Top 8 Maritime Cyber Risks & How Hard They Hit P&L
September 17, 2025
π Subscribe to the Ship Universe Weekly Newsletter
A single cyber incident can move real money. In shipping, that usually means hours lost, miles added, or invoices diverted. This report focuses on the parts of the P&L that move first: demurrage, off hire, bunker burn, penalties, and premiums. Use the quick formulas to price risk in voyage terms and act before losses compound.
1οΈβ£ Port and terminal ransomware or PCS outages
Bottom-line impact
When gate, yard, crane, or port community systems go down, queues build and schedules slip. Losses appear first as demurrage or off hire, then as extra fuel, missed windows, and penalties. The tighter the rotation, the faster the damage scales.
β Expand playbook
Outage loss per call: price it before you commit
Estimated loss = (berth wait hours Γ demurrage or off hire rate)
+ (catch up hours Γ cost per hour of delay)
+ (reroute miles Γ bunker consumption per nm Γ bunker price)
+ storage or penalty fees
If estimated loss is greater than the cost of an alternate routing or a window swap, change plan. Replace the example numbers with your voyage inputs.
Example A: Short outage with minor reroute
Assumptions: wait 8 h, demurrage or off hire 1,500 USD per hour, catch up 6 h at 1,200 USD per hour, reroute 40 nm, consumption 0.08 t per nm, bunker 650 USD per ton, storage or penalties 8,000 USD.
| Item | Calculation | Cost USD |
|---|---|---|
| Berth wait | 8 h Γ 1,500 | 12,000 |
| Catch up delay | 6 h Γ 1,200 | 7,200 |
| Reroute fuel | 40 nm Γ 0.08 t per nm Γ 650 | 2,080 |
| Storage or penalties | given | 8,000 |
| Estimated loss | 29,280 |
Alternate option: window swap fee 18,000 USD. Since 29,280 is greater than 18,000 choose the swap.
Example B: Full day outage with diversion
Assumptions: wait 24 h, off hire 1,250 USD per hour, catch up 12 h at 1,400 USD per hour, reroute 120 nm, consumption 0.09 t per nm, bunker 650 USD per ton, storage or penalties 25,000 USD.
| Item | Calculation | Cost USD |
|---|---|---|
| Berth wait | 24 h Γ 1,250 | 30,000 |
| Catch up delay | 12 h Γ 1,400 | 16,800 |
| Reroute fuel | 120 nm Γ 0.09 t per nm Γ 650 | 7,020 |
| Storage or penalties | given | 25,000 |
| Estimated loss | 78,820 |
Alternate option: divert to Port B with pilotage 5,500 USD, towage 3,000 USD, berth fee difference 12,000 USD, extra mileage 80 nm Γ 0.09 t per nm Γ 650 = 4,680 USD. Alternate total 25,180 USD. Since 78,820 is greater than 25,180 choose the diversion.
Main impact pathways
- Gate and yard systems offline increase truck turn time and yard dwell, which lengthens berth stays.
- Crane program or TOS disruption reduces moves per hour, which extends berth occupation and stacks queues.
- PCS outage slows customs and releases, which pushes vessels past window commitments.
- Congestion at the first affected hub ripples across the rotation and lifts total voyage time.
Fast KPIs to track
- Berth queue hours and trend by terminal.
- Moves per crane per hour compared to plan.
- Yard dwell time and truck turn time compared to prior week.
- Missed window count and average delay per rotation.
- Demurrage or off hire accrued per affected call.
Data to collect for pricing decisions
- Live queue length and expected time to recovery from the terminal or agent.
- Planned versus achieved crane windows and shift plans.
- Fuel rate at service speed and cost per hour of delay for the voyage.
- Storage and penalty triggers by cargo type and contract.
Controls that reduce loss
- Pre-agreed cyber outage clauses covering manual gate procedures, documentation fallback, and berthing priority.
- Alternate hub routing matrix with pre-cleared pilots, towage, and berths to shorten switch time.
- Standing manual workarounds for cargo ops, including paper releases and pre-generated stowage updates.
- Daily stoplight with terminals on systems health, moves per hour, and recovery timelines shared to planners.
Back of envelope
Recovery fuel = catch up hours Γ service speed fuel rate Γ bunker price.
If recovery fuel plus demurrage is greater than the cost of skipping or swapping the call, change plan.
What to do Monday
- Ask each key terminal for current manual workarounds and expected recovery time if systems fail.
- Pre build alternate rotation options with pilots and towage penciled in for your top trades.
- Set a simple trigger rule for swaps or skips: if queue exceeds a set hour threshold, switch plan.
- Run a one page outage cost template for the next five voyages so planners can decide quickly.
2οΈβ£ Business Email Compromise in RFQs and invoices
Bottom-line impact
Attackers intercept RFQs and invoices and then change bank details or redirect replies. Losses appear as misdirected payments, emergency double payments to keep schedules, and delay costs when suppliers hold release. The first 24 hours decide how much you recover.
