Survey and Future Trends for Cybersecurity in Maritime and Port Sectors: A Discrete Event Systems Perspective

Abstract

With the development and widespread application of information technology, cybersecurity has become a focal point in all industry sectors. The maritime sector is no exception, with both physical and cyber threats. This survey first highlights, from a system engineering and information technology perspective, the specific architectures of on-vessel and in-port systems, as well as the communication equipment connecting them. Subsequently, cyber attacks in maritime and port domains and their potential consequences are described from various angles. Examples of real cases of cyber attacks are also reported. An overview of current key techniques used in vulnerability analysis, attack detection, and security protection is proposed before discussing cybersecurity issues in the maritime and port sectors from the particular perspective of discrete event systems. Various systems used in maritime and port domains are modeled as automata or Petri nets. Some analysis, detection, and protection approaches are then proposed to illustrate the potential of discrete event systems in this domain.

1. Introduction

According to the data from the Review of Maritime Transport 2024 by the United Nations Conference on Trade and Development, released in 2024, maritime transport handles over 80% of the world’s trade volume [1], which demonstrates that the maritime industry is a critical factor in the world economy [2]. Maritime transport relies on an extensive global network of ports and shipping lanes. As the maritime industry undergoes a digital transformation, innovations such as smart shipping [3], automated ports [4], and blockchain technology offer significant opportunities to improve efficiency and reduce costs [5]. The increasing connectivity of equipment, systems, and devices within the maritime environment facilitates accessibility and enhances functionality, leading to more efficient operations. These connected systems include navigational, communication, cargo management, dynamic positioning, terminal management, tracking, logistics, and many others. However, this growing digitalization and connectivity also introduce substantial cybersecurity challenges [6,7,8,9,10,11,12,13,14,15,16,17,18,19].

To effectively address these growing threats, the industry must focus on vulnerability analysis in the maritime and port sectors, improve cyber attack detection capabilities, and establish resilient defense strategies to ensure the safe and secure operation of maritime activities [20,21,22,23,24,25]. System security typically prioritizes three core principles: confidentiality, integrity, and availability (CIA) [26,27]. Confidentiality ensures that the system’s information is accessible only to those with proper authorization. Integrity protects the system from unauthorized alterations or damage while maintaining the accuracy and trustworthiness of the data. Finally, availability guarantees that authorized users can access the system whenever needed, minimizing service interruptions and unnecessary downtime. System vulnerabilities refer to weaknesses or flaws within the design, implementation, or configuration of a system that can be exploited by attackers to gain unauthorized access, disrupt operations, or cause harm [26,28,29,30,31]. These vulnerabilities can exist in software, hardware, or processes, and they pose significant risks to the system’s CIA. Identifying and addressing these vulnerabilities is critical to maintaining robust system security. Vulnerability analysis in the maritime and port sectors involves systematically identifying, assessing, and addressing potential weaknesses within critical infrastructures, systems, and processes that could be exploited by cyber threats or other security risks [4,30,32,33]. This analysis focuses on the various connected devices, communication networks, information systems, and operational technologies used in ports and maritime operations. Key aspects include the following:

• Identifying vulnerabilities: assessing all components, including hardware, software, and network configurations, to identify potential weaknesses that could be targeted by cyber attacks.
• Assessing risk impact: evaluating the potential impact of identified vulnerabilities on the CIA of critical maritime and port systems.
• Prioritizing vulnerabilities: ranking vulnerabilities based on their severity and the likelihood of exploitation, allowing for targeted mitigation efforts.
• Mitigation and protection: implementing security measures, such as patch management, intrusion detection systems, and network segmentation, to reduce the risk of vulnerabilities being exploited.
• Continuous monitoring: regularly updating vulnerability analysis to adapt to new threats and changes in the technology landscape to ensure that the maritime and port sectors remain resilient against evolving cyber risks.

