Assessment 2: Critical Analysis of Maritime Cybersecurity Threats and the Regulatory Framework for Autonomous Vessel Operations

1. Module Context

Shipping accounts for over 80% of global trade by volume, and the sector’s accelerating shift toward digitalisation has created a parallel expansion in its attack surface. In the first half of 2024 alone, the maritime sector recorded 23,400 malware detections and 178 ransomware attacks across 1,800 vessels, resulting in operational standstills and recovery costs running into millions of dollars. More recently, compared to 2024, the number of maritime cyber incidents in 2025 surged by 103%, with Distributed Denial of Service, ransomware, and malware infections accounting for the majority of those attacks.

For students of marine engineering, maritime security, and maritime law, these developments are not abstract. The systems now routinely targeted — Electronic Chart Display and Information Systems (ECDIS), Automatic Identification Systems (AIS), Global Navigation Satellite Systems (GNSS), propulsion control networks, and cargo management platforms — are the operational backbone of modern commercial shipping. In some incidents, as seen with GNSS spoofing in the Black Sea and the Straits of Hormuz, cyber-attacks have degraded operator trust in the accuracy of critical navigational systems, threatening both safe operations and the integrity of maritime traffic management.

The regulatory response to these threats has been significant but remains contested. IMO Resolution MSC.428(98) mandates that cyber risk management be integrated into Safety Management Systems (SMS) under the ISM Code, and the BIMCO cybersecurity guidelines provide industry-level frameworks. Yet as autonomous and semi-autonomous vessels move from pilot projects toward commercial deployment, scholars and practitioners have raised persistent questions about whether those frameworks, built primarily for crewed conventional vessels, are adequate for a maritime environment in which remote operations centres and AI-driven navigation systems are becoming standard.

This assessment requires you to engage with those questions critically — not simply to describe the threat landscape, but to evaluate the extent to which the current regulatory framework closes the gap between the risks that exist and the protections that are mandated.

2. Assessment Task

Write a 2,000–2,500-word critical essay in response to the following question:

Your essay must move beyond catalogue and description. The strongest submissions will stake a defensible position on the central question — adequacy or inadequacy of the regulatory framework — and will use specific, evidence-based analysis of real incidents, technical vulnerabilities, and legal provisions to support it.

3. Learning Outcomes Assessed

1. Identify and critically evaluate the principal cybersecurity threats to maritime operational technology (OT) and information technology (IT) systems, with particular reference to autonomous and digitally connected vessels.
2. Analyse the current international and industry regulatory frameworks governing maritime cybersecurity, including the IMO, ISM Code, BIMCO guidelines, and classification society requirements.
3. Apply risk assessment principles to evaluate the vulnerability of specific maritime systems — ECDIS, AIS, GNSS/GPS, GMDSS, propulsion control — to documented categories of cyber attack.
4. Construct a reasoned, evidence-based argument about the adequacy of existing regulatory instruments, identifying specific gaps and proposing targeted reforms.
5. Communicate technical and regulatory analysis in precise, well-structured academic prose appropriate to the discipline.

4. Task Requirements and Structural Guidance

The essay does not require a rigid section structure, but all of the following elements must be present and integrated into a coherent argument. Weaker submissions typically address each element in isolation; stronger ones weave them together around a central evaluative claim.

4.1 Introduction (approximately 200–300 words)

Frame the significance of maritime cybersecurity in the current operational and regulatory environment. State your central argument (thesis) clearly. Briefly signpost the essay’s structure. Do not reproduce background information that belongs in the analysis sections.

4.2 The Threat Landscape: Key Vulnerabilities in Maritime Systems

Your analysis must address the following categories of threat, using specific documented incidents where possible:

• GNSS spoofing and jamming: Analyse the technical mechanism and documented maritime impacts. Incidents of GPS spoofing targeting civilian ships have surged in geopolitically sensitive regions including the Black Sea and the Persian Gulf, where signals have been manipulated to mislead vessels into territorial waters, triggering legal disputes and insurance claims. You should also engage with the grounding of the MSC Antonia in the Red Sea in May 2025 as a case study where GPS signal interference contributed to a navigational incident. The IMO Maritime Safety Committee addressed GNSS interference through MSC.1/Circ.1644 (2021), and you should evaluate the adequacy of the guidance issued.
• ECDIS and AIS vulnerabilities: Address how tampering with or manipulating electronic chart and vessel identification systems creates cascading risks across traffic management, port state control, and collision avoidance.
• Ransomware and OT system attacks: Examine the category of attacks targeting operational technology systems — propulsion, engine control, cargo handling — and distinguish their risk profile from IT-layer threats. Both traditional and autonomous vessels are vulnerable to cybersecurity breaches through networks connecting various onboard systems, creating potential entry points for malware, ransomware, and unauthorised access, with network vulnerabilities such as weak passwords, outdated software, and unpatched systems exposing ship types to significant cyber threats.
• Autonomous vessel-specific risks: Identify the additional attack vectors introduced by Maritime Autonomous Surface Ships (MASS) — including remote operations centre communications, AI decision-making systems, and sensor fusion architectures — and explain why these differ in kind from the threats facing conventional crewed vessels.

