
Port & Maritime OT Security: Protecting Crane Control and Terminal Systems

Trout Team | 7 min read

July 4, 2023: Nagoya Goes Dark

At 6:30 AM on a Tuesday, operators at the Port of Nagoya — Japan's largest port by cargo tonnage, handling 10% of the country's trade — discovered that the NUTS container terminal system was unresponsive. No containers could be loaded or unloaded. No trucks could be dispatched. Every quay crane sat idle.

LockBit ransomware had encrypted the terminal operating system overnight. This attack is part of a broader trend: ransomware targeting manufacturing and industrial sectors surged 49% in 2025.

For three days, Nagoya's container operations stopped completely. Toyota halted parts shipments. Shipping lines diverted vessels. The estimated cost exceeded $100 million when you factor in vessel demurrage, delayed cargo, and the ripple effects across supply chains that depend on just-in-time delivery.

The attack path was straightforward. Attackers compromised IT systems first, then pivoted to the OT network that ran physical operations. The terminal operating system (TOS) — the single piece of software that coordinates vessel planning, yard stowage, crane dispatch, and truck processing — was the bridge between both worlds. Once it was encrypted, everything stopped.

What Would Have Been Different with Segmentation

Nagoya's kill chain followed the same path seen in nearly every port cyberattack:

  1. Initial access through phishing, exposed RDP, or compromised credentials on IT systems
  2. Lateral movement from corporate IT to the TOS network
  3. Pivot from TOS to crane control or SCADA networks — because the TOS must communicate with OT systems for operational coordination
  4. Ransomware deployment across connected systems

The TOS is the bridge between IT and OT. It needs connectivity to both worlds: corporate email and ERP on the IT side, crane PLCs and gate systems on the OT side. This makes the TOS network the most critical segmentation point in any port.

If the TOS had been in its own zero-trust segment — with explicit, authenticated connections to IT on one side and crane PLCs on the other — the ransomware would have hit the IT network and stopped at the boundary. The TOS would have continued operating. The cranes would have kept moving containers. That is the difference between a three-day shutdown and a contained IT incident.
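To make the segmentation argument concrete, here is an added example (not part of the original post, and not Trout's code) that models a hypothetical terminal's hosts and zones and computes the blast radius of a single compromised host under a flat policy and under a zero-trust policy like the one described above. The inventory, zone names, rule format and the modelling assumption that a compromise spreads only over flows carrying remote-management or file-sharing protocols (not over an application-only API flow) are all constructed for illustration.

```python
"""Blast-radius model of a terminal network under a flat vs. a zero-trust policy."""
from collections import deque

# Constructed inventory for a hypothetical terminal (not any real port's network).
# host -> zone
HOSTS = {
    "it-workstation": "IT",
    "erp-server": "IT",
    "tos-app": "TOS",
    "tos-db": "TOS",
    "crane4-hmi": "CRANE-4",
    "crane4-plc": "CRANE-4",
    "crane5-hmi": "CRANE-5",
    "crane5-plc": "CRANE-5",
}

# A policy is a list of (src_zone, dst_zone, lateral) allow rules; "*" matches any zone.
# lateral=True means the rule also permits remote-management / file-sharing protocols,
# the class of flow a spreading compromise needs (a modelling assumption of this example);
# lateral=False permits only the application protocol (e.g. the TOS API).
FLAT_POLICY = [("*", "*", True)]

ZERO_TRUST_POLICY = [
    ("IT", "IT", True),            # corporate IT stays flat internally
    ("IT", "TOS", False),          # business data into the TOS, app protocol only
    ("TOS", "TOS", True),
    ("TOS", "CRANE-4", False),     # work orders to crane control, app protocol only
    ("TOS", "CRANE-5", False),
    ("CRANE-4", "CRANE-4", True),  # each crane is its own micro-segment
    ("CRANE-5", "CRANE-5", True),
]


def flow_allowed(policy, src_zone, dst_zone, lateral):
    """True if some rule permits a flow of this class from src_zone to dst_zone."""
    for src, dst, allow_lateral in policy:
        if src in ("*", src_zone) and dst in ("*", dst_zone):
            if allow_lateral or not lateral:
                return True
    return False


def blast_radius(policy, initial_host):
    """Hosts a compromise of initial_host can reach by spreading over lateral flows."""
    compromised = {initial_host}
    queue = deque([initial_host])
    while queue:
        src = queue.popleft()
        for dst, dst_zone in HOSTS.items():
            if dst in compromised:
                continue
            if flow_allowed(policy, HOSTS[src], dst_zone, lateral=True):
                compromised.add(dst)
                queue.append(dst)
    return compromised


def cross_zone_lateral_rules(policy):
    """Audit helper: rules that let management traffic cross a zone boundary."""
    return [(s, d) for s, d, lat in policy if lat and (s != d or "*" in (s, d))]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("zero-trust", ZERO_TRUST_POLICY)):
        reach = blast_radius(policy, "it-workstation")
        print(f"{name:11s} compromise of it-workstation reaches "
              f"{len(reach)}/{len(HOSTS)} hosts: {sorted(reach)}")
        print(f"{name:11s} cross-zone lateral rules: {cross_zone_lateral_rules(policy)}")
```

Under the flat policy a compromised IT workstation reaches every host, cranes included; under the zero-trust policy it reaches only the other IT host, and a compromised Crane 4 HMI reaches only Crane 4's own PLC. The audit helper is the check a practitioner would run against a real rule set: any cross-zone rule that permits management protocols is a candidate lateral-movement path.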

Nagoya Was Not an Isolated Case

  • DP World Australia (November 2023) — A cyberattack forced DP World to disconnect from the internet, stranding 30,000 containers across four major Australian ports for days.
  • Port of Lisbon (December 2022) — LockBit claimed a ransomware attack on the port authority, exfiltrating financial and operational data.

Every one of these incidents shares the same pattern: attackers compromise IT systems and walk into OT networks that control physical operations. The IT/OT boundary in ports is where security breaks down.

Why Ports Are Uniquely Hard to Secure

Several factors make port OT security harder than typical industrial environments:

  • Multi-vendor, multi-generation equipment — A single terminal may have cranes from three different manufacturers, each with its own control system and remote access requirements
  • Ship crew and pilot connections — Vessels connect to port networks for cargo planning data exchange. Every ship is an untrusted endpoint.
  • Logistics partner integrations — Shipping lines, customs authorities, trucking companies, and freight forwarders all exchange data with the TOS
  • Wireless control networks — RTGs and AGVs use Wi-Fi or private LTE for real-time control, expanding the attack surface
  • Physical access challenges — Port facilities span large areas with multiple entry points, making physical network security difficult
  • 24/7/365 operations — Container operations do not stop for maintenance windows

Port OT Systems: Criticality and Risk Profile

| System | Criticality | Risk Profile | Common Vulnerabilities |
|---|---|---|---|
| Quay cranes (STS) | Critical — vessel operations stop without them | High — PLCs on flat networks, vendor remote access | Unpatched Windows HMIs, no network segmentation |
| RTG cranes | Critical — yard operations halt | High — wireless control links, mobile equipment | Wi-Fi interception, shared credentials for fleet |
| AGVs | Critical in automated terminals | High — real-time control over wireless | Spoofed positioning, unauthorized commands |
| TOS | Critical — all operations depend on it | Very High — connects to IT, OT, and external partners | Large attack surface, database exposure, API vulnerabilities |
| Gate systems | Important — truck processing delays | Medium — external-facing, connected to TOS | OCR systems on Windows, direct internet exposure for customs |
| VTS | Safety-critical — vessel navigation | High — radar and AIS spoofing possible | Legacy systems, limited security controls |
| Port SCADA (electrical) | Critical — powers all equipment | High — standard SCADA vulnerabilities | Legacy protocols, unsegmented networks, remote access |
| Reefer monitoring | Important — cargo value at risk | Medium — IoT sensors on shared networks | Default credentials, unencrypted telemetry |

IMO and NIS2 Requirements

Port operators face requirements from multiple regulatory frameworks:

IMO Maritime Cyber Risk Management (MSC-FAL.1/Circ.3):

  • Identify OT systems and their dependencies
  • Assess risk to safety, operations, and environmental protection
  • Implement protective measures proportionate to risk
  • Detect cyber events and respond effectively

NIS2 Directive (for EU ports classified as essential entities):

  • Risk management measures including network segmentation and access control (Article 21)
  • Incident reporting within 24 hours of detection (Article 23)
  • Supply chain security covering all vendor and partner connections (Article 21(2)(d))
  • Board-level accountability for cybersecurity (Article 20)

IACS UR E26/E27 (for vessels, but affects port connectivity):

  • Ships built after 2024 must meet cyber resilience standards
  • Port-to-ship interfaces must account for vessel cybersecurity requirements

Securing Port Infrastructure Without Disrupting Operations

  1. Segment the TOS — Place the TOS in its own zero-trust segment with explicit, authenticated connections to both IT systems (for business data) and OT systems (for operational commands). No implicit trust between zones.

  2. Isolate each crane network — Every quay crane and RTG should be in its own micro-segment. A compromised HMI on Crane 4 should not be able to reach the control network of Crane 5.

  3. Broker vendor access — Crane manufacturers need remote access for maintenance. Replace persistent VPN tunnels with just-in-time, recorded sessions that are restricted to specific equipment.

  4. Secure wireless control links — Overlay encryption on RTG and AGV wireless networks so that control traffic is authenticated even if the wireless layer is compromised.

  5. Control ship-to-shore data exchange — Place data exchange points in isolated segments with strict protocol filtering. Cargo planning files from vessels should reach the TOS through a controlled gateway, not a direct network connection.
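Step 4 is the one most easily shown in code. The following added example (not from the original post and not Trout's code) implements sequence-numbered, HMAC-authenticated control frames for a wireless crane or AGV link with a per-machine key, so that the receiver rejects tampered, replayed or mis-addressed commands even when the radio layer itself is untrusted. The Dispatcher and Receiver names, the frame layout, the command fields and the keys are all constructed for illustration; a production link would also encrypt the frames (an AEAD or an authenticated tunnel), which this example leaves out to keep the authentication and replay logic in view.

```python
"""Authenticated, replay-protected control frames for a wireless crane/AGV link."""
import hashlib
import hmac
import json
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


class Dispatcher:
    """TOS/dispatch side: seals commands for one specific machine."""

    def __init__(self, machine_id: str, key: bytes):
        self.machine_id = machine_id
        self.key = key   # per-machine key, assumed to be provisioned out of band
        self.seq = 0     # strictly increasing per key; never reused

    def seal(self, command: dict) -> bytes:
        self.seq += 1
        body = json.dumps(
            {"to": self.machine_id, "seq": self.seq, "cmd": command}, sort_keys=True
        ).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constructed wire format: 2-byte big-endian body length | body | 32-byte tag
        return struct.pack(">H", len(body)) + body + tag


class Receiver:
    """Crane/AGV side: accepts only authentic, fresh frames addressed to itself."""

    def __init__(self, machine_id: str, key: bytes):
        self.machine_id = machine_id
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def open(self, frame: bytes) -> dict:
        if len(frame) < 2 + TAG_LEN:
            raise ValueError("truncated frame")
        (n,) = struct.unpack(">H", frame[:2])
        body, tag = frame[2:2 + n], frame[2 + n:]
        # 1. Authenticity first: never parse bytes whose tag has not been checked.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad tag")
        msg = json.loads(body)
        # 2. Addressing: a frame for another machine is dropped even if the key
        #    verifies (defence in depth against fleet-wide shared keys).
        if msg["to"] != self.machine_id:
            raise ValueError("addressed to another machine")
        # 3. Freshness: strictly increasing sequence numbers defeat replay.
        if msg["seq"] <= self.last_seq:
            raise ValueError("replayed or stale sequence")
        self.last_seq = msg["seq"]
        return msg["cmd"]


def _attempt(receiver: Receiver, frame: bytes):
    """Return the accepted command, or the rejection reason as a string."""
    try:
        return receiver.open(frame)
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Exercise the cases a defender cares about; returns the outcome of each."""
    key4, key5 = os.urandom(32), os.urandom(32)  # constructed keys for the example
    tos_to_4, crane4 = Dispatcher("crane-4", key4), Receiver("crane-4", key4)
    tos_to_5 = Dispatcher("crane-5", key5)
    results = {}

    frame = tos_to_4.seal({"op": "hoist", "rows": 3})
    results["legit"] = _attempt(crane4, frame)

    results["replay"] = _attempt(crane4, frame)  # the same frame delivered twice

    tampered = bytearray(frame)
    tampered[10] ^= 0x01  # flip one bit inside the body, length field untouched
    results["tampered"] = _attempt(crane4, bytes(tampered))

    # A frame sealed under crane 5's key cannot be verified by crane 4 at all.
    results["wrong_key"] = _attempt(crane4, tos_to_5.seal({"op": "gantry", "bays": 2}))

    # If keys were (wrongly) shared across the fleet, the address check still holds.
    shared_key_to_5 = Dispatcher("crane-5", key4)
    results["misaddressed"] = _attempt(crane4, shared_key_to_5.seal({"op": "gantry"}))

    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

The order of checks matters: the tag is verified before the body is parsed, so malformed or hostile input never reaches the JSON decoder; the address check gives each micro-segment its own identity even when key hygiene fails; and the monotonic sequence number makes a recorded frame useless the second time it is sent.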

For EU port operators classified as essential entities, NIS2 enforcement is now active across member states, so these measures are also a compliance obligation. Port operators do not have to secure everything at once. Start with the TOS boundary — the point where Nagoya's attack would have been stopped — and work outward. Each step delivers a measurable security improvement and NIS2 compliance evidence. The goal is to make sure the next port attack stops at the IT perimeter instead of shutting down the cranes.


Full NIS2 on-premise compliance guide → /resources/nis2-on-premise