In this survey, the literature was identified through targeted searches in major academic databases, including Scopus, Web of Science, IEEE Xplore, and SpringerLink, covering the period 2005–2025. The search combined keywords such as “discrete event system”, “cybersecurity”, “cyber attack”, “maritime”, and “port”. The initial set of publications was refined by focusing on works that provide conceptual insights, methodological innovations, or representative applications within the maritime and port cybersecurity domains.

This survey distinguishes itself from previous reviews/surveys [4,5,27,34] by focusing specifically on the maritime and port sectors from a system engineering and information technology perspective, in particular by using discrete event system (DES) models [26,35,36,37]. While other reviews may cover broader topics or related industries, this analysis is uniquely tailored to the challenges and developments within these specialized fields. It is aimed at professionals, researchers, and decision-makers who are directly involved in maritime operations, port management, and the use of DES methodologies to enhance efficiency and strategic planning.

The rest of this paper is organized as follows. Section 2 describes the main maritime and port equipment/sites where cyber attacks are likely to occur, from the existence of information transmission and exchange. Section 3 is about cyber attacks and cybersecurity in the maritime and port domains. A classification and several examples of attacks are provided, and the common vulnerabilities and consequences of cyber attacks are also discussed. In Section 4, cybersecurity in the maritime and port domains is studied from a DES perspective. Basic models of vessel traffic management, radar, and port automated guided vehicle systems are described with automata and Petri nets. Section 5 explores DES-based methods for analysis, detection, and protection in cybersecurity contexts. Section 6 outlines the main research challenges and promising directions for future work in the maritime and port domains. Finally, Section 7 concludes the paper.

2. Architectures of On-Vessel and In-Port Communication Systems

When researching cybersecurity issues in the maritime and port sectors, it is essential to thoroughly understand the communication structures between ships, ports, and the various interactions, such as ship-to-ship, ship-to-port, and port-to-port. This knowledge is crucial because the interconnected nature of these systems makes them vulnerable to potential cyber threats. By understanding how these communication systems and operational structures work, stakeholders can better identify security risks, develop effective defense mechanisms, and implement robust cybersecurity strategies to protect the integrity and safety of maritime operations [3,38,39,40].

The maritime infrastructure can be represented by two essential platforms: on-vessel and in-port. The description of each platform, the connections between components, and the relationship between services are presented in Figure 1.

Figure 1. Vessel/port infrastructure.

On the one hand, the primary structures involved in the interaction and communication between ships and ports include the following on-vessel systems.

Navigation systems: These are critical for ensuring safe navigation of the ships. Key components include radar, Global Positioning System (GPS), Automatic Identification System (AIS), Electronic Chart Display and Information System (ECDIS), and an echo sounder.

Communication systems: These are used to communicate with the port, other vessels, and maritime authorities. This includes Very High Frequency (VHF) Radio, Satellite Communication, and Medium/High Frequency (MF/HF) Radio.

Control systems: Systems like Autopilot, Propulsion Control, and Ballast Water Systems are essential for precise maneuvering and maintaining vessel stability when entering or leaving a port.

Identification systems: AIS, ship lights, and horns are used for visual and electronic identification of the vessel.

On the other hand, interactions and communications between systems also include in-port systems.

Port control center: It is the control hub of the port, responsible for overseeing and managing the movement of ships in and out of the port, including berth assignments.

Vessel traffic service: This system monitors and guides vessel movements within the port and surrounding waters, offering navigation assistance and collision prevention.

Berthing facilities: They include mooring buoys and bollards used for the safe docking of ships.

Port communication systems: Ports use various communication methods, including VHF radio, telephone, and email, to coordinate with ships and other stakeholders.

Port security systems: Closed-circuit television surveillance, access control systems, and other security measures ensure the port’s safety.

Finally, the communication between ships and ports includes the following communications:

Berthing and departure notification: Ships notify the port of their estimated time of arrival and request berth assignments. The port confirms and provides specific instructions.

Berthing operations: Continuous communication between the ships and the port vessel traffic service during the approach to and departure from the port, covering docking instructions, tugboat assistance, and other operational details.

Emergency communication: In case of emergencies, ships use VHF, the Global Maritime Distress and Safety System, or other methods to contact the port for assistance or to provide information about incidents.

