As the maritime sector undergoes rapid digital transformation, the security of shipboard Operational Technology (OT) has emerged as an urgent yet underexamined challenge within the broader industrial cybersecurity landscape. In this talk, we present recent research and practical insights from a deep technical analysis of the maritime OT attack surface, focusing on the convergence of navigation, propulsion, and communication subsystems through legacy and modern protocols. Using a full-scale maritime testbed built in our lab with real commercial vessel hardware, we identify and exploit a novel remote attack vector enabled by mandated situational awareness broadcasts. By chaining previously unknown vulnerabilities in navigation processing software, bridge equipment, and serial-to-Ethernet gateways, we demonstrate how unauthenticated external messages can cross isolation boundaries and compromise critical OT components such as steering and engine control systems. These attacks require no initial onboard presence, highlighting the erosion of the “air-gapped at sea” security assumption.

Beyond individual vessel compromise, we analyze how the structure and behavior of global maritime logistics—particularly predictable vessel movement patterns and international RF communication requirements—introduce systemic cybersecurity risks. Using global maritime traffic data, we simulate how coordinated adversarial campaigns could propagate compromise through high-traffic regions, maritime chokepoints, and transoceanic shipping lanes, potentially leading to widespread operational disruption. These findings expand the traditional ICS threat model by introducing a mobility-aware, domain-specific attack paradigm tailored to maritime systems.

To contextualize these findings with real-world practice, we also present results from our recent user study involving 21 officer-level mariners from both commercial and military fleets. The study revealed direct exposure to cyberattacks such as GPS spoofing and ransomware, but also systemic gaps: cybersecurity training that does not reflect operational realities, poor integration of security protocols into vessel operations, and widespread uncertainty about roles and responsibilities during cyber incidents. These human and organizational factors compound technical risks and present barriers to implementing resilient defenses.

Informed by both attack research and user feedback, we conclude with a discussion of defense mechanisms and recommendations, including architectural segmentation strategies, broadcast message sanitization, and regulatory co-design. We also describe our collaborative efforts with the National Marine Electronics Association (NMEA) to embed security into the next generation of maritime communication standards. This talk will equip attendees with new perspectives and actionable insights for securing the maritime OT ecosystem—an often-overlooked but globally critical domain.