
Ship-to-Shore Secure Data Link: VSAT, LEO, Port WiFi and GSM Hardening Guide

Practical guide to securing the data link between vessel and shore. VSAT, Starlink/OneWeb LEO, port WiFi, GSM/4G/5G shore links, VPN tunnels, fleet management cloud apps. Coverage of threats, hardening measures and class-society alignment.

Published 19 May 2026. 11 min read. Codesecure Maritime Cyber Team. Category: Maritime.

Key Takeaways

  • Ship-to-shore connectivity is a high-leverage attack surface. A compromise here gives an attacker access to the entire fleet rather than just one vessel.
  • VSAT and LEO terminals (Inmarsat, Iridium, Starlink Maritime, OneWeb) have publicly documented management plane vulnerabilities. Default credentials, exposed admin web interfaces and weak firmware are common.
  • Port WiFi is hostile by default. Assume any port WiFi network is monitored, intercepted or attacker-controlled. Bridge or crew use of port WiFi without VPN is a regular finding in vessel assessments.
  • VPN concentrators on shore are often the highest-value target. Compromise yields lateral movement into fleet management, charterer portals, owner systems.
  • Class society audits (IMO MSC.428(98), IACS UR E26/E27, TMSA 3 Element 13) expect documented controls covering the full ship-to-shore path, not just on-vessel.

Why Ship-to-Shore Connectivity Is a High-Leverage Attack Surface

Vessel cyber posture is often discussed at the vessel level: bridge integrated navigation, engine control, cargo systems. But the data link between vessel and shore is frequently the highest-leverage attack surface for several reasons: (1) it connects every vessel in the fleet through common shore infrastructure, (2) management planes (VSAT admin interfaces, VPN concentrators) are often exposed to the internet, (3) physical layer compromise (port WiFi, GSM, VSAT signal) is hard to detect without dedicated monitoring.

A compromised ship-to-shore link can yield an attacker access to: the entire fleet's operational and commercial data, fleet management systems, charterer and broker communications, crew records, maintenance scheduling, cargo manifests, ECDIS chart updates, AIS feeds, voyage instructions. The impact is fleet-wide rather than single-vessel.

The good news: defending the ship-to-shore link is a manageable cyber programme. Most issues we find in vessel assessments are configuration and management hygiene, not architectural impossibilities.

Ship-to-Shore Connectivity Options and Their Threat Profile

VSAT (Geostationary Satellite)

Traditional vessel satellite connectivity via Inmarsat FleetBroadband, Fleet Xpress, Iridium Certus and similar services, relayed either over geostationary or over LEO satellites. Threat profile: VSAT terminals frequently have management plane vulnerabilities (default credentials, exposed admin web interfaces, weak firmware). Public threat intelligence (Cisco Talos, vendor advisories) documents successful exploitation of unsecured VSAT terminals. Bandwidth is limited; the emphasis is on voice and low-bandwidth data.

LEO Constellations (Starlink Maritime, OneWeb)

Newer Low Earth Orbit satellite connectivity offering 50-200 Mbps. Increasingly common on vessels. Threat profile: Starlink terminals have a documented attack surface including the user dish firmware, the satellite link itself (less studied), and the management portal. OneWeb has similar exposure. As of 2026 both LEO providers have improved hardening but vessel operators report misconfigured installations are common.

Port WiFi (At Berth)

When alongside, vessels often use port WiFi for low-cost bandwidth. Threat profile: extremely hostile by default. Port WiFi is shared infrastructure, often with weak or no authentication. Attackers can monitor traffic, attempt man-in-the-middle attacks, push malicious updates to vessel systems. Bridge or crew laptops connecting to port WiFi without VPN is a regular finding in vessel assessments.

GSM / 4G / 5G Shore Links (Near Coast)

Cellular connectivity when within range of shore towers. Threat profile: better than port WiFi but still requires careful configuration. Risks include IMSI catchers (man-in-the-middle on cellular), SIM swap attacks, weak APN credentials, mismanaged eSIM provisioning. Vessel cellular gateways often have management interfaces exposed when not properly firewalled.

Hybrid SD-WAN and Failover

Most modern vessels use a hybrid setup: VSAT primary, LEO or cellular secondary, port WiFi tertiary. SD-WAN appliances handle failover and load balancing. Threat profile: SD-WAN appliances have their own attack surface (management plane, configuration database). Misconfigured failover can leak sensitive traffic over insecure paths.

Need a Maritime Cyber Assessment?

Codesecure runs vessel cyber risk assessments, OT/SCADA audits, ship-to-shore network assessments and IMO MSC.428(98) / IACS UR E26 / E27 compliance programmes. ISO/IEC 27001:2022 certified delivery, named maritime cyber consultants.

See Maritime Services →

Common Issues We Find in Ship-to-Shore Assessments

1. Exposed VSAT Management Web Interfaces

VSAT terminal admin web interfaces accessible from the internet, often with default or weak credentials. Public Shodan-style scanning regularly identifies vessel VSAT terminals from their characteristic ports and banners. Once authenticated, an attacker can reconfigure firewall rules, route traffic, install firmware, brick the terminal.

2. Bridge or Crew Use of Port WiFi Without VPN

Crew laptops, personal phones and even bridge management PCs connecting to port WiFi without enforced VPN. Traffic exposed to anyone monitoring the port network. Credentials harvested, malware delivered, sensitive data exfiltrated.

3. Shared SD-WAN or VPN Credentials Across Fleet

Single credential set for the SD-WAN appliance or VPN concentrator shared across the entire fleet, often with no rotation policy. Compromise of one vessel yields fleet-wide credential access.

4. Unsegmented Vessel Network

Crew Wi-Fi, bridge management, ship management LAN and ECDIS / RADAR all on the same flat network. A malicious actor on crew Wi-Fi can reach engine control terminals. Bridge USB media compromise can spread to ship management. The vessel has no internal trust boundaries.

5. Fleet Management Web Apps with Weak Authentication

Shore-side fleet management web applications with weak authentication (no MFA, password-only), exposed APIs, insufficient access control. Compromise of one user account yields broad visibility into fleet operations.

6. Vessel Edge Routers with Default Credentials

On-board edge routers (often Cradlepoint, Cisco IR, Peplink, MikroTik) with default or weak credentials, exposed management interfaces, no firmware patching. Compromise of the edge router gives an attacker the keys to the vessel's entire connectivity.

Hardening Measures That Actually Work

1. Authenticated Management Planes

All VSAT, LEO, edge router, SD-WAN, VPN concentrator management interfaces must require strong authentication with MFA. No internet exposure of management interfaces (jumpbox or VPN-only access). Rotated credentials. Per-vessel unique passwords, not fleet-wide shared. Centralised IAM with audit logging.

2. Vessel-Edge VPN with Always-On Enforcement

The vessel edge router runs an always-on VPN to the fleet management VPN concentrator. All vessel traffic other than local-to-vessel flows is routed through the VPN. Bridge and crew systems cannot reach the internet directly; all egress goes through the encrypted tunnel. A port WiFi compromise becomes containable.

3. Network Segmentation Onboard

Bridge integrated navigation, engine control, cargo control, ship management LAN, crew Wi-Fi on physically or logically separate VLANs with firewalled inter-VLAN routing. East-west traffic restricted to documented flows. No flat networks.
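Measures 2 and 3 together amount to one forward-chain policy on the edge router: default drop, only documented east-west flows permitted, and no segment ever reaching a physical uplink except through the tunnel interface. The script below is an added illustration (not Codesecure's or any vendor's code) that validates a documented flow table against those rules and renders it as an nftables ruleset. Segment names, interface names, the WireGuard tunnel interface `wg0`, the ports and the flow table are all constructed assumptions; adapt them to the real vessel design.

```python
"""Render a default-drop nftables forward chain for a vessel edge router from a
documented east-west / ship-to-shore flow table.

Added illustration, not Codesecure's or any vendor's code. Segment names,
interface names, ports and the flow table are constructed assumptions.
"""
from dataclasses import dataclass

# Onboard segments: VLAN name -> Linux interface carrying it (constructed).
SEGMENTS = {
    "bridge-nav": "vlan10",      # ECDIS / RADAR / integrated navigation
    "engine-control": "vlan20",
    "cargo-control": "vlan30",
    "ship-mgmt": "vlan40",       # ship management LAN
    "crew-wifi": "vlan50",
}

# Physical uplinks. Segments must never reach these directly; only the tunnel may.
WAN_IFACES = ["eth-vsat", "eth-leo", "wwan0", "wlan-port"]
TUNNEL_IFACE = "wg0"   # vessel-edge VPN to the shore concentrator (assumed WireGuard)

# Segments that never leave the vessel, not even inside the tunnel.
LOCAL_ONLY = {"bridge-nav", "engine-control", "cargo-control"}


@dataclass(frozen=True)
class Flow:
    src: str       # segment name, or "shore" for traffic arriving through the tunnel
    dst: str       # segment name, or "shore"
    proto: str     # "tcp" or "udp"
    port: int      # destination port
    purpose: str   # documented business reason; becomes the rule comment


def validate_flows(flows):
    """Return the list of policy violations; an empty list means the table is sound."""
    known = set(SEGMENTS) | {"shore"}
    problems = []
    for f in flows:
        if f.src not in known or f.dst not in known:
            problems.append(f"unknown segment in {f.src}->{f.dst} ({f.purpose})")
        elif f.src == f.dst:
            problems.append(f"{f.src}->{f.dst} is intra-segment and needs no forward rule")
        elif "shore" in (f.src, f.dst) and {f.src, f.dst} & LOCAL_ONLY:
            problems.append(f"local-only segment has a shore flow: {f.src}->{f.dst} ({f.purpose})")
        elif f.src == "crew-wifi" and f.dst in LOCAL_ONLY:
            problems.append(f"crew-wifi must never initiate into {f.dst} ({f.purpose})")
        elif f.proto not in ("tcp", "udp"):
            problems.append(f"unsupported protocol {f.proto!r} in {f.src}->{f.dst}")
    return problems


def _iface(name):
    return TUNNEL_IFACE if name == "shore" else SEGMENTS[name]


def _nft_set(names):
    return "{ " + ", ".join('"%s"' % n for n in names) + " }"


def build_ruleset(flows):
    """Render the nftables text; refuses to render a table that fails validation."""
    problems = validate_flows(flows)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "table inet vessel {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        # Explicit, logged denial of any segment talking to a physical uplink, so a
        # fail-open SD-WAN failover shows up in the SIEM instead of silently leaking.
        '    iifname %s oifname %s log prefix "direct-egress: " drop'
        % (_nft_set(SEGMENTS.values()), _nft_set(WAN_IFACES)),
    ]
    for f in flows:
        lines.append(
            '    iifname "%s" oifname "%s" %s dport %d accept comment "%s"'
            % (_iface(f.src), _iface(f.dst), f.proto, f.port, f.purpose)
        )
    lines += ['    log prefix "vessel-fwd-drop: " drop', "  }", "}"]
    return "\n".join(lines)


# Constructed flow table for the example vessel.
DOCUMENTED_FLOWS = [
    Flow("ship-mgmt", "shore", "tcp", 443, "fleet management portal"),
    Flow("crew-wifi", "shore", "tcp", 443, "crew internet, egress on shore"),
    Flow("crew-wifi", "shore", "udp", 53, "DNS resolved on shore"),
    Flow("ship-mgmt", "bridge-nav", "tcp", 445, "ECDIS chart update share"),
    Flow("shore", "ship-mgmt", "tcp", 22, "shore IT remote maintenance"),
]

if __name__ == "__main__":
    print(build_ruleset(DOCUMENTED_FLOWS))
```

The two logged drop rules are what make the policy auditable: the `direct-egress:` prefix fires only when a segment tries to leave via VSAT, LEO, cellular or port WiFi outside the tunnel, which is exactly the symptom of a fail-open failover, while the catch-all `vessel-fwd-drop:` prefix records every undocumented east-west attempt for the centralised SIEM. Loading the output with `nft -f` is left to the operator; the generator deliberately refuses to render a table that documents a crew-to-navigation flow.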

4. End-to-End Encryption for Sensitive Data

Application-layer encryption for sensitive vessel data (cargo manifests, charterer communications, crew records), end-to-end from the vessel application to the shore-side application. This is defence in depth beyond VPN encryption: even if the VPN is compromised, sensitive payloads remain encrypted.

5. Shore-Side VPN Concentrator Hardening

Shore-side VPN concentrator (where all vessels terminate) hardened to enterprise VPN standards: latest firmware, certificate-based authentication for vessels, MFA for admin access, IDS/IPS inspection of decrypted traffic, alert on anomalous vessel behaviour.
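Two of the anomalies the concentrator should alert on follow directly from the findings above: a single vessel identity with overlapping sessions from different source addresses, and one certificate presented by more than one vessel (the fleet-wide shared credential of finding 3). The script below is an added example, not Codesecure tooling, that runs both detections over concentrator session logs. The log line shape, the concentrator host name, the vessel names, the certificate serials and the addresses (RFC 5737 documentation ranges) are all constructed; a real concentrator's log format will need its own regular expression.

```python
"""Two detections over shore-side VPN concentrator logs: one vessel identity with
overlapping sessions from different addresses, and one certificate presented by
more than one vessel.

Added example, not Codesecure tooling. The log format, host and vessel names,
certificate serials and addresses (RFC 5737 documentation ranges) are constructed.
"""
import re
from collections import defaultdict

# Assumed line shape: "<ts> <host> session-up|session-down peer=<vessel> src=<ip> [cert=<serial>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>session-up|session-down) "
    r"peer=(?P<peer>\S+) src=(?P<src>\S+)(?: cert=(?P<cert>\S+))?$"
)

# Constructed sample: NORTHSTAR's identity appears from a second address while the
# first session is still up; SOUTHWIND's certificate is later presented by EASTERN.
SAMPLE_LOG = """\
2026-05-19T08:00:01Z vpn-conc01 session-up peer=MV-NORTHSTAR src=203.0.113.10 cert=1A2B
2026-05-19T08:00:07Z vpn-conc01 session-up peer=MV-SOUTHWIND src=198.51.100.20 cert=3C4D
2026-05-19T08:03:15Z vpn-conc01 session-up peer=MV-NORTHSTAR src=192.0.2.55 cert=1A2B
2026-05-19T08:10:00Z vpn-conc01 session-down peer=MV-NORTHSTAR src=203.0.113.10
2026-05-19T08:12:30Z vpn-conc01 session-up peer=MV-EASTERN src=198.51.100.99 cert=3C4D
this line is not in the expected format and is skipped
"""


def parse(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text):
    """Walk the log in order and return (kind, subject, detail) alerts."""
    active = defaultdict(set)   # vessel identity -> source addresses with a live session
    cert_owner = {}             # certificate serial -> vessel that first presented it
    alerts = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        peer, src = ev["peer"], ev["src"]
        if ev["event"] == "session-down":
            active[peer].discard(src)
            continue
        # A vessel has one edge router, so a live session from a second address
        # means the identity is in use elsewhere (or a failover left a stale session).
        others = active[peer] - {src}
        if others:
            alerts.append(("concurrent-session", peer,
                           f"{ev['ts']}: new session from {src} while {sorted(others)} still up"))
        active[peer].add(src)
        cert = ev["cert"]
        if cert is not None:
            owner = cert_owner.setdefault(cert, peer)
            if owner != peer:
                alerts.append(("shared-credential", cert,
                               f"{ev['ts']}: certificate {cert} presented by {peer}, "
                               f"first seen from {owner}"))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in analyse(SAMPLE_LOG):
        print(f"[{kind}] {subject}: {detail}")
```

One caveat when tuning the first rule: a legitimate VSAT-to-LEO failover also changes the vessel's source address, but it should appear as session-down followed by session-up, not as two live sessions. A stale session on the old path can overlap the new one for as long as the concentrator's dead-peer detection interval, so alert on overlap longer than that interval rather than on any overlap at all. The second rule has no such ambiguity: per-vessel certificates mean a serial must never move between vessel identities.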

6. Fleet Management Web App Security

Shore-side fleet management web apps and APIs hardened to web application security best practices: MFA, role-based access, API rate limiting, WAF protection, regular pentest (we recommend annual). Web app pentest finds the highest-impact issues here.

7. Vessel Edge Router Hardening

On-board edge router hardened to network device security baseline: latest firmware, disable unnecessary services, strong management plane authentication, network-segmented management VLAN, logging to centralised SIEM.


Frequently Asked Questions

Why is ship-to-shore connectivity a higher-leverage attack surface than the vessel itself?

Because it connects every vessel in the fleet through common shore infrastructure. A compromise of the shore-side VPN concentrator, fleet management web app or shared credentials yields access to the entire fleet's operational and commercial data, not just one vessel. The blast radius is fleet-wide rather than single-vessel.

Is Starlink Maritime more secure than traditional VSAT?

Starlink Maritime offers more bandwidth and lower latency than traditional VSAT, but its security depends on configuration. Both Starlink terminals and traditional VSAT terminals have documented attack surfaces (management plane, firmware, customer portal). The difference is operational: Starlink is newer so vessel operators have less mature operational practices around it. Codesecure ship-to-shore assessments cover Starlink Maritime, OneWeb and traditional VSAT with the same hardening framework.

How should crew use port WiFi safely?

Crew should not use port WiFi directly. Crew internet access should route through the vessel-edge VPN to the shore-side fleet management VPN concentrator, then out to the internet. Even crew personal phones should be configured to use vessel WiFi with VPN, not port WiFi directly. Educate crew on the operational risk: a crew device compromised over port WiFi can spread to the crew Wi-Fi VLAN and potentially to the bridge management VLAN if segmentation is weak.

Should vessel operators do regular ship-to-shore penetration testing?

Yes, recommended annually. A ship-to-shore pentest covers VSAT/LEO management planes (remote testing), shore-side VPN concentrators, fleet management web apps and APIs (full web pentest), and on-board sampling of edge router configuration and segmentation during a port call. A Codesecure ship-to-shore assessment typically takes 3-5 weeks per fleet and produces a class-society-aligned report.

What standards address ship-to-shore connectivity security?

IMO Resolution MSC.428(98) requires vessel SMS to address cyber risks including those affecting communications. IACS UR E26 (new build cyber resilience) and UR E27 (ship system cyber resilience) cover communication system cyber resilience. BIMCO Guidelines on Cyber Security Onboard Ships v5 explicitly addresses ship-to-shore connectivity. TMSA 3 Element 13 covers it for tanker operators.

Can ship-to-shore connectivity be hardened against state-level adversaries?

Defending against state-level adversaries (with capabilities including satellite signal interception, supply chain compromise of vessel equipment, infrastructure-level access) is genuinely difficult and beyond most commercial vessel programmes. However, baseline hardening (no exposed management, vessel-edge VPN, segmentation, MFA, fleet management web app pentest) defeats the vast majority of adversaries vessel operators actually face in practice.

How does Codesecure approach ship-to-shore assessments?

A hybrid of remote and on-board phases. Remote: testing of internet-facing management interfaces, shore-side VPN concentrators, fleet management web apps and APIs from our infrastructure. On-board (during port call): sample edge router and SD-WAN configuration review, WiFi segmentation verification, VSAT/LEO terminal inspection. Reports aligned to IMO MSC.428(98), IACS UR E26/E27, BIMCO and TMSA 3. ISO/IEC 27001:2022 certified delivery.


Codesecure Maritime Cyber Team

ISO/IEC 27001:2022 Certified Maritime Cyber Consultants

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers maritime cyber assessments aligned with IMO Resolution MSC.428(98), IACS Unified Requirements E26 and E27, BIMCO Guidelines on Cyber Security Onboard Ships and TMSA 3 Element 13. Reports accepted by IRS, DNV, BV, LR, ABS and major charterer vetting programmes.


Get a Ship-to-Shore Security Assessment That Covers VSAT, LEO and Shore Infrastructure

Codesecure delivers end-to-end ship-to-shore network security assessments covering VSAT, LEO constellations, port WiFi, GSM links, VPN concentrators and fleet management cloud apps. Class-society aligned reports. ISO/IEC 27001:2022 certified.