4.3 The Regulatory Framework: Scope, Strengths, and Gaps

• Critically analyse IMO Resolution MSC.428(98) and its requirement that cyber risk management be addressed within SMS documentation under the ISM Code. Evaluate the strength of this instrument: is a non-prescriptive, risk-management-based approach adequate, or does the absence of mandatory technical standards create an unacceptable compliance gap?
• Assess the role of BIMCO’s Cybersecurity Guidelines (current edition) alongside classification society cyber notations from DNV, Lloyd’s Register, and Bureau Veritas. Examine the extent to which these industry instruments complement or substitute for binding IMO regulation.
• Evaluate the application of the NIS2 Directive (EU) to maritime operators, and — for students in North American or UAE contexts — consider equivalent national frameworks (USCG Maritime Cyber Strategy; UAE National Cybersecurity Strategy as it applies to critical maritime infrastructure).
• Address the specific regulatory gap for MASS. The IMO’s Maritime Safety Committee began its Regulatory Scoping Exercise in November 2022 and is working toward a non-mandatory MASS Code by 2025 followed by a mandatory MASS Code in 2028, but these instruments are still under development and the cybersecurity provisions for autonomous operations remain incomplete. You should evaluate the consequences of this timeline gap given the pace of autonomous vessel deployment.

4.4 Human Factors and the Crew-Cyber Interface

• Analyse the role of seafarer competency in cybersecurity outcomes. Simulator studies of GNSS spoofing scenarios found that on average it took cadets and mid-experience navigators 8 minutes after the first manipulation to spot the error, which meant a significant course offset of 1.2 kilometres, whereas senior experienced mariners identified the discrepancy almost instantly. What does this finding imply for STCW competency frameworks?
• Consider how the human element interacts with automated cyber defences in remote operations contexts: does greater automation reduce or displace human-error vulnerability, or does it introduce new forms of complacency and over-reliance on system integrity?
• Address the adequacy of current crew training requirements under STCW for cyber threat identification and response, noting that IMO’s Marine Circular 06/2025 on GPS Spoofing and Cybersecurity specifically recommends training crew to recognise signs of GNSS spoofing and implement manual navigation fallback procedures.

4.5 Recommendations (approximately 250–350 words within the essay body)

Based on your analysis, develop a minimum of three targeted, evidence-grounded recommendations for regulatory or operational reform. These must be specific — general calls for “better training” or “more regulation” are insufficient. Each recommendation should identify who is responsible for implementation (IMO, flag state, shipowner, classification society, or port state), what instrument or mechanism would carry the change, and what outcome would constitute success.

4.6 Conclusion (approximately 200–250 words)

Return to the essay question. Synthesise your key findings into a direct answer. Identify the single most significant gap or failure in the current framework, and explain its consequences if unaddressed.

5. Specific Requirements

1. The essay must be written in continuous academic prose throughout. Bullet points, subheadings, and tables within the essay body are not permitted. These may only appear in any appendices you include, which do not count toward the word limit.
2. A minimum of eight (8) academic or authoritative sources must be cited. At least five (5) must be peer-reviewed journal articles or book chapters published between 2020 and 2025. IMO resolutions, BIMCO guidelines, and classification society documents must be cited correctly but do not count toward this minimum.
3. At least two (2) documented cyber incidents must be discussed with specific factual detail — incident name, vessel or organisation involved, type of attack, and operational consequences. Unspecified references to “recent incidents” will be penalised.
4. Students in UAE, GCC, or Middle Eastern institutions should, where possible, include reference to incidents involving or directly affecting vessel traffic in the Arabian Sea, Persian Gulf, Strait of Hormuz, or Red Sea region, given the documented concentration of GPS spoofing activity in these waters.
5. Students studying in Australia should consider the application of the Australian Cyber Security Centre (ACSC) Critical Infrastructure frameworks to maritime operations where relevant to their argument.
6. Word count must appear on the title page. Submissions outside the 2,000–2,500-word range by more than 10% are subject to penalty in line with university regulations.
7. Title page must include student ID number (not name), module code, module title, essay question or a short working title, word count, and submission date.