These structures and systems work together to ensure smooth and safe operations between ships and ports, from navigation to docking, communication, and security.

3. Cyber Attacks in the Maritime and Port Domains

In the maritime and port sectors, cyber attacks can take various forms, each targeting different aspects of operations, communications, and infrastructures. Over the years, various types of cyber attacks have been executed due to numerous security vulnerabilities. In order to discuss cyber attacks in a rigorous way, some key notions are first recalled.

• Cyber incident: A cyber incident is an occurrence that actually or potentially results in adverse consequences to an onboard system, network, and computer or the information that they process, store, or transmit, and which may require a response action to mitigate the consequences (https://www.bimco.org/about-us-and-our-members/publications/the-guidelines-on-cybersecurity-onboard-ships, accessed on 7 July 2025).
• Cyber attack: any type of offensive maneuver that targets Information Technology (IT) and Operational Technology (OT) systems, computer networks, and/or personal computer devices attempting to compromise, destroy, or access company and ship systems and data.
• Confidentiality: Confidentiality of the data represents the use of sensitive and confidential information by authorized personnel only and provides the security mechanisms to maintain the privacy of the data and system.
• Integrity: Integrity refers to the protection of valuable information and data from external and internal actors during daily system use.
• Availability: Availability permits immediate access of authorized personnel to information and data for normal operation or in dangerous situations, providing independence for the company in terms of using its resources.

3.1. Main Types of Cyber Attacks

Table 1 shows the main types of cyber attacks in the maritime and port sectors and also gives some corresponding past real cases. These events represent only the tip of the iceberg; there are multiple similar incidents that have not been mentioned.

Table 1. Main types of cyber attacks and past real cases.

Cyber Attack Types	Descriptions	Impacts	Past Real Cases
Malware Attacks	Involving malicious software like ransomware, viruses, or worms designed to disrupt operations, steal data, or cause damage.	These attacks can lead to system outages, data loss, and operational shutdowns.	In 2017, the global shipping giant Maersk was hit by the “NotPetya” ransomware attack, which crippled its IT systems and disrupted operations at 76 ports worldwide. 1
Phishing	Using deceptive emails or messages to trick employees into revealing sensitive information or downloading malware.	These attacks lead to credential theft, unauthorized access to systems, or the spreading of malware.	In 2020, the Mediterranean Shipping Company (MSC) suffered a phishing attack where employees were tricked into clicking a malicious link from a seemingly legitimate email. 2
Distributed Denial of Service (DDoS) Attacks	Overloading a port or maritime company’s servers with traffic, rendering systems and services unavailable.	These attacks cause significant delays, disrupt operations, and can lead to financial losses.	In 2024, the Port of Antwerp in Belgium was subjected to a DDoS attack that overloaded the port’s operational systems and communication networks, disrupting several operators’ activities. 3
Man-in-the-Middle (MITM) Attacks	Intercepting and possibly altering communications between ships and ports or within a port’s network.	These attacks can lead to miscommunication, incorrect navigation, or unauthorized access to sensitive information.	In 2019, an Iranian port was targeted by an MITM attack, where attackers intercepted and altered communication between ships and the port. This led to ships receiving incorrect docking instructions, resulting in delays and mismanagement of cargo handling. 4
Credential Theft	Stealing login credentials through phishing, brute force attacks, or social engineering.	These attacks allow attackers to access and manipulate sensitive systems, leading to data breaches or operational disruptions.	In 2020, a Danish shipping company faced a credential theft attack. Attackers obtained an employee’s login credentials and used them to access internal systems, altering shipping schedules and causing an incident that disrupted operations. 5
Supply Chain Attacks	Targeting third-party suppliers of maritime systems or services to compromise the end-user systems.	These attacks can introduce vulnerabilities into navigation systems, cargo management, or other critical infrastructure.	In 2020, a navigation software supplier for several U.S. shipping companies was compromised in a supply chain attack. Hackers implanted malicious code into a software update, which then disrupted the navigation systems of multiple vessels, affecting their voyages. 6
GPS Spoofing (GNSS Spoofing/AIS Spoofing)	Sending false GPS signals to mislead ships about their actual location.	These attacks cause navigation errors, potentially leading to collisions or grounding.	In 2017, vessels operating in the Black Sea reported GPS anomalies, with their navigation systems displaying incorrect locations. This was believed to be a targeted GPS spoofing attack, potentially intended to disrupt maritime traffic in the area. 7
Advanced Persistent Threats (APT)	Long-term, targeted attacks often carried out by state-sponsored actors, focusing on stealth and persistence to gather intelligence or cause disruption.	These attacks can severely compromise national security, disrupt critical infrastructure, and cause significant financial damage.	In 2020, Iranian port systems were targeted by an APT attack, believed to be orchestrated by a state-sponsored group from Israel. This attack paralyzed operations at several Iranian ports, causing massive cargo backlogs and significantly impacting Iran’s maritime trade. 8

