When video of the 984' containership Dali slamming into Baltimore’s Francis Scott Key Bridge burst onto television screens, many mariners and shipping executives had a common first reaction: Was it a cyberattack?
The March 26, 2024, allision at 1:28 a.m. was preceded by the ship’s lights flickering and going out twice before the impact, recorded on Vessel Traffic Service cameras. Then came the urgent warnings from pilots and police stopping traffic on the span. It was too late to save six construction workers repairing potholes on the bridge deck, and the flashing yellow lights on their trucks descending into the Patapsco River were captured in the video.
Amid a $100 million cleanup and recovery effort, National Transportation Safety Board investigators came to focus on a low-tech culprit in the disaster: A loose cable in the Dali’s electrical system that contributed to a total power failure as the ship approached the bridge.
The 11-week shutdown of Baltimore’s main ship channel was a stunning illustration of port vulnerabilities. Cybersecurity had already been demanding the attention of port operators and the Coast Guard. The idea of hackers remotely commandeering a ship to use it as a weapon is now considered a threat.
In February, the Government Accountability Office (GAO) issued a report on Coast Guard efforts, titled “Additional Efforts Needed to Address Cybersecurity Risks to the Maritime Transportation System.”
GAO auditors found the “greatest cyber threats” to the U.S. maritime transportation system are posed by China, Iran, North Korea, Russia, and international criminal groups. Those adversaries can target port facilities and vessels that increasingly rely on technology and systems that are vulnerable to cyberattacks.
Cyber incidents have already affected U.S. port operations, according to federal officials and other sources interviewed by GAO auditors, “and the potential impacts of future incidents could be severe.”
The GAO report cited U.S. cybersecurity incidents that Coast Guard officials say disrupted operations at port facilities.
In a June 2017 incident, Russian military intelligence conducted worldwide attacks using NotPetya malware, which included international containership operator A.P. Møller-Maersk among the targets.
“Once NotPetya infected a machine, it was capable of automatically spreading through a network and infecting other machines,” according to the GAO. “The attack began in Ukraine and spread and infected organizations across the globe — including Maersk. As a result of the attack, computers throughout Maersk were shut down, bringing port operations (including U.S. operations) to a halt and leaving ships idle at sea. According to Maersk, the incident cost the company approximately $250 to $300 million.”
In December 2019, the Coast Guard reported a ransomware attack on an unnamed port facility’s network, believed to have started when a perpetrator gained access through a phishing email containing a malicious link.
When clicked by the recipient, the link delivered ransomware into the facility network, which encrypted critical files and disrupted “the entire corporate IT network,” the report noted. “Additionally, the malware compromised OT” — operational technology — “systems that monitor and control cargo transfer and disrupted camera and physical access control systems, which led to a 30-hour shutdown of primary operations.”
Since those incidents, many more ransomware assaults have targeted port operators. In August 2024, the Port of Seattle was hit by the Rhysida ransomware group, which gained access to numerous systems, including those for the Seattle-Tacoma International Airport.
Despite the disruption, port officials said most flights stayed on schedule, and cruise ship operations were not affected. In time, systems were restored.
“The Port of Seattle has no intent of paying the perpetrators behind the cyberattack on our network,” Steve Metruck, the port’s executive director, said after the attack. “Paying the criminal organization would not reflect port values or our pledge to be a good steward of taxpayer dollars.”
The Department of Homeland Security warned in November 2022 that cyberattacks are one of the most significant threats to the 900 U.S. ports. Ports are considered particularly vulnerable to cyberattacks due to the extensive outsourcing of their workforces.
A 2022 survey by Jones Walker LLP on ports and terminals cybersecurity revealed that cybersecurity remains a top concern within the maritime industry. The survey showed a significant increase in reported cyberattacks, from 43% in 2018 to 74% in 2022, despite 90% of respondents claiming they were prepared to withstand such threats.
Security concerns have been raised over cranes used at U.S. container ports. Some 80% of those cranes are built by Shanghai Zhenhua Heavy Industries Company (ZPMC), a Chinese state-owned company with military links.
A 2024 congressional investigation reported that the semiautomated cranes could be monitored or even controlled remotely, suggesting that an adversary could do so to shut down port operations.
ZPMC and Chinese government officials dismissed the concerns as “paranoid.”
Coast Guard teams evaluated more than 90 cranes but found no “unique vulnerabilities or exploitations specific to foreign ship-to-shore cranes,” the GAO report said. They did see the same potential vulnerabilities found across operating systems.
In February 2024, the Coast Guard issued a directive requiring owners and operators of Chinese-built cranes to take cybersecurity precautions, including eliminating connections to the Internet. In November, the Coast Guard followed up with more risk management requirements.
In 2018, the Federal Maritime Transportation Security Act was amended to require that port owners and operators assess and address cybersecurity risks. “However, implementing regulations for this requirement were not issued until January 2025,” the report noted. “As such, there were no specific cybersecurity controls or measures that [Marine Transportation System] owners and operators were required to include in their security plans at the time of our review.”
That final rule, titled “Cybersecurity in the Marine Transportation System,” will become effective on July 16. Some new requirements are to go into effect immediately, while owners and operators can have six to 24 months to implement other requirements.
The GAO found that the Coast Guard lacks procedures for cataloging cyber incidents. “Implementing procedures to identify and track accurate cybersecurity incident information would help strengthen the Coast Guard’s ability to prevent or mitigate disruptions that could jeopardize billions in critical commerce,” the report concluded.
Updating its case management system would help the Coast Guard to better understand the scope and type of cybersecurity risks maritime transport owners and operators have found, the GAO report said.