6. Marking Rubric and Grading Criteria

Criterion	Weight	High Distinction / Distinction (75%+)	Credit / Merit (60–74%)	Pass (50–59%)	Fail (<50%)
Critical Argument and Analytical Depth Thesis clarity; quality of critical evaluation; evaluative vs. descriptive balance	30%	Sustained original critical argument; clearly evaluates adequacy of framework rather than simply describing it; identifies tensions and contradictions within the regulatory architecture with precision.	Clear thesis with solid critical analysis; some tendency toward description at points; generally evaluative but occasionally loses the critical thread.	Argument present but underdeveloped; predominantly descriptive; limited engagement with whether the framework is adequate or not.	No clear argument; primarily descriptive or incoherent; fails to engage with the core question of regulatory adequacy.
Technical and Regulatory Knowledge Accuracy of technical detail; command of IMO instruments, ISM Code, BIMCO, MASS regulatory timeline	25%	Accurate, detailed command of specific system vulnerabilities (ECDIS, AIS, GNSS, OT layers), IMO instruments, and regulatory architecture; demonstrates reading beyond required module texts.	Sound understanding of the main technical and regulatory issues; minor gaps or occasional inaccuracy in technical detail.	Basic understanding of key issues; limited engagement with specific technical vulnerabilities; over-reliance on general descriptions of cybersecurity threats.	Significant technical errors or mischaracterisation of IMO instruments; unable to distinguish IT from OT threat categories; key regulatory instruments absent or misapplied.
Use of Evidence and Case Studies Quality, specificity, and integration of documented incidents; source range and currency	20%	Excellent, specific use of documented cyber incidents integrated analytically; data attributed to named, reputable sources; minimum source requirements exceeded; sources from 2022–2025 predominate.	Good range of sources; incidents cited with reasonable specificity; mostly well-integrated; minor attribution gaps.	Adequate number of sources but limited specificity in incident analysis; some unattributed data or overly general references to “recent attacks.”	Insufficient sources; incidents described without verifiable detail; minimum requirements not met; over-reliance on non-peer-reviewed web sources.
Recommendations Specificity, feasibility, and grounding of proposed reforms	15%	Three or more specific, targeted recommendations clearly grounded in the essay’s analysis; each identifies responsible actor, proposed mechanism, and measurable outcome.	Adequate recommendations that follow logically from the analysis; some lack specificity regarding actor or mechanism.	Recommendations present but generic; calls for “better training” or “stricter regulation” without specifying how.	Recommendations absent or not connected to the essay’s analysis.
Structure, Clarity, and Referencing Essay organisation; academic register; Harvard/APA 7th accuracy	10%	Logically structured throughout; academic register consistent; referencing correct and complete; IMO documents and grey literature cited accurately.	Generally well-organised; minor referencing inconsistencies; academic register mostly maintained.	Adequate organisation; noticeable referencing errors; some lapses in academic register.	Poorly structured; frequent referencing errors or omissions; non-academic register.

7. Submission Instructions

• Submit via the module Turnitin portal on Blackboard / Canvas / Moodle. File format: Microsoft Word (.docx) or PDF.
• Anonymous marking applies: include your student ID number only — no name on any page.
• Late submissions without an approved extension incur a mark penalty in accordance with university late submission regulations (typically 5 marks per 24-hour period or equivalent reduction).
• Extension requests must be submitted through the university’s mitigating circumstances or extension request process before the deadline. Retrospective requests are not ordinarily approved.

8. Academic Guidance Notes

On the central question of “adequacy”

Many students make the error of simply listing what the framework does — IMO mandates SMS integration, BIMCO provides guidelines, classification societies offer cyber notations — and leaving it there. The question asks whether those provisions are adequate. That requires a judgement: by what standard? Against what threat? For which category of vessel? A strong essay might argue, for instance, that MSC.428(98) is adequate for conventional crewed vessels operating under ISM Code audit cycles, but demonstrably inadequate for MASS vessels given the absence of binding autonomous-specific cybersecurity requirements and the fact that the mandatory MASS Code will not be adopted until 2028. That is a defensible, specific position. Build your argument around a position of that quality.

