
Port Infrastructure Under Attack: The Soft Underbelly of Global Trade

Maritime Cyber Threat Briefing #3

Ports are where the digital and physical worlds collide most violently. They are simultaneously logistics hubs, industrial control environments, financial systems, and national security assets. A port that stops working does not merely inconvenience a shipping company: it disrupts supply chains, halts energy flows, strains national economies, creates immediate geopolitical leverage and, in the current conflict environment, provides adversaries with a strategic instrument of coercion.

The cyber threat to port infrastructure has escalated sharply. It is no longer driven solely by financially motivated ransomware groups seeking extortion payments. It is increasingly shaped by state-aligned actors who view port disruption as a legitimate instrument of hybrid warfare and by a conflict in the Middle East that has already demonstrated, in real time, what that targeting looks like.


Why Ports Are High-Value Targets

Ports sit at the intersection of the physical and digital worlds, where maritime logistics, industrial control systems, and corporate IT converge. This convergence creates enormous efficiency, but it also introduces an entirely new attack surface. A cyber event that halts gate operations or vessel movement can paralyze trade and ripple through national economies within hours.

The systems that run a modern port are numerous, interconnected, and frequently built on legacy architectures never designed with cybersecurity in mind. Terminal operating systems manage container flows, berth allocation, and crane operations. SCADA and industrial control systems govern power distribution, fuel handling, and physical access. Gate management systems process truck entries and exits. Port community systems connect customs, agents, shipping lines, and freight forwarders. Each of these represents a potential entry point. Each has dependencies on the others. A compromise in one area does not stay contained; it propagates.

European port authorities have become increasingly vocal about the scale of the threat. The CEO of Port of Antwerp-Bruges has described the current environment in direct terms: “This is not peacetime anymore. We are somewhere between peace and real war, and cyberattacks are the first indications.” His port sees regular, massive attacks on data centers and services, particularly from Russian and Russian-friendly territories. That pattern is shared by Rotterdam, Le Havre, Hamburg, and Bremen.


The Iran Conflict: Ports as Targets in a Live War

The outbreak of Operation Epic Fury on February 28, 2026 immediately elevated the threat to port infrastructure across the Gulf and beyond.

Port disruptions have been recorded at Jebel Ali in the UAE, Salman Industrial Zone in Bahrain, and Duqm and Salalah in Oman. At Khalifa Port, late departures increased by 1,300%, port-of-loading rollovers reached 14, and transshipment delays significantly exceeded seven-day averages.

The conflict produced a development with no precedent in maritime history. Less than 24 hours into the war, Iranian drones struck three Amazon Web Services facilities in the UAE and Bahrain, disrupting core cloud infrastructure and knocking out finance applications and enterprise tools across the Gulf and far beyond the region. The attacks demonstrated that physical distance from a conflict zone is no guarantee of insulation from the impacts of kinetic warfare.

Port management systems, terminal operating platforms, and logistics coordination tools hosted on cloud infrastructure were directly exposed. For port operators who had migrated critical operational functions to cloud-hosted environments, this was not an abstract cyber risk; it was a service outage caused by physical destruction of the infrastructure their systems depended upon.

Since February 28, multiple Iranian state-aligned hacktivist groups operating under a newly established Electronic Operations Room have claimed responsibility for a range of disruptive operations. Handala Hack claimed responsibility for compromising Jordan’s fuel systems and targeting Israeli energy infrastructure, while APT Iran claimed responsibility for sabotage of critical infrastructure across the region.

Pro-Russian hacktivist group NoName057(16) teamed up with Iranian hacktivists to target Israeli defence and municipal organisations including defence contractor Elbit Systems, and separately claimed access to an Israeli water management system and other industrial control systems. The convergence of Iranian and Russian hacktivist coalitions targeting critical infrastructure represents a significant expansion of the operational threat surface for ports and terminal operators with any affiliation to conflict-adjacent nations.


The Ransomware Threat: Persistent, Targeted, and Escalating

Beyond the conflict-driven threat, port infrastructure faces a sustained and growing ransomware problem that predates the current war and will outlast it.

The 2017 NotPetya attack on Maersk remains the most cited example: 76 port terminals shut down, 45,000 compromised systems, and an estimated $300 million in losses from a single malware deployment. The lesson it taught the maritime industry, that a shipping company’s port operations could be rendered inoperable by an IT compromise, has been absorbed by threat actors and repeated in multiple forms since.

Ransomware groups targeting industrial organisations increased 64% year on year in 2025, with 119 groups tracked and attacks affecting over 3,300 organisations. The average dwell time for ransomware in OT environments was 42 days, meaning attackers were present and moving laterally for over six weeks before triggering their payload.

Ransomware targeting maritime infrastructure is now highly targeted rather than opportunistic. Attackers focus on critical shipboard and port systems specifically to cause maximum disruption and financial damage, recognising that the ability to immobilise a port has immediate and severe consequences for global supply chains.

A critical and underappreciated vulnerability lies in third-party access. Stevedores, agents, and contractors frequently have system access to port-owned infrastructure. If those third-party systems are not sufficiently hardened, they represent a direct gateway into the port’s operational environment. The 2025 attack on Iranian maritime operations via the Fanava Group (a satellite communications vendor) demonstrated exactly this pathway at sea. The same logic applies on shore.


OT Systems: The Hidden Attack Surface

The operational technology environments running port infrastructure represent a particularly dangerous and frequently overlooked attack surface. In port environments these systems control container cranes, fuel pipelines, power distribution networks, automated gates, and increasingly autonomous yard equipment.

OT incidents now account for 20% of all reported cyber events, with 22% of organisations experiencing an OT or ICS cyber incident in 2025. Attack patterns have shifted from targeting network gateways toward programmable logic controller devices, the systems that directly control physical processes.

Adversaries are increasingly mapping how control systems work, understanding where commands originate, how they propagate, and where physical effects can be induced. Specialised threat groups are systematically building access pathways for more capable actors to reach OT environments, while ransomware groups are causing multi-day outages that require OT-specific recovery procedures.

The intersection of IT and OT in port environments creates a particularly dangerous condition. A compromise that begins in a corporate email system or a contractor’s remote access connection can traverse into crane control systems, power management infrastructure, or gate access platforms.

The IT/OT boundary in most ports is not a wall; at best, it is a poorly maintained fence.


What Port Operators Must Address

  1. Asset visibility across IT and OT environments. You cannot defend what you cannot see. Globally, less than 5% of OT networks are monitored with adequate visibility. Until that gap is addressed, defenders are operating in the dark. Port operators must maintain a current, accurate inventory of every connected asset, including legacy systems that may be running on unsupported operating systems or with default credentials unchanged from installation.
  2. Third-party and contractor access management. Every external organisation with system access to port infrastructure represents a potential attack vector. Vendor access should be time-limited, monitored, logged, and subject to formal security assessment. The US Coast Guard’s cybersecurity rules effective July 2025 specifically require ports to assess and monitor the cyber resilience of third parties and contractors. This is not optional compliance overhead; it is a direct response to a documented attack pathway.
  3. IT/OT network segmentation. Corporate IT systems and operational technology environments must be separated with enforced boundaries. Where connectivity between them is operationally necessary, it should be tightly controlled, monitored, and subject to anomaly detection. A ransomware infection that cannot cross from IT to OT is a containable incident. One that can is a potential operational shutdown.
  4. Cloud dependency risk assessment. The AWS facility strikes in the UAE and Bahrain on March 1, 2026 demonstrated that cloud-hosted operational systems can be rendered unavailable by physical attacks on infrastructure the port operator has no visibility of or control over. Port operators must understand which critical operational functions depend on cloud services, where those services are hosted geographically, and what their fallback procedures are when cloud connectivity is lost.
  5. Incident response with OT-specific capability. Generic IT incident response plans are insufficient for port environments. Response procedures must address OT system recovery, the reinstatement of industrial control functions, and the coordination between IT security teams and operational personnel who understand how physical processes are managed. These plans must be tested through realistic exercises, not simply documented.
  6. Cyber monitoring of OT environments. Industrial control environments must be continuously monitored for anomalous behavior using OT-aware detection technologies. Traditional IT security tools are rarely capable of detecting malicious commands issued to industrial control systems.
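Items 2, 3 and 6 above describe controls in prose; the following is an added example, written for this briefing and not taken from any port operator, regulator or vendor product, of what a minimal zone-aware check over boundary flow logs could look like. It assumes a hypothetical address plan (the `ZONES` CIDRs), a hypothetical allowlist of permitted IT/OT crossings, and a constructed vendor maintenance window; the flow records, the CSV layout and the service-account naming are all constructed for the example. It flags three things a defender would want surfaced: a boundary crossing that is not on the allowlist, an industrial protocol reaching a controller from anywhere other than the engineering zone, and a registered vendor account active outside its approved window.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone map (hypothetical addressing; replace with the real port network).
ZONES = {
    "corporate_it": ip_network("10.10.0.0/16"),
    "dmz_jump": ip_network("10.20.0.0/24"),        # jump hosts / vendor landing zone
    "ot_engineering": ip_network("10.30.1.0/24"),  # engineering workstations
    "ot_control": ip_network("10.30.2.0/24"),      # PLCs, crane and gate controllers
}

# Well-known TCP ports of common industrial protocols.
ICS_PORTS = {502: "modbus", 102: "s7comm", 44818: "enip", 20000: "dnp3"}

# Hypothetical allowlist of permitted crossings: (src_zone, dst_zone, dst_port).
ALLOWED_CROSSINGS = {
    ("dmz_jump", "ot_engineering", 3389),   # RDP from jump host to engineering WS only
    ("ot_engineering", "ot_control", 502),  # Modbus from engineering to controllers
    ("ot_engineering", "ot_control", 102),  # S7comm from engineering to controllers
    ("ot_control", "ot_engineering", 502),  # historian pulls within OT
}

# Constructed vendor maintenance window: account -> (start, end), naive UTC timestamps.
VENDOR_WINDOWS = {
    "crane_vendor_svc": (datetime(2026, 3, 10, 8, 0), datetime(2026, 3, 10, 12, 0)),
}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    user: Optional[str] = None


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no listed zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(flow: Flow) -> list[str]:
    """Return a list of findings for one flow record (empty list means no finding)."""
    findings: list[str] = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)

    # Rule 1: any zone crossing must be on the allowlist.
    if src_zone != dst_zone and (src_zone, dst_zone, flow.dport) not in ALLOWED_CROSSINGS:
        findings.append(f"unlisted crossing {src_zone}->{dst_zone}:{flow.dport}")

    # Rule 2: industrial protocols may reach controllers only from the engineering zone.
    if dst_zone == "ot_control" and flow.dport in ICS_PORTS and src_zone != "ot_engineering":
        findings.append(f"{ICS_PORTS[flow.dport]} to controller from {src_zone} ({flow.src})")

    # Rule 3: registered vendor accounts are only valid inside their approved window;
    # vendor-style accounts with no registered window are flagged outright.
    if flow.user in VENDOR_WINDOWS:
        start, end = VENDOR_WINDOWS[flow.user]
        if not (start <= flow.ts <= end):
            findings.append(f"vendor {flow.user} active outside window at {flow.ts.isoformat()}")
    elif flow.user and flow.user.endswith("_vendor_svc"):
        findings.append(f"unregistered vendor account {flow.user}")
    return findings


def parse_line(line: str) -> Flow:
    """Parse one constructed CSV flow line: ts,src,dst,dport[,user]."""
    parts = line.strip().split(",")
    user = parts[4] if len(parts) > 4 and parts[4] else None
    return Flow(datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3]), user)


# Constructed sample log: two benign in-window vendor flows, one out-of-window vendor
# session, then Modbus and SMB reaching a controller straight from corporate IT.
SAMPLE_LOG = """\
2026-03-10T09:15:00,10.20.0.5,10.30.1.10,3389,crane_vendor_svc
2026-03-10T09:16:00,10.30.1.10,10.30.2.21,502,crane_vendor_svc
2026-03-10T21:40:00,10.20.0.5,10.30.1.10,3389,crane_vendor_svc
2026-03-10T22:05:00,10.10.4.77,10.30.2.21,502,
2026-03-10T22:06:00,10.10.4.77,10.30.2.21,445,
"""


def scan(log_text: str) -> dict[int, list[str]]:
    """Return {line_number: findings} for every log line that trips at least one rule."""
    results: dict[int, list[str]] = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            found = check_flow(parse_line(line))
            if found:
                results[n] = found
    return results


if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(f"line {n}: {'; '.join(found)}")
```

On the constructed sample, lines 1 and 2 pass, line 3 is flagged only for the out-of-window vendor session, line 4 trips both the allowlist and the controller-protocol rule, and line 5 trips the allowlist alone. The point of the allowlist being a set of explicit triples is that the default is deny: anything crossing the fence that nobody wrote down becomes a finding, which is the property item 3 asks for.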

The Regulatory Imperative

The IMO’s cyber risk management requirements, embedded in the ISM Code since 2021, apply to the shipboard environment. NIS2 in Europe brings port operators and maritime logistics providers meeting certain thresholds under mandatory cybersecurity obligations, including incident reporting requirements with defined timelines. The US Coast Guard’s 2025 cybersecurity rule introduces specific requirements for ports, terminals, and offshore facilities, including the appointment of Cybersecurity Officers and formal incident reporting to the National Response Center.

These regulatory frameworks have elevated cybersecurity to boardroom level in many organisations. But when applied mechanically, regulation risks becoming a tick-box exercise that adds paperwork without reducing risk. The opportunity lies in using these standards as catalysts for genuine operational resilience rather than compliance performance.


Port infrastructure is not a peripheral concern in the current threat environment; it is a primary strategic target. State-aligned actors view ports as chokepoints through which economic coercion can be exercised. Ransomware groups view them as high-value targets where downtime translates directly to financial leverage. Hacktivists view them as visible symbols of the commercial and political interests they oppose.

The Iran conflict has provided a live demonstration of what targeted disruption of Gulf port infrastructure looks like, and the consequences extend far beyond the region. The 27 tankers adrift without confirmed discharge destinations in the Arabian Sea, the 1,300% increase in late departures at Khalifa Port, the suspension of bookings by Maersk, MSC, CMA CGM, and Hapag-Lloyd: these are not hypothetical risk scenarios; they are this week’s operational reality.

Ports are the beating hearts of global trade. Protecting them from cyber disruption is not a technical ambition. In the current environment, it is an operational necessity with direct consequences for the safety, security, and continuity of the global supply chain.

The question for port operators is no longer whether they will face cyber attacks, but whether those attacks will remain IT incidents or escalate into operational shutdowns.


Maritime Cyber Threat Briefing is an independent series covering cyber threats, vulnerabilities, and risk management across the global maritime industry. It is published by Alexandros Engelen, a Cybersecurity Strategist, specializing in maritime cyber risk.