β Expand playbook
Payment change rule and loss pricing
Estimated loss = diverted principal not recovered
+ delay hours Γ demurrage or off hire rate
+ storage or penalties
+ bank and FX fees
+ investigation and legal costs
If estimated loss is greater than the cost to use escrow or a split payment or to reissue funds to avoid delay, choose the option that minimizes total loss for the voyage.
Example A: Bunker invoice diverted and partially recovered
Assumptions: bunker invoice 450,000 USD. Payment sent to attacker. To keep schedule, a second payment is sent to the real supplier. Bank recall recovers 60% of the first payment. Delay avoided. Bank wire fees 150 USD total. Investigation and legal 10,000 USD.
| Item | Calculation | Cost USD |
|---|---|---|
| Diverted principal not recovered | 450,000 Γ 40% | 180,000 |
| Delay cost | 0 h Γ rate | 0 |
| Bank and FX fees | given | 150 |
| Investigation and legal | given | 10,000 |
| Estimated loss | 190,150 |
Control comparison: a 60 second call back to the supplier using a known phone number would have cost near zero and avoided the loss. The control pays for itself on the first avoided incident.
Example B: Port charges invoice swap with delay and no recovery
Assumptions: port charges 1,200,000 USD. Payment sent to attacker. Bank recall fails. To release cargo, a second payment is sent to the real account after a 16 hour delay. Off hire 1,400 USD per hour. Storage and penalties 18,000 USD. Two international wires with FX spread 0.5 percent each and wire fees 50 USD each. Investigation and legal 35,000 USD.
| Item | Calculation | Cost USD |
|---|---|---|
| Diverted principal not recovered | given | 1,200,000 |
| Delay cost | 16 h Γ 1,400 | 22,400 |
| Storage and penalties | given | 18,000 |
| FX spread and wire fees | (1,200,000 Γ 0.5%) Γ 2 + 50 Γ 2 | 12,100 |
| Investigation and legal | given | 35,000 |
| Estimated loss | 1,287,500 |
Alternate option: escrow or split payment 50 percent on order and 50 percent on delivery with verified bank details. The added bank fees are minor compared to the loss.
Main impact pathways
- Compromised supplier mailbox adds a forwarding rule that hides the real reply and introduces a new invoice PDF with changed bank details.
- Typosquatted domains capture RFQs and send spoofed quotes with the wrong account number.
- Man in the mailbox attacks alter bank details inside long email threads that look legitimate to busy teams.
- Agent or chandler portals without multifactor access are taken over and used to change settlement instructions.
Fast KPIs to track
- Percent of bank detail changes validated by call back to a known phone number.
- Percent of payments to vendors on a pre approved bank allowlist.
- Time from fraud discovery to bank recall initiation.
- Number of mailbox forwarding rules found and removed during audits.
- Percent of domains with SPF DKIM and DMARC set to reject for your company and key suppliers.
Data to collect for pricing decisions
- List of critical vendors with verified bank accounts and contacts on file.
- Last twelve months of near misses and the control that caught them.
- Bank recall outcomes and average recovery percentages by corridor.
- Template language used to confirm bank details in POs and charterparty addenda.
Controls that reduce loss
- Call back verification for any bank change using numbers already on file. Never trust numbers in the change request.
- Locked beneficiary changes in the bank portal with two person approval and audit logs.
- Pre approved bank allowlists for critical vendors with a cooling period before first payment.
- Split payments or escrow for large invoices where delay risk is high.
- Supplier portal with multifactor access and mandatory re validation of bank details every six months.
- Mailbox rule audits and DMARC policy set to reject to block spoofed senders.
- Finance team micro training focused on bank detail changes and invoice edits.
Back of envelope
Expected annual loss β average critical invoice amount Γ attempts per year Γ probability of change request accepted Γ probability of recall failure.
Control ROI β expected loss avoided β annual cost of verification and portal controls.
What to do Monday
- Turn on two person approval for new beneficiaries and bank changes in your payment system.
- Add a one line instruction to every PO and charterparty appendix that bank details never change by email and require a call back.
- Audit finance and ops mailboxes for auto forward and redirect rules and remove anything not required.
- Create a short vendor bank verification form and store signed copies with known contacts.
- Run a two week pilot of split payments for invoices above a threshold and measure delay reduction and risk reduction.
3οΈβ£ GNSS and AIS spoofing or jamming on key lanes
Bottom-line impact
False positions and signal loss push vessels off planned tracks, force slowdowns, or trigger detours. Money shows up as extra miles and fuel, delay and off hire, escorts, and premium uplifts in higher risk corridors. Treat any navigation anomaly as a cost event and price it in voyage terms.