On distinguishing IT from OT threats

A persistent weakness in student essays on maritime cybersecurity is treating the shipboard threat landscape as uniform. IT threats (email phishing, administrative network breaches, crew device malware) and OT threats (attacks on ECDIS, AIS, propulsion control, power management systems) carry different risk profiles, require different technical countermeasures, and are regulated differently under the ISM Code framework. Your essay should demonstrate this distinction.

On citing incidents

Specific incidents carry analytical weight only if they are cited with verifiable detail. For GNSS spoofing incidents, the Black Sea anomalies of 2017–2019 are extensively documented in the peer-reviewed literature. The MSC Antonia grounding in the Red Sea (May 2025) is referenced in recent industry publications from CYTUR and Smart Maritime Network. The IMO MSC.1/Circ.1644 (2021) is the primary regulatory document acknowledging widespread GNSS interference. Use these as your anchors, not vague references to “several recent incidents.”

Key module resources and primary sources

• IMO Resolution MSC.428(98) — available at imo.org
• IMO MSC.1/Circ.1644 (2021) — Deliberate interference with GNSS — imo.org
• BIMCO Cybersecurity Guidelines (current edition) — bimco.org
• DNV Recommended Practice DNVGL-RP-0496 — Cyber security for ships
• Barbados Maritime Administration Marine Circular 06/2025 — GPS Spoofing and Cybersecurity — barbadosmaritime.org
• CYTUR 2026 Maritime Cyber Threat White Paper — cytur.io

---

---

9. References / Learning Materials

1. Symes, S., Blanco-Davis, E., Graham, T., Wang, J. and Shaw, E. (2024) ‘The survivability of autonomous vessels from cyber-attacks’, Journal of Marine Engineering and Technology, 24(3), pp. 194–216. Available at: https://doi.org/10.1080/20464177.2024.2428022 [Liverpool John Moores University]
2. Androjna, A., Perkovič, M., Pavic, I. and Mišković, J. (2021) ‘AIS data vulnerability indicated by a spoofing case study’, Applied Sciences, 11(11), p. 5015. Available at: https://doi.org/10.3390/app11115015
3. Tam, K. and Jones, K. (2019) ‘MaCRA: a model-based framework for maritime cyber risk assessment’, WMU Journal of Maritime Affairs, 18(1), pp. 129–163. Available at: https://doi.org/10.1007/s13437-019-00162-2
4. Svilicic, B., Kamahara, J., Celic, J. and Bolmsten, J. (2019) ‘Assessing ship cyber risks: a framework and case study of ECDIS security’, WMU Journal of Maritime Affairs, 18(3), pp. 509–520. Available at: https://doi.org/10.1007/s13437-019-00183-x
5. Gülmez, Y. (2025) ‘Enhancing cybersecurity in marine vessels: integrating artificial neural networks with inertial navigation systems for resilience against GPS cyber-attacks’, in Bauk, S. (ed.) Maritime Cybersecurity. Signals and Communication Technology. Cham: Springer, pp. 139–156. Available at: https://doi.org/10.1007/978-3-031-87290-7_9
6. International Maritime Organization (2017) MSC-FAL.1/Circ.3: Guidelines on Maritime Cyber Risk Management. London: IMO. Available at: https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/MSC-FAL.1-Circ.3.pdf

Next Assessment — Assessment 3 (Final Research Report): Due Week 14

Module: Maritime Engineering, Technology and Safety  |  Maritime Security and Risk Management

Title: Human Factors, Seafarer Fatigue, and Maritime Accident Causation: A Case Study Analysis

Length: 3,000–3,500 words

Weighting: 50% of total module mark

Drawing on the technical and regulatory analysis skills developed across Assessments 1 and 2, this final research report requires you to conduct a structured case study analysis of a documented maritime accident in which human factors and crew fatigue played a significant causal or contributory role. You will apply a recognised accident causation model — the Swiss Cheese Model, HFACS (Human Factors Analysis and Classification System), or Bow-Tie analysis — to your chosen incident, and evaluate the adequacy of STCW hours of rest requirements, IMO fatigue management guidance, and flag state oversight mechanisms in preventing recurrence. Suitable case studies include the grounding of the Ever Given in the Suez Canal (March 2021), the collision of the MV Wakashio off Mauritius (July 2020), or — for students with a particular interest in autonomous operations — the navigational anomalies documented in GNSS spoofing simulation exercises conducted with mixed-experience mariner groups. The report must include at least ten peer-reviewed sources, a structured methodology section explaining your choice of accident causation model, and evidence-based recommendations targeting at least two different regulatory levels (international, flag state, or company SMS).