateral convention addressing specifically the issue of cybercrimes.   Thus, with the support of the IMO regulations, guidelines and the UN Cybercrimes conventions, States like India can look at these models for guidance in proactively building an effective maritime cybersecurity infrastructure.

The Need for a Comprehensive Indian Maritime Cybersecurity Strategy

Like many other countries, India is also not immune to the innovative and destructive threats posed by cyber criminals.   With a large population now having access to the internet, cyber threats will exponentially increase over the next decade. According to a report published by the cyber intelligence firm CloudSEK in 2024, India was the second most targeted nation in terms of cyberattacks in the world. By 2047, when the country becomes 100 years old, cyberattacks are projected to rise to 17 trillion. For the Indian maritime sector, these statistics present an urgent reality check. In 2022, one of the terminals of the Jawaharlal Nehru Port Trust (JNPT) was immobilised due to a massive cyberattack. If these attacks are not properly addressed from a holistic approach, hacktivists, state-sponsored, and non-state cyber actors will find India’s weak maritime cybersecurity framework an easy entry for massive exploitation.

The Way Forward for the Indian Maritime Sector

It is predicted that in the future India will face a barrage of hacktivist attacks targeting critical infrastructure like defence, health and education sectors.   As maritime cyber risks have made an entrance on the global stage, India must be proactively on guard to thwart potential breaches of maritime security systems.  In the current fuming geo-political context, maritime cyber threats have the capability of exacerbating the already contentious maritime zones in the world.   At present, India’s maritime cybersecurity strategy is reactive and not proactive.  The Maritime Amrit Kaal vision of 2047 clearly envisions India as a global maritime powerhouse by 2047.   With the Government rapidly promoting digitisation, integration and automation in the shipping sector, it is high time India leverages the best practices of the IMO and develops comprehensive guidelines for managing cybersecurity systems on ships and ports.  The Indian-Middle East-Europe Economic Corridor (IMEC) is yet another grand multi-modal infrastructure project that India aims at a holistic integration of land and sea networks for a smooth trading experience.   But in the absence of a sector-specific maritime cyber security framework, these projects will be an easy prey for cyber criminals and terrorists, especially those who coordinate cyberattacks with geo-political fault lines. The recent satellite jamming incidents that led to the collision of two tankers in the highly volatile zone near the Strait of Hormuz reinforce the need for States like India to invest in resilient cyber risk management systems.  Further, a close integration with the private, public and military shipping sector is essential in India for formulating a centralised and proactive strategy for a resilient maritime cybersecurity framework.