Maritime cybersecurity is often viewed through the lens of remote attacks; phishing, ransomware, or malware. But a recent incident has highlighted a different and growing threat: physical cyber intrusion directly onboard vessels.
In late 2025, a Raspberry Pi device was discovered connected to a ship’s network. Small, inexpensive, and easy to conceal, the device created a covert backchannel for remote access, credential theft, and network reconnaissance.
For the maritime industry, this is a clear warning. Cyber risk is no longer confined to shore-based systems or external threats, it can exist physically within the vessel network itself.
A New Dimension of Maritime Cyber Threats
This type of incident represents a shift in maritime cyber threats.
Rather than relying solely on remote compromise, attackers are increasingly combining physical access with cyber capability. According to our partner NORMA in their Cyber Annual Threat Assessment 2026, hardware-based attacks and insider-enabled threats are expected to rise, with rogue devices planted onboard vessels becoming a viable attack vector.
These attacks are particularly dangerous because they:
- Bypass traditional perimeter security
- Operate outside standard monitoring tools
- Enable persistent access via alternative connectivity (such as cellular)
This creates a new challenge for ship network security and onboard cyber defence.
Why Vessel Cybersecurity Needs Greater Visibility
Modern vessels rely on increasingly connected IT and OT environments. While this improves efficiency, it also expands the attack surface.
The NORMA report highlights that increased integration between systems introduces new vulnerabilities and raises the potential impact of cyber incidents.
A rogue device on a vessel network could enable:
- Unauthorised access to operational and business systems
- Mapping of onboard infrastructure for future attacks
- Credential harvesting across connected environments
- Long-term, undetected persistence
This reinforces a critical issue in maritime cybersecurity:
Many organisations lack full visibility of what is actually connected to their network.
The Growing Risk of Insider and Physical Attacks
Insider threats and physical access are becoming increasingly important in maritime cyber risk.
The NORMA assessment notes that threat actors are likely to exploit access through crew, contractors, or maintenance personnel to introduce malicious hardware.
Combined with the low cost and accessibility of devices like Raspberry Pi, this creates a scalable and difficult-to-detect method of attack.
In short, cyber threats in the maritime industry are no longer purely digital – they are physical, operational, and hybrid.
Closing the Gap: Why Asset Visibility Matters
At the centre of this challenge is asset visibility.
If organisations cannot see every device connected to their network, they cannot effectively secure it.
This is where solutions like GT Identify support maritime cyber resilience.
GT Identify enables organisations to:
- Build a clear inventory of IT assets across vessel environments
- Detect new or unauthorised devices on the network
- Maintain visibility across complex and evolving infrastructures
- Support faster investigation and response to anomalies
While advanced detection and response capabilities will continue to evolve, visibility is the essential first step in protecting vessel networks.
From Maritime Cyber Awareness to Action
The discovery of a hidden device onboard a vessel is a reminder that maritime cyber risk is immediate, tangible, and evolving.
It is no longer enough to focus solely on external threats. You must consider:
- What is connected to our network?
- Who has physical access to our systems?
- How quickly can we identify anomalies?
Because in today’s threat landscape, the greatest risk may already be inside your network.
If you’d like to learn more about how GT Identify can help, get in touch today.