β Expand playbook
Detour or push through: price the navigation anomaly
Estimated loss = (extra miles Γ bunker consumption per nm Γ bunker price)
+ (delay hours Γ demurrage or off hire rate)
+ escort or routing service fees
+ premium uplift or security surcharge
+ penalties or storage if a window is missed
If the estimated loss from pushing through exceeds the cost of a controlled detour or speed adjustment, change plan. Replace the example numbers with your voyage inputs.
Example A: Spoofing near a narrow strait with minor detour
Assumptions: extra 30 nm to avoid a spoofed track, consumption 0.07 t per nm, bunker 650 USD per ton, loiter 3 h while validating position, off hire 1,300 USD per hour, catch up 2 h at 1,100 USD per hour, missed window penalty 6,000 USD.
| Item | Calculation | Cost USD |
|---|---|---|
| Extra fuel | 30 nm Γ 0.07 t Γ 650 | 1,365 |
| Loiter delay | 3 h Γ 1,300 | 3,900 |
| Catch up hours | 2 h Γ 1,100 | 2,200 |
| Window penalty | given | 6,000 |
| Estimated loss | 13,465 |
If a controlled detour through a verified corridor costs less than 13,465 choose the detour. If the terminal confirms no penalty on arrival, you can remove the 6,000 line and recheck.
Example B: Jamming across a high risk corridor with escort
Assumptions: extra 110 nm to remain in a safe lane, consumption 0.09 t per nm, bunker 650 USD per ton, delay 14 h at 1,400 USD per hour, naval or private escort 18,000 USD, premium uplift 12,000 USD, storage or penalties 15,000 USD.
| Item | Calculation | Cost USD |
|---|---|---|
| Extra fuel | 110 nm Γ 0.09 t Γ 650 | 6,435 |
| Delay cost | 14 h Γ 1,400 | 19,600 |
| Escort or routing service | given | 18,000 |
| Premium uplift or security surcharge | given | 12,000 |
| Storage or penalties | given | 15,000 |
| Estimated loss | 71,035 |
Compare with an alternate plan. If a shorter corridor with verified coverage and no escort adds 60 nm and 8 h, the cost may be lower. Price both options and choose the smaller number.
Main impact pathways
- False tracks trigger off route alarms and require manual fixes, which slows the bridge team and can force speed reduction.
- Loss of valid GNSS forces dead reckoning or radar fixes and increases cross track error, which extends voyage time in traffic separation schemes.
- Suspicious targets on AIS prompt detours or holding patterns that add miles and miss windows.
- Repeat incidents on a lane raise insurance scrutiny and can push premium surcharges on that voyage or trade.
Fast KPIs to track
- Track variance versus plan in nm and minutes.
- GNSS quality indicators and time without valid fix.
- Cross track error average and peaks in constrained waters.
- Number of spoofing or jamming alerts per leg and time to confirm position by alternate means.
- Premium or surcharge deltas for voyages through affected corridors.
Data to collect for pricing decisions
- Fuel consumption per nm at the planned speed and a slower safe speed.
- Off hire or demurrage rate for the voyage and penalty triggers at the next port.
- Known spoofing and jamming zones on the intended route and recent alerts from agents or nav warnings.
- Escort, convoy, or routing service price sheets and availability windows.
Controls that reduce loss
- Multi sensor cross check on the bridge. Use radar ranges and bearings, inertial, log, and visual transits to validate GNSS before acting on alarms.
- Disable auto track follow if position quality drops. Hand steer on verified ranges until a valid fix returns.
- Install multi constellation receivers and anti jam antennas where practical. Use RAIM or equivalent integrity checks.
- Pre plan safe lanes and fallback waypoints through known interference areas. Publish a one page decision rule for detours and escorts.
- Standing communication script to notify operator, agent, and insurer when spoofing or jamming is suspected with time and position stamps.
Back of envelope
Extra fuel cost β extra nm Γ consumption per nm Γ bunker price.
Delay cost β delay hours Γ off hire or demurrage rate.
Choose the path with the lower sum after adding any escort and premium lines.
What to do Monday
- Add a spoofing and jamming row to your voyage plan template with the pricing formula shown here.
- Give bridge teams a one page validation checklist for position loss that lists radar and visual cross checks.
- Ask agents on the next five voyages for current interference reports and convoy or escort options with prices.
- Log all anomalies with time and effect so insurance can price fairly and so you can adjust detour thresholds.
4οΈβ£ Shipboard OT compromise on ECDIS, PLC, engine, or bridge networks
Bottom-line impact
When navigation or control systems are degraded, the vessel slows, drifts, or misses a window. Money shows up as off hire, tug and pilot fees, extra fuel to recover schedule, class and flag survey costs, and unplanned spares and yard time. Treat any OT anomaly as a cost event and price it before choosing the next move.
β Expand playbook
Isolate, slow, or divert: price the OT incident
Estimated loss = (off hire hours Γ rate)
+ tug or pilot assistance
+ (catch up hours Γ cost per hour of delay)
+ (extra miles Γ fuel per nm Γ bunker price)
+ class or flag surveys
+ spares and OEM support
+ yard or berth day
+ penalties or storage
Choose the plan with the lower total after adding safety margins. Replace the example numbers with your voyage inputs.