¹ https://www.lrqa.com/en/insights/articles/notpetya-ransomware-attack-on-maersk-key-learnings/ (accessed on 7 July 2025); ² https://channel16.dryadglobal.com/maritime-cyber-security-threats-2020-week-3? (accessed on 7 July 2025); ³ https://itdaily.com/news/security/cyberaanval-op-belgische-havens-en-gemeenten/ (accessed on 7 July 2025); ⁴ https://zendata.security/2025/08/26/hackers-knock-out-iranian-ship-communications-in-major-cyberattack/ (accessed on 7 July 2025); ⁵ https://www.cfcs.dk/globalassets/cfcs/dokumenter/trusselsvurderinger/en/cfcs-cyber-threat-danish-maritime-industry-and-ports-.pdf (accessed on 7 July 2025); ⁶ https://industrialcyber.co/transport/hacktivists-nation-state-hackers-target-global-maritime-infrastructure-as-cyberattacks-gps-spoofing-surge/ (accessed on 7 July 2025); ⁷ https://maritime-executive.com/editorials/mass-gps-spoofing-attack-in-black-sea (accessed on 8 July 2025); ⁸ https://kiledjian.com/2024/09/09/iranian-cyber-apt-groups-a.html? (accessed on 8 July 2025).

There are many infrastructure devices and services in the maritime and port sector that are threatened and which can be vulnerable to cyber attacks. Based on the analysis of past real-world attack cases, the following are identified as the most susceptible to such threats:

