Key Takeaways
- Maritime VAPT is multi-environment: vessel OT, vessel IT, shore IT, port terminal systems, satcom links and crew networks each need a discrete test plan.
- Scope separation between IT and OT is decided first. OT testing on a vessel at sea is dangerous and almost always restricted to passive observation plus port-stay active testing.
- Port terminal systems (TOS, gate, cranes, RFID, port community systems) are tested with adapted IT methodology plus IEC 62443 awareness for the OT subset.
- Crew WiFi is a recurring entry point. A flat network where crew BYOD reaches bridge OT is a finding in nearly every engagement that finds one.
- Reporting is built for flag state audits, P&I clubs, charterer questionnaires and the BIMCO gap closure cycle, not just for the IT team.
Why Maritime VAPT Is a Distinct Discipline
Maritime VAPT brings together several disciplines that are usually scoped as separate engagements: enterprise IT pentest (shore office), OT pentest (bridge and engine systems), wireless pentest (crew WiFi and bridge wireless), network pentest (vessel LAN, port LAN), cloud pentest (fleet operations platforms), and supply-chain assessment (chart vendors, satcom providers, planned maintenance vendors). Treating them as a single coherent engagement is how we produce a report that satisfies IMO 2021, BIMCO, and the flag state in one document.
The other distinguishing factor is the safety constraint. A web app pentest can fuzz a login form. A maritime OT pentest cannot fuzz a propulsion alarm, an autopilot, or a cargo control loop while the vessel is operational. Methodology is built around what is safe to do when, which often translates to passive observation at sea plus deeper active testing at port stay or in dock.
Scope Definition: IT vs OT, Vessel vs Shore
Scoping is the most important hour of the engagement. The customer typically arrives with one of three positions: 'test everything', 'test the vessel only', or 'test the IT systems only'. None of these is precise enough. The engagement letter must enumerate each environment and each test method per environment.
Our standard scope template covers six environments and three test depths per environment (passive observation, active non-disruptive, active intrusive):
- Vessel OT: bridge systems, engine monitoring, cargo control, ballast and scrubber control. Typically passive at sea, active non-disruptive at port
- Vessel IT: ship office workstations, planned maintenance system, document management. Standard pentest depth
- Crew network: welfare WiFi, BYOD segment, captive portal. Standard wireless pentest depth
- Shore IT: head office, fleet operations centre, ERP, chartering and accounting. Standard enterprise pentest depth
- Port terminal systems: TOS, gate systems, cargo manifest, port community system integration. Standard pentest with OT awareness for the controlled subset
- Vendor and cloud surface: satcom portal, chart distributor, planned-maintenance vendor, fleet platform. Standard cloud and API pentest depth
Vessel Network Topology Testing
Once on board, the first task is mapping the actual network as it exists, not as the network drawing claims. We start with passive observation using a SPAN port (where available) or a managed switch with mirroring, capturing on the bridge LAN, the satcom LAN segment, the crew network, and the engine room network. The capture reveals every device that talks, every protocol in use, every vendor remote diagnostic session, and every cross-zone path the firewall is supposed to be blocking.
Active discovery follows, with constrained Nmap (-sT, low-rate, no service probes against OT-bearing hosts), targeted protocol scans (NMEA 0183 over Ethernet, IEC 61162-450 multicast, Modbus where present in engine or cargo systems), and configuration walk-throughs of every accessible switch, router and firewall. The output is a corrected network diagram, a complete asset inventory, and a list of every cross-zone path with its policy and actual traffic observation.
Port Terminal Systems
Port pentest engagements have a different shape. The terminal operating system (TOS) sits at the centre, integrating with cargo manifests, gate access, crane and equipment control, RFID and barcode scanning, the port community system (PCS), and the customs declaration channel. Each is its own attack surface.
TOS platforms (Navis N4, Octopi, CyberLogitec OPUS Terminal, KALEIDO and others) are typically web or thick-client applications backed by enterprise databases. We test them with standard OWASP web and API methodology plus role-based access tests across operator, supervisor, gate clerk and customer-portal roles. Crane and equipment control are tested as constrained OT (refer to our IEC 62443 maritime guide). RFID gate systems are tested for tag cloning resistance, replay attack resistance, and gate-relay logic abuse.
Common findings: TOS instances with default vendor credentials retained, RFID gate badges using cleartext UIDs trivially clonable with a Proxmark, port community system APIs with broken object-level authorisation (BOLA) across terminals, and customs integration channels with weak authentication.
Crew WiFi: The Recurring Pivot Point
Crew welfare WiFi is the single most-exploited vessel attack path in our engagements. The crew network is by design lower-trust than the ship office or the bridge, but if it shares a physical switch with no VLAN separation, or if the captive portal logic has bypasses, or if the access points expose management interfaces to the crew segment, then a crew device or a visitor can reach into the higher-trust zones.
Standard tests include: enumerate from a crew-network position, attempt to reach the ship office subnet, attempt to reach the bridge OT subnet, attempt to reach the satcom management interface, attempt to bypass the captive portal (DNS tunnelling, MAC spoofing, ICMP tunnelling, captured guest credentials), and attempt to compromise the AP management plane. Findings are typically straightforward to remediate (proper VLAN separation, firewall rules between zones, AP management isolation) and difficult to argue against.
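The cross-zone path list described under Vessel Network Topology Testing, and the crew-segment reachability question above, can both be answered defensively from passive flow records. The following is an added example, not Codesecure's tooling: the zone ranges, the intended-policy tuples and the flow records are all constructed assumptions standing in for a vessel's real addressing plan and a reduced mirror-port capture.

```python
import ipaddress
from collections import defaultdict

# Assumed zone addressing; take the real ranges from the vessel's own design documents.
ZONES = {z: ipaddress.ip_network(c) for z, c in {
    "bridge_ot": "10.10.1.0/24", "engine_ot": "10.10.2.0/24",
    "ship_office": "10.20.0.0/24", "satcom_mgmt": "10.30.0.0/28",
    "crew": "172.16.0.0/22"}.items()}

# Intended firewall policy as (src_zone, dst_zone, dst_port); assumed for illustration.
ALLOWED = {("ship_office", "engine_ot", 502),
           ("ship_office", "satcom_mgmt", 443)}

# Constructed flow summaries (src, dst, proto, dst_port), not real capture data.
FLOWS = [
    ("10.20.0.15", "10.10.2.40", "tcp", 502),     # office -> engine room, Modbus
    ("172.16.1.77", "10.10.1.5", "tcp", 80),      # crew device -> bridge host
    ("172.16.1.77", "10.30.0.1", "tcp", 443),     # crew device -> satcom management
    ("10.10.1.5", "239.192.0.1", "udp", 60001),   # bridge multicast talker
    ("10.10.1.9", "10.10.1.5", "tcp", 10110),     # bridge -> bridge, same zone
    ("192.168.88.2", "10.10.1.5", "tcp", 23),     # host missing from the zone plan
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def audit(flows):
    paths = defaultdict(set)   # (src_zone, dst_zone) -> {(proto, port, verdict)}
    unmapped = set()           # hosts seen on the wire but absent from the zone plan
    for src, dst, proto, port in flows:
        if ipaddress.ip_address(dst).is_multicast:
            continue           # group traffic has no destination zone; review separately
        sz, dz = zone_of(src), zone_of(dst)
        unmapped.update(ip for ip, z in ((src, sz), (dst, dz)) if z is None)
        if sz is None or dz is None or sz == dz:
            continue           # only documented cross-zone paths are compared to policy
        verdict = "allowed" if (sz, dz, port) in ALLOWED else "VIOLATION"
        paths[(sz, dz)].add((proto, port, verdict))
    return dict(paths), unmapped

if __name__ == "__main__":
    paths, unmapped = audit(FLOWS)
    for (sz, dz), observed in sorted(paths.items()):
        for proto, port, verdict in sorted(observed):
            print(f"{sz} -> {dz} {proto}/{port}: {verdict}")
    print("hosts not in the zone plan:", sorted(unmapped))
```

Hosts reported as missing from the zone plan feed the asset inventory correction; paths marked VIOLATION are the cross-zone findings to reconcile against the firewall configuration.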
Pre-Port-Entry Cyber Testing and Inspections
Several major ports and a growing number of charterers now ask for a recent cyber assessment as a precondition for entry or charter. Singapore (MPA), Rotterdam, Antwerp, Houston, the larger UAE ports, and many cruise terminals already integrate cyber questions into their pre-arrival inquiries. India's Major Port Authorities are adopting similar practices.
Codesecure delivers pre-port-entry cyber assessments tuned to the questions the receiving port or charterer is likely to ask. The engagement is shorter than a full vessel pentest (typically 1 to 3 days) and produces a one-page attestation plus an evidence pack the master and DPA can hand over on request. Where a deeper finding emerges, we offer a follow-on full assessment.
Reporting for Flag State, Class, P&I and Charterer
A maritime VAPT report must serve four distinct audiences in one document. The flag state and class society want IMO 2021 and BIMCO control evidence. The P&I club and hull insurer want a risk posture statement that informs premium and excess. The charterer wants a security questionnaire that closes their queries. The internal IT and DPA team want the technical detail with remediation steps.
Our reports map each finding against MSC-FAL.1/Circ.3 functional elements (Identify, Protect, Detect, Respond, Recover), BIMCO Guidelines control areas, IEC 62443 zones and conduits, ISO/IEC 27001:2022 Annex A controls where applicable, and the OWASP Top 10 for web-facing components. CVSS v3.1 with environmental modifiers gives the risk number. A maritime-specific severity overlay (Safety-Impacting / Operations-Impacting / IT-Only) sits alongside CVSS so the bridge and the DPA can read the report as easily as the CISO. Free re-test within 90 days is standard.
Frequently Asked Questions
Can you test our vessel while it is at sea?
Limited testing only. Passive observation (packet capture, configuration review with the chief engineer, document review) is safe at sea. Active testing of OT systems is restricted to port stay or dry dock for safety reasons. Standard active testing of vessel IT and crew networks is fine at sea, but if the consultant works remotely it requires reliable satcom, which adds cost.
Do we need to be in port for a maritime VAPT?
Most engagements include at least one port-stay visit. For a fleet, a representative vessel per class is typically tested deeply at port and the findings extrapolated across sister vessels with a desk review. Where a physical visit is not feasible, we run a remote engagement via the ship office VPN plus master interview and document review.
How long does a vessel pentest take?
A single-vessel engagement covering vessel OT, vessel IT, crew network and satcom typically runs 3 to 5 days on board plus 4 to 5 days of reporting. Fleet engagements covering a representative vessel per class run 6 to 10 weeks end to end depending on class diversity.
Do you also test the shore office?
Yes, where in scope. Most maritime customers ask us to bundle the head office and fleet operations centre pentest with the vessel engagement. Many cyber incidents originate shore-side and propagate to the vessel through legitimate shore links, so the combined scope is more useful than either alone.
Does Codesecure deliver outside India?
Yes. Maritime engagements run across India, Singapore, UAE, the Middle East and parts of Europe and Australia. Our consultants travel to vessels at port stay or to shore offices as the engagement requires. ISO/IEC 27001:2022 certified delivery applies regardless of location.
How much does a maritime VAPT cost?
A single-vessel pentest at port stay typically runs INR 4 to 10 lakh equivalent depending on environment depth (vessel-only versus vessel plus shore). Fleet engagements are priced per representative class with shared shore-side fees. Codesecure provides fixed-price proposals after a 30-minute scoping call.
Get A Maritime Pentest That Auditors and Insurers Trust
Codesecure runs maritime VAPT for shipowners, managers, ports and terminals across India, Singapore, UAE and the Middle East. ISO/IEC 27001:2022 certified delivery, named consultants with bridge OT and port systems experience, IMO 2021 and BIMCO aligned reporting.