Example A: ECDIS outage at approach with daylight only entry
Assumptions: ECDIS locked. Paper navigation is available but port requires daylight entry and pilot standby. Delay 10 h at 1,300 USD per hour off hire. Catch up 4 h at 1,100 USD per hour. Pilot standby 3,500 USD. Class condition check 5,000 USD. No extra miles. No storage penalties.
| Item | Calculation | Cost USD |
|---|---|---|
| Off hire | 10 h Γ 1,300 | 13,000 |
| Catch up delay | 4 h Γ 1,100 | 4,400 |
| Pilot standby | given | 3,500 |
| Class check | given | 5,000 |
| Estimated loss | 25,900 |
Alternate option: swap to a later window at 12,000 USD with no pilot standby and no class visit. Since 25,900 is greater than 12,000 choose the swap if cargo and contracts allow.
Example B: Engine control PLC fault with tow to anchorage
Assumptions: propulsion trips and the vessel drifts 4 h at 1,400 USD per hour off hire. Two harbor tugs for 3 h at 3,500 USD per tug per hour. Emergency pilot boarding 2,000 USD. OEM remote plus technician travel and day rate 18,000 USD. Replacement PLC module 12,000 USD. Yard day for reset and tests 15,000 USD. Catch up 10 h at 1,200 USD per hour. No storage penalties.
| Item | Calculation | Cost USD |
|---|---|---|
| Off hire | 4 h Γ 1,400 | 5,600 |
| Tugs | 2 Γ 3 h Γ 3,500 | 21,000 |
| Pilot | given | 2,000 |
| OEM support | given | 18,000 |
| PLC module | given | 12,000 |
| Yard day | given | 15,000 |
| Catch up delay | 10 h Γ 1,200 | 12,000 |
| Estimated loss | 85,600 |
Alternate option: controlled slow steam to a nearby safe port without tugs but with 70 nm extra and 8 h delay. If fuel is 0.08 t per nm at 650 USD per ton the extra fuel is 3,640 USD. Add 8 h Γ 1,200 = 9,600 USD. Total 13,240 USD plus OEM and PLC and yard still required. Compare both totals to choose the smaller number.
Main impact pathways
- Bridge network compromise degrades ECDIS or conning, which forces manual fixes and can delay entry or departure.
- Engine or auxiliary PLC compromise trips propulsion or critical pumps, which leads to drift and tug assistance.
- Malicious configuration changes inflate fuel burn or reduce speed, which raises voyage time and bunker cost.
- Incident findings require class or flag surveys and close out actions, which add yard time and spares.
Fast KPIs to track
- Time to isolate affected network segment and restore minimum safe navigation.
- Success rate and time to load known good images for ECDIS and PLCs.
- Number of unauthorized USB or portable media attempts blocked per month.
- Count of overdue firmware and patch items on OT assets.
- Off hire hours and assistance costs per incident.
Data to collect for pricing decisions
- Current OT asset inventory with model, firmware, and network map.
- Golden images and backups for ECDIS and PLCs with last verified restore date.
- Local price sheets for pilots, tugs, and yard day rates at nearby ports.
- Fuel per nm at safe speed and service speed for catch up calculations.
- Class and flag survey requirements and expected costs for nonconformities.
Controls that reduce loss
- Network segmentation between bridge, engine control, cargo, and corporate networks with one way data diodes where practical.
- Application allow listing and signed updates for OT systems. Disable unused services and ports.
- Read only media policy for ECDIS and OT with scanned update media stored in sealed pouches on board.
- Daily offline backups and quarterly full restore drills to verify images and procedures.
- Pre written isolation and fallback checklists for manual navigation and local control.
- Vendor access through jump server with multifactor and session recording. Remove access when not in use.
Back of envelope
Segmentation and backup program cost per vessel per year compared to one incident.
If annual control cost is 12,000 USD and a single OT incident averages 60,000 USD, break even is one avoided incident every five years per vessel.
What to do Monday
- Print and brief the isolation and fallback checklist for bridge and engine room. Run a 30 minute drill.
- Verify the latest ECDIS and PLC images are on board and perform a test restore on a spare or simulator.
- Walk the OT network map and confirm physical disconnect points and switch labels.
- Set a rule that any vendor remote access requires same day approval and expires automatically.
- Collect current tug, pilot, and yard rates for the next three ports on your rotation to speed decisions.
5οΈβ£ Enterprise IT ransomware hitting liners and logistics
Bottom-line impact
When booking portals, TMS, email, and EDI go down, cargo does not move on paper and ships sail lighter or later. Money shows up as lost yield per TEU, detention and demurrage, truck reschedules, overtime to rekey data, and customer compensation. The first goal is to keep utilization above target and stop D and D from compounding.