• AIS: Since 2002, AIS has been mandatory for all passenger and sea-going vessels with 300 gross tonnage or more. It is a tool for vessel safety, collision avoidance, and ship monitoring, providing vessel information and status. Course, speed, and position are some of the information displayed in the AIS for the safety and security of vessel operations. However, the exposure of the AIS, concerning connectivity and information providers, represents a high risk for vessel operations. If the AIS is attacked, the consequences in terms of communication interconnectivity with ship-to-ship, ship-to-shore, and shore-to-ship can be significant. Furthermore, it has been proven that the AIS does not have the necessary security measures integrated, exposing it to cyber attacks. For example, it is possible to deactivate and manipulate the AIS information to create a false collision or SAR alert.
  There exist several cases of AIS attacks [41,42,43,44,45,46,47,48,49,50,51].
  In a series of events in 2017, numerous vessels in the Black Sea reported their GPS positions being spoofed, causing them to display incorrect locations. Some ships showed their locations as being on land, while others appeared to be far from their actual positions. This raised concerns about the vulnerability of both GPS and AIS systems to cyber attacks and manipulation (https://maritime-executive.com/editorials/mass-gps-spoofing-attack-in-black-sea (accessed on 23 July 2025)). In particular, in 2017, the British Royal Navy’s destroyer HMS Defender was reportedly involved in an AIS spoofing incident while navigating near Crimea, in the Black Sea (https://www.euronews.com/next/2021/06/28/hms-defender-ais-spoofing-is-opening-up-a-new-front-in-the-war-on-reality (accessed on 23 July 2025)). In 2019 and 2020, there were reports of “phantom fleets” in the South China Sea and off the coast of South America. AIS data indicated the presence of fleets of ships that did not actually exist, likely created through spoofing. These ghost ships were used to mask illegal fishing operations or the movement of sanctioned oil cargoes, highlighting how AIS manipulation could facilitate illicit activities.
• Navigation systems: by emitting false or misleading signals that overlap with the ship’s true position or indicating fake emergencies. This risk is increased by the growing reliance on technologies that control navigation, cargoes, etc., and by systems such as dynamic positioning, ship-to-shore interfaces, propulsion controls, cargo valve actuators, and passenger-boarding systems.
  There exist several cases of navigation system attacks [52]. In 2013, the University of Texas demonstrated the possibility of attacking the navigation systems by taking control of a yacht by spoofing its GPS (https://newatlas.com/gps-spoofing-yacht-control/28644/, accessed 25 July 2025). In 2014 and 2017, ships were fooled in a GPS spoofing attack, suggesting a Russian cyberweapon (https://maritime-executive.com/editorials/mass-gps-spoofing-attack-in-black-sea, accessed on 25 July 2025, https://www.newscientist.com/article/2143499-ships-fooled-in-gps-spoofing-attack-suggest-russian-cyberweapon/, accessed on 25 July 2025). In 2016, cyber threats prompted the return of radio for ship navigation (https://www.reuters.com/article/us-shipping-gpscyber-idUSKBN1AN0HT/, accessed on 25 July 2025). In February 2017, hackers reportedly took control of the navigation systems of a German-owned 8250 TEU container vessel en route from Cyprus to Djibouti for hours (https://rntfnd.org/2017/11/25/hackers-took-full-control-of-container-ships-navigation-systems-for-10-hours-ihs-fairplay/, accessed on 25 July 2025).

Attacks also affect vessel communication systems (https://www.spglobal.com/commodityinsights/en/market-insights/latest-news/shipping/101317-shipping-bw-groups-computer-systems-hacked-steps-up-cybersecurity, accessed on 25 July 2025, https://psabdp.com/, accessed on 25 July 2025), shipping company sytems, and systems for loading and unloading cargo. Such systems are one of the targets of attacks because they are the key to the good functioning and coordination of the loading and unloading operations of the ships and the compliance of their respective lines in time. Examples of such attacks are manipulation and sabotage; falsification; piracy and robbery; destruction; and alteration and deviation.

3.2. Literature Review on Cybersecurity in Maritime and Port Sectors

With the wide and rapid development of numerical solutions in communications, networked systems, and cyber–physical devices during the last three decades, cybersecurity has become a critical issue in many domains, including the maritime and port sectors. There also exists an exponential increase in the number of scientific papers including survey papers, about cybersecurity in maritime and port domains. Figure 2 illustrates these statistics based on ResearchGate, MDPI, Elsevier, and Cambridge databases. Table 2 and Table 3 sum up the survey papers that have been considered for this study.

Figure 2. Literature about cybersecurity in maritime and port domains.

3.3. Consequences of Cyber Attacks and Cybersecurity Mitigation Guidelines

Cyber attacks in the maritime and port sectors can have extensive and severe impacts, particularly in terms of safety, environmental damage, and economic disruption [53]. Below is a detailed exploration of these potential consequences:

• Safety impact: Cyber attacks pose significant threats to safety in the maritime and port industries. Modern ships and ports rely heavily on automated and digital systems, such as navigation, communication, and cargo management systems. If these systems are compromised by hackers, it could result in vessels losing control, navigating incorrectly, or even colliding with other ships, endangering the lives of crew and passengers.
  For example, in 2017, the global shipping giant Maersk was hit by the NotPetya cyber attack. This attack crippled their IT systems, causing severe disruptions in their ability to operate and schedule vessels, thereby affecting the global shipping network’s safety. While no direct collisions were reported, the incident exposed vulnerabilities that could lead to serious safety risks.
• Environmental impact: Cyber attacks can lead to catastrophic environmental disasters, especially when hazardous materials are involved. If attackers gain control of a ship’s navigation or control systems, they could cause the vessel to run aground or collide in environmentally sensitive areas, leading to oil spills, chemical leaks, and other environmental catastrophes.
  For example, in 2010, the Stuxnet worm, although primarily targeting nuclear facilities, demonstrated the potential for widespread damage if similar attacks were directed at maritime operations. In particular, a cyber attack on a vessel carrying hazardous chemicals could result in the ship grounding in a fragile marine ecosystem, causing significant environmental harm.
• Economic impact: The economic impact of cyber attacks on maritime and port operations can be devastating. Ports and shipping companies are critical nodes in global trade, and a cyber attack could lead to cargo delays, supply chain disruptions, and substantial financial losses. Additionally, the cost of restoring compromised systems and addressing security vulnerabilities can be significant.
  For example, in 2020, CMA CGM Group suffered a ransomware attack that disrupted its online systems, preventing customers from booking cargo shipments and severely interrupting the logistics chain. This incident not only resulted in direct financial losses for CMA CGM but also affected the stability of global supply chains, highlighting the far-reaching economic impact of cyber attacks.

In summary, the potential impacts of cyber attacks in the maritime and port sectors are profound and far-reaching. Safety hazards, environmental risks, and economic losses are the primary dimensions of these impacts. To mitigate these threats, the maritime and port industries must strengthen their cybersecurity defenses, develop robust incident response plans, and continuously monitor and update their security systems to reduce the likelihood and severity of cyber attack-related consequences.

Table 2. Survey papers on cybersecurity in maritime and port sectors-1.

Ref.	Year	Title	Comments
[4]	2025	Port resilience: a systematic literature review	This paper systematically reviews research on port resilience, examining definitions, frameworks, and key influencing factors. It identifies gaps such as fragmented approaches and limited empirical studies and proposes directions for future research to enhance port resilience.
[34]	2024	Maritime autonomous surface ships: a review of cybersecurity challenges, countermeasures, and future perspectives	This paper reviews cybersecurity threats and defenses for maritime autonomous surface ships, highlighting AIS/GPS vulnerabilities and proposing multi-layer protections integrating IMO frameworks. It explores AI, blockchain, and behavior analytics to enhance maritime autonomous surface ship resilience.
[5]	2024	Blockchain implementation in the maritime industry: a literature review and synthesis analysis of benefits and challenges	This paper reviews blockchain applications in maritime logistics, highlighting its potential to improve transparency, traceability, and efficiency, while addressing challenges in standardization, scalability, and regulatory compliance, and exploring integration with IoT and AI.