β Expand playbook
Keep utilization or cut loss: price the outage
Estimated loss = (lost TEU Γ yield per TEU)
+ detention and demurrage
+ truck and rail reschedule costs
+ manual rekeying labor
+ customer compensation
+ incident response and restore
If the estimated loss from sailing light exceeds the cost of delaying or refeeding via feeders and rail, change plan. Replace the example numbers with your network inputs.
Example A: Booking and EDI outage before gate cut off
Assumptions: outage hits 18 h before cut off. Average booking velocity 120 TEU per hour. Conversion to shipped loads from last day bookings 70 percent. Yield 250 USD per TEU. Overtime to rekey 200 hours at 45 USD per hour. Rehandle and feeder refeed 400 TEU at 85 USD per TEU. Missed window penalty on a subset 6,000 USD is avoided by keeping the rotation. D and D not triggered.
| Item | Calculation | Cost USD |
|---|---|---|
| Lost TEU yield | 18 h Γ 120 TEU Γ 0.70 Γ 250 | 378,000 |
| Overtime to rekey | 200 h Γ 45 | 9,000 |
| Rehandle or feeder refeed | 400 TEU Γ 85 | 34,000 |
| Customer compensation | 150 shipments Γ 60 | 9,000 |
| Estimated loss | 442,500 |
Compare with a one day delay and a controlled gate extension. If the delay keeps utilization and costs less than 442,500 choose the delay and adjust rotation.
Example B: Logistics provider TMS locked for 72 hours
Assumptions: 2,000 boxes in flight. Average D and D 95 USD per day. Trucks rescheduled 600 at 180 USD each. Missed rail cut off storage and rebooking 300 boxes at 75 USD. Manual rekeying 3,500 shipments at 5 minutes each and labor 40 USD per hour. Goodwill credits 400 customers at 50 USD. Incident response and restore 180,000 USD.
| Item | Calculation | Cost USD |
|---|---|---|
| Detention and demurrage | 2,000 Γ 95 Γ 3 days | 570,000 |
| Truck reschedules | 600 Γ 180 | 108,000 |
| Rail storage and rebooking | 300 Γ 75 | 22,500 |
| Manual rekeying labor | 3,500 Γ 5 min Γ· 60 Γ 40 | 11,667 |
| Goodwill credits | 400 Γ 50 | 20,000 |
| Incident response and restore | given | 180,000 |
| Estimated loss | 912,167 |
If a pre contracted work around keeps boxes moving with paper releases and store and forward EDI for 150,000 and cuts D and D by half, the total can fall below 500,000. Price both paths and choose the smaller number.
Main impact pathways
- Booking portal and email outage lowers last day conversion and drives vessels below target utilization.
- EDI failure blocks customs, rail, and terminal messages, which stalls gate moves and stacks containers.
- TMS and WMS downtime breaks truck dispatch and rail bookings, which adds reschedules and storage.
- Shared directory or identity compromise slows restore and widens the blast radius to multiple brands or regions.
Fast KPIs to track
- Booking velocity per hour near cut off and conversion to shipped loads.
- Utilization versus target on departures during the outage period.
- EDI success rate and backlog age in hours.
- D and D accrual per day and number of boxes at risk of triggers.
- Time to first restore for identity, email, TMS, and EDI, and full mean time to recover.
Data to collect for pricing decisions
- Yield per TEU by service and the minimum utilization that protects voyage economics.
- Average last day booking volume and percent that converts to shipped loads.
- D and D tariffs by terminal and free time balances for current boxes.
- Feeder and rail options with rates and lead times for refeed and recovery.
- Incident response cost rates and restore time objectives for identity and core apps.
Controls that reduce loss
- Immutable offline backups for identity and core apps with regular restore drills.
- Multifactor on all privileged accounts and admin isolation from user workstations.
- Endpoint detection and response and application allow listing on servers.
- Network segmentation between booking, TMS, EDI, and file services.
- Store and forward EDI with queueing and paper release playbooks with terminals and customs.
- Pre built manual booking forms and a small standby team trained to rekey from agent lists.
Back of envelope
Lost yield β outage hours Γ booking velocity Γ conversion rate Γ yield per TEU.
D and D β boxes affected Γ daily tariff Γ outage days.
Choose the option that keeps utilization above target and yields the lower sum after adding refeed and restore costs.
What to do Monday
- Confirm you can restore identity and email to a clean island within hours with a tested playbook.
- Stage manual booking and paper release procedures with your top three terminals and customs brokers.
- Set a trigger utilization level that forces a short delay rather than sailing light.
- Pre agree rail and feeder options for recovery and keep current rate sheets on hand.
6οΈβ£ Satcom or VSAT disruption and vulnerabilities
Bottom-line impact
When ship to shore connectivity drops, planning slows and cargo decisions stall. Money shows up as extended port stays, delayed clearances, manual rekey labor, weather routing errors, and higher risk premiums after incidents. Treat any comms outage as a cost event that can be priced and reduced.