[27]	2024	Maritime cybersecurity: A comprehensive review	A comprehensive survey of maritime cybersecurity, analyzing threats, incidents, countermeasures, and challenges across vessels, ports, and the global maritime supply chain to guide resilience and future research.
[54]	2024	Port cyber attacks from 2011 to 2023: a literature review and discussion of selected cases	This paper analyzes 15 cases showing that ransomware and disruption are the main motives. Weak procedures and low awareness increase risks, while timely detection, collaboration, and comprehensive disaster plans are crucial for resilience.
[55]	2023	Cyber-seaworthiness: a critical review of the literature	It reviews maritime cyber risks and policy frameworks, introducing the concept of “cyber-seaworthiness” to address rising threats from digitization and autonomous ships and to guide future industry, legal, and policy developments.
[56]	2023	Maritime cybersecurity threats: gaps and directions for future research	It examines maritime cybersecurity, identifying major research gaps, policy needs, and priorities, including the lack of real-time attack data, limited economic impact studies, inadequate professional training, and insufficient legal frameworks.
[57]	2023	Literature review on maritime cybersecurity: state-of-the-art	It reviews maritime cybersecurity research, noting current work is mostly conceptual and qualitative. It calls for quantitative methods and interdisciplinary collaboration to address complex cyber attacks and strengthen industry resilience.
[58]	2023	A survey on cybersecurity threats in the IoT-enabled maritime industry	This paper reviews the applications of IoT in the maritime industry and the major cybersecurity threats it faces, including attack types, vulnerabilities, and potential impacts. It also discusses the limitations of existing protection measures and suggests directions for future research and improvement.
[59]	2022	Cybersecurity challenges in the maritime sector	The paper maps key cybersecurity challenges in the maritime sector, but its analysis is mostly descriptive, lacking quantitative depth and concrete mitigation strategies. It usefully outlines vulnerabilities and gaps, yet more empirical and actionable research is needed.
[60]	2022	Developments and research directions in maritime cybersecurity: a systematic literature review and bibliometric analysis	The paper analyzes cybersecurity risks in the maritime industry’s digital transformation and highlights vulnerabilities in shipping and ports. It calls for stronger defenses through policies, technology, and training.
[61]	2022	Digital transformation of the maritime industry: a cybersecurity systemic approach	The paper proposes a systemic approach to maritime cybersecurity, stressing coordination across technology, organization, and policy. It argues that only a holistic governance framework can handle the evolving threat landscape.
[62]	2022	Review of ship information security risks and safety of maritime transportation issues	The paper reviews ship information security risks under digitalization, highlighting system vulnerabilities and cargo threats. It proposes risk assessment methods and stresses multilayered cyber resilience.
[39]	2022	Cyber security in the maritime industry: a systematic survey of recent advances and future trends	The paper outlines key cybersecurity challenges in maritime, stressing vulnerabilities in critical systems. It calls for regulation, technology, and training to strengthen defense.
[63]	2021	Maritime cybersecurity: a global challenge tackled through distinct regional approaches	This paper discusses maritime cybersecurity as a global challenge, analyzing IMO initiatives and regional responses in Europe and Asia. It highlights international cooperation and harmonized standards as key to strengthening overall industry cybersecurity.