β Expand playbook
Degrade, delay, or divert: price the comms outage
Estimated loss = (outage hours Γ cost per hour of degraded ops)
+ manual rekey labor
+ fallback comms cost
+ weather or route inefficiency cost
+ penalties, storage, or off hire
Choose the option with the lower total after adding a safety margin. Replace the example numbers with your voyage inputs.
Example A: Terminal requires digital releases and EDI, VSAT down 9 hours
Assumptions: terminal move plan slowed by manual calls and paper. Degraded ops cost 2,000 USD per hour for 9 hours. Crew rekeys 220 records at 5 minutes each with labor 40 USD per hour. Backup L band messages 320 at 0.90 USD each. Missed gate cut extends berth by 3 hours at 1,500 USD per hour. No storage penalties.
| Item | Calculation | Cost USD |
|---|---|---|
| Degraded ops | 9 h Γ 2,000 | 18,000 |
| Manual rekey labor | 220 Γ 5 min Γ· 60 Γ 40 | 733 |
| Fallback comms | 320 Γ 0.90 | 288 |
| Extended berth | 3 h Γ 1,500 | 4,500 |
| Estimated loss | 23,521 |
If a controlled delay of 6 hours would avoid the berth extension for 9,000 USD in total cost, the delay is cheaper than the 23,521 loss. Price both paths before committing.
Example B: Ocean leg blackout with weather routing blind spot
Assumptions: 20 hours without valid data. Speed kept conservative, adds 70 nm. Consumption 0.085 t per nm. Bunker 650 USD per ton. Off hire impact 6 hours at 1,300 USD per hour. Iridium fallback package 1,200 USD. Post incident survey and logs 4,000 USD. No penalties.
| Item | Calculation | Cost USD |
|---|---|---|
| Extra fuel | 70 nm Γ 0.085 t Γ 650 | 3,868 |
| Off hire | 6 h Γ 1,300 | 7,800 |
| Fallback package | given | 1,200 |
| Survey and admin | given | 4,000 |
| Estimated loss | 16,868 |
If a pre approved slow lane with guaranteed coverage adds 40 nm and 3 hours, price that path. Extra fuel 2,210 USD plus off hire 3,900 USD plus small comms cost may beat 16,868.
Main impact pathways
- Loss of VSAT breaks EDI and customs messages, which delays releases and extends berth time.
- Routing and weather updates arrive late, which increases extra miles and fuel burn.
- Remote OEM support is blocked, which prolongs OT incidents and pushes tug or pilot costs.
- Unpatched modems or weak credentials allow misuse that triggers blacklisting and traffic shaping by providers.
- Antenna blockage, mispoint, or interference reduces link margin and forces expensive fallbacks.
Fast KPIs to track
- VSAT uptime percent and mean time to restore.
- Message backlog age for EDI or customs clearances in hours.
- Bytes delivered for weather and routing packages per day.
- Fallback link activation time and cost per hour during outages.
- Incidents per vessel of modem misconfig or failed authentication.
Data to collect for pricing decisions
- Fuel per nm at service speed and safe speed for route trade offs.
- Demurrage or off hire rate for the current voyage.
- Fallback plans with per message and per megabyte rates for L band or 4G at berth.
- Provider service level targets and historic restore times on the trade.
- List of ports that accept paper fallback and those that do not.
Controls that reduce loss
- Dual path design with auto failover to L band or 4G at berth and a clear rule on which traffic is prioritized.
- Hardened modem configs with multifactor, rotated passwords, closed management ports, and current firmware.
- Pre staged offline weather and routing packs for the next leg kept on the bridge every departure.
- Small text based EDI templates for fallback transmission to agents and terminals.
- Monthly link tests and antenna health checks with logged signal margins and blockage notes.
Back of envelope
Delay cost β outage hours Γ cost per hour of degraded ops or off hire.
Route cost β extra nm Γ consumption per nm Γ bunker price.
Choose the option with the lower sum after adding fallback comms and any penalties.
What to do Monday
- Verify auto failover works on two vessels by pulling VSAT and timing L band cutover.
- Load offline weather packs and routing files for the next leg on all vessels departing this week.
- Rotate modem and portal credentials and close any exposed management interfaces.
- Agree a simple text format with top terminals and agents for paper or low bandwidth releases.
- Create a one page outage pricing sheet using the formulas here so planners can pick the cheapest path quickly.
7οΈβ£ Software and third party or supply chain compromises
Bottom-line impact
A single vendor breach can stall multiple ports, vessels, or offices at once. Money shows up as extra berth hours, off hire, lost utilization, rework, recall and rebuild costs, and emergency vendor fees. Treat any supplier compromise as a network event, not a local issue, and price options before acting.
β Expand playbook
Isolate or switch vendors: price the supplier incident
Estimated loss = (affected sites or vessels Γ outage hours Γ cost per hour)
+ detention, demurrage, or off hire
+ manual rekey labor and rework
+ incident response and rebuild costs
+ penalties, storage, or credits
Choose the lower total after adding the safety and compliance margin. Replace the example numbers with your network inputs.
Example A: Port tech vendor compromise slows a hub terminal
Assumptions: terminal TOS degrades. Planned two cranes at 60 moves per hour combined. Actual 30 moves per hour for 12 hours. Vessel accrues extra berth 12 h at 1,500 USD per hour. Catch up 6 h at 1,100 USD per hour. Storage and penalties 9,000 USD. Manual rekey 150 h at 45 USD per hour.
| Item | Calculation | Cost USD |
|---|---|---|
| Extra berth | 12 h Γ 1,500 | 18,000 |
| Catch up delay | 6 h Γ 1,100 | 6,600 |
| Storage or penalties | given | 9,000 |
| Manual rekey labor | 150 h Γ 45 | 6,750 |
| Estimated loss | 40,350 |
Alternate option: switch to a manual stack plan with extra stevedores and a controlled gate extension. Extra labor 24 h Γ 12 stevedores Γ 60 USD = 17,280 USD. Extra berth falls to 4 h at 1,500 = 6,000 USD. Manual rekey drops to 30 h Γ 45 = 1,350 USD. No penalties. Alternate total 24,630 USD. Choose the smaller number.
Example B: MSP tool compromise triggers emergency fleet patching
Assumptions: 10 vessels require immediate hardening. Engineering overtime 12 h per vessel at 95 USD per hour. Satcom transfer 2 GB per vessel at 50 USD per GB. Two vessels at berth take a 6 h reboot delay at 1,300 USD per hour off hire. OEM support 20 h at 350 USD per hour. Incident response retainer call 28,000 USD.
| Item | Calculation | Cost USD |
|---|---|---|
| Engineering overtime | 10 Γ 12 h Γ 95 | 11,400 |
| Satcom transfers | 10 Γ 2 GB Γ 50 | 1,000 |
| Off hire at berth | 2 Γ 6 h Γ 1,300 | 15,600 |
| OEM support | 20 h Γ 350 | 7,000 |
| Incident response | given | 28,000 |
| Estimated loss | 63,000 |
Staged rollout option at next port calls avoids berth delay. Overtime 11,400 USD. Satcom 1.2 GB per vessel total 600 USD. OEM support 10 h at 350 = 3,500 USD. Incident response 18,000 USD. Alternate total 33,500 USD. Choose the smaller number after risk review.
Main impact pathways
- Managed service provider compromise spreads via remote management tools and disables identity and file services.
- OEM or vendor update packages are tampered, which forces emergency audits and restores across vessels.
- Port tech or TOS outage slows crane moves, which extends berth time and ripples across the rotation.
- Shared credentials or always on vendor access increases blast radius and time to contain.
Fast KPIs to track
- Percent of critical vendors with multifactor on all access and just in time access enabled.
- Mean time to disable vendor credentials across all systems.
- Percent of software with signed updates and verified hashes before install.
- Percent of vessels that can operate with vendor access disabled for 24 hours.
- Restore time to known good images for OT and IT stacks.
Data to collect for pricing decisions
- Vendor inventory with systems touched, credentials used, and ports or vessels affected.
- Service level targets and price sheets for alternate vendors at key terminals and trades.
- Cost per hour of degraded operations and off hire by service or vessel class.
- Incident response and OEM day rates with travel, plus expected patch sizes for satcom planning.
- Contract language for right to audit, code signing, and breach notification timelines.
Controls that reduce loss
- Tier vendors by criticality and require multifactor, device posture checks, and session recording.
- Just in time vendor access that expires by default, with no persistent VPN accounts.
- Signed update validation against vendor hashes and test installs on a staging system before fleet rollout.
- Immutable backups of identity and configuration with quarterly restore drills.
- Alternate vendor or manual workflow playbooks for terminals and OEMs at priority ports.
- Software bill of materials and vulnerability disclosure timelines in contracts.
Back of envelope
Third party outage cost β affected sites Γ outage hours Γ cost per hour + off hire or demurrage + rebuild and IR fees.
Choose isolation or switch plans that yield the lower total after adding safety and compliance checks.
What to do Monday
- Turn off always on vendor tunnels and require just in time approvals with expiry.
- Ask top vendors for current signed hash locations and patch sizes and store them offline on board.
- Pre qualify an alternate terminal workflow and a secondary OEM contact for priority ports.
- Run a one hour tabletop on a vendor compromise and record time to disable all vendor accounts.
- Create a quick sheet with the formulas above so planners can price isolation versus switch within minutes.
8οΈβ£ Data integrity attacks on noon reports, performance baselines, and eBL or manifests
Bottom-line impact
When voyage data or documents are altered, decisions drift and costs rise. Money shows up as extra bunker burn, speed underperformance claims, schedule penalties, storage, and legal or survey fees. Treat any data anomaly as a cost event and price it using clear formulas.
β Expand playbook
Validate or escalate: price the data anomaly
Estimated loss = extra fuel from wrong baselines
+ time lost from speed shortfall Γ off hire or demurrage rate
+ storage or penalties from doc holds
+ audit, survey, and legal costs
+ rework and rekey labor
Choose the option with the lower total after you add recovery steps like re routing, window swaps, or document reissue.
Example A: Noon reports manipulated to mask underperformance
Assumptions: voyage 1,200 nm. Warranted speed 14.5 kn. Actual speed 13.8 kn. Fuel baseline 0.065 t per nm. Actual 0.070 t per nm. Off hire rate 1,300 USD per hour. Forensic audit 6,000 USD. Legal 4,500 USD.
| Item | Calculation | Cost USD |
|---|---|---|
| Extra fuel | (0.070 β 0.065) t per nm Γ 1,200 nm Γ 650 | 3,900 |
| Time lost claim | 1,200 Γ· 13.8 β 1,200 Γ· 14.5 = 4.20 h Γ 1,300 | 5,460 |
| Forensic audit | given | 6,000 |
| Legal and admin | given | 4,500 |
| Estimated loss | 19,860 |
If a short hull clean for 15,000 USD removes the speed gap for the next leg, that can be cheaper than carrying the loss. Price both options before deciding.
Example B: eBL or manifest fields altered and customs hold imposed
Assumptions: 220 containers affected. Customs hold 48 h. Storage 35 USD per container per day. Truck reschedules 90 at 180 USD each. Vessel at berth 6 h at 1,500 USD per hour. Port admin fees 4,000 USD. Correction and verification labor 300 records at 5 min each and 40 USD per hour.
| Item | Calculation | Cost USD |
|---|---|---|
| Storage | 220 Γ 35 Γ 2 days | 15,400 |
| Truck reschedules | 90 Γ 180 | 16,200 |
| Berth time | 6 h Γ 1,500 | 9,000 |
| Port admin fees | given | 4,000 |
| Correction labor | 300 Γ 5 min Γ· 60 Γ 40 | 1,000 |
| Estimated loss | 45,600 |
If a pre approved reissue path with digital signatures costs 6,500 USD and clears in 12 h, choose that option to cut storage and berth time.
Main impact pathways
- Noon report edits inflate headwinds or currents and hide speed shortfalls, which drives claims later.
- Performance model tampering raises expected consumption, which masks fouling and increases bunker bills.
- eBL or manifest field changes trigger customs holds, which add storage and berth time.
- Master data edits in vendor or cargo systems misroute loads and add rework and penalties.
Fast KPIs to track
- Variance between sensor data and reported noon values for speed, wind, and consumption.
- Exceptions per voyage where performance deviates from model by more than a set percent.
- Percent of eBL and manifests signed and verified with tamper evident checks.
- Time to detect and correct a bad data point and time to reissue documents.
- Count and value of claims linked to data quality issues per quarter.
Data to collect for pricing decisions
- Raw sensor feeds for speed through water, wind, current, and fuel flow with timestamps.
- Model version history and baselines with change approval records.
- Charterparty clauses for speed and consumption and the claim calculation template in use.
- Document signing status and reissue procedures at current ports and customs authorities.
Controls that reduce loss
- Dual data path capture: immutable sensor logs stored off vessel and reconciled with noon reports daily.
- Two person approval and digital signatures on model baseline changes with audit trails.
- Automated exception flags for speed and consumption variance with a simple escalation tree.
- Digitally signed eBL and manifests with verification before release and a pre approved reissue path.
- Quarterly claims drill using last voyages to verify math and detect baseline drift.
Back of envelope
Extra fuel cost β nm Γ (actual t per nm β baseline t per nm) Γ bunker price.
Time lost cost β nm Γ (1 Γ· actual kn β 1 Γ· warranted kn) Γ rate per hour.
Document hold cost β boxes Γ daily storage Γ days + berth hours Γ berth rate.
What to do Monday
- Turn on a daily reconciliation that compares noon reports to sensor data and flags outliers.
- Lock performance baselines behind two person approval and record every change with a reason code.
- Adopt a signed template for eBL and manifests and test the reissue process with a single shipment.
- Publish a one page claim math sheet so captains and operators can price speed and consumption deviations quickly.
Maritime cyber risks are no longer abstract scenarios, they directly shape voyage economics, cargo flows, and stakeholder confidence. The eight categories outlined here show that each incident can be priced in clear dollar terms, from lost utilization to extended berth time. By applying simple formulas, tracking a short set of metrics, and investing in targeted controls, shipowners and operators can move from reactive firefighting to proactive cost defense. In todayβs market, cyber resilience is not just a compliance checkbox but a financial safeguard for the bottom line.