Table 2. Survey papers on cybersecurity in maritime and port sectors-1.

Ref.	Year	Title	Comments
[4]	2025	Port resilience: a systematic literature review	This paper systematically reviews research on port resilience, examining definitions, frameworks, and key influencing factors. It identifies gaps such as fragmented approaches and limited empirical studies and proposes directions for future research to enhance port resilience.
[34]	2024	Maritime autonomous surface ships: a review of cybersecurity challenges, countermeasures, and future perspectives	This paper reviews cybersecurity threats and defenses for maritime autonomous surface ships, highlighting AIS/GPS vulnerabilities and proposing multi-layer protections integrating IMO frameworks. It explores AI, blockchain, and behavior analytics to enhance maritime autonomous surface ship resilience.
[5]	2024	Blockchain implementation in the maritime industry: a literature review and synthesis analysis of benefits and challenges	This paper reviews blockchain applications in maritime logistics, highlighting its potential to improve transparency, traceability, and efficiency, while addressing challenges in standardization, scalability, and regulatory compliance, and exploring integration with IoT and AI.
[27]	2024	Maritime cybersecurity: A comprehensive review	A comprehensive survey of maritime cybersecurity, analyzing threats, incidents, countermeasures, and challenges across vessels, ports, and the global maritime supply chain to guide resilience and future research.
[54]	2024	Port cyber attacks from 2011 to 2023: a literature review and discussion of selected cases	This paper analyzes 15 cases showing that ransomware and disruption are the main motives. Weak procedures and low awareness increase risks, while timely detection, collaboration, and comprehensive disaster plans are crucial for resilience.
[55]	2023	Cyber-seaworthiness: a critical review of the literature	It reviews maritime cyber risks and policy frameworks, introducing the concept of “cyber-seaworthiness” to address rising threats from digitization and autonomous ships and to guide future industry, legal, and policy developments.
[56]	2023	Maritime cybersecurity threats: gaps and directions for future research	It examines maritime cybersecurity, identifying major research gaps, policy needs, and priorities, including the lack of real-time attack data, limited economic impact studies, inadequate professional training, and insufficient legal frameworks.
[57]	2023	Literature review on maritime cybersecurity: state-of-the-art	It reviews maritime cybersecurity research, noting current work is mostly conceptual and qualitative. It calls for quantitative methods and interdisciplinary collaboration to address complex cyber attacks and strengthen industry resilience.
[58]	2023	A survey on cybersecurity threats in the IoT-enabled maritime industry	This paper reviews the applications of IoT in the maritime industry and the major cybersecurity threats it faces, including attack types, vulnerabilities, and potential impacts. It also discusses the limitations of existing protection measures and suggests directions for future research and improvement.
[59]	2022	Cybersecurity challenges in the maritime sector	The paper maps key cybersecurity challenges in the maritime sector, but its analysis is mostly descriptive, lacking quantitative depth and concrete mitigation strategies. It usefully outlines vulnerabilities and gaps, yet more empirical and actionable research is needed.
[60]	2022	Developments and research directions in maritime cybersecurity: a systematic literature review and bibliometric analysis	The paper analyzes cybersecurity risks in the maritime industry’s digital transformation and highlights vulnerabilities in shipping and ports. It calls for stronger defenses through policies, technology, and training.
[61]	2022	Digital transformation of the maritime industry: a cybersecurity systemic approach	The paper proposes a systemic approach to maritime cybersecurity, stressing coordination across technology, organization, and policy. It argues that only a holistic governance framework can handle the evolving threat landscape.
[62]	2022	Review of ship information security risks and safety of maritime transportation issues	The paper reviews ship information security risks under digitalization, highlighting system vulnerabilities and cargo threats. It proposes risk assessment methods and stresses multilayered cyber resilience.
[39]	2022	Cyber security in the maritime industry: a systematic survey of recent advances and future trends	The paper outlines key cybersecurity challenges in maritime, stressing vulnerabilities in critical systems. It calls for regulation, technology, and training to strengthen defense.
[63]	2021	Maritime cybersecurity: a global challenge tackled through distinct regional approaches	This paper discusses maritime cybersecurity as a global challenge, analyzing IMO initiatives and regional responses in Europe and Asia. It highlights international cooperation and harmonized standards as key to strengthening overall industry cybersecurity.

Table 3. Survey papers on cybersecurity in maritime and port sectors-2.

Ref.	Year	Title	Comments
[3]	2020	Internet of ships: a survey on architectures, emerging applications, and challenges	This paper surveys the architectures, key technologies, and emerging applications of the Internet of Ships, highlighting its roles in smart shipping, port management, and maritime safety. It also identifies major challenges such as standardization, security, data processing, and cross-domain integration.
[2]	2020	Innovation and maritime transport: a systematic review	This paper reviews innovation research in maritime transport, summarizing types of innovation, driving factors, and their impact on the industry. It also points out that existing studies are fragmented and lack empirical evidence and proposes future research directions.
[64]	2019	Cybersecurity in the maritime industry: a literature review	This paper reviews maritime cybersecurity, highlighting incidents and key threats such as poor training, outdated IT, hacker targeting, and phishing. It proposes countermeasures including cybersecurity processes, training, system upgrades, and a stronger security culture.
[65]	2019	Evaluating cybersecurity risks in the maritime industry: a literature review	This paper surveys maritime cybersecurity, identifying key threats including lack of training and experts, outdated systems, and hacker targeting, and proposing mitigation strategies such as process development, training, regular system updates, and fostering a cybersecurity culture.
[66]	2018	Cyber attacks on ships: a wicked problem approach	This paper analyzes cyber attacks on ships as a “wicked problem,” emphasizing their complexity, unpredictability, and severe consequences for safety and operations. It highlights the urgent need for holistic, adaptive approaches to improve maritime cybersecurity resilience.
[67]	2018	Models and computational algorithms for maritime risk analysis: a review	This paper reviews models and computational algorithms for maritime risk analysis, covering probabilistic, simulation-based, and data-driven approaches. It identifies strengths and limitations of existing methods and suggests future research directions for improving maritime safety and decision-making.
[68]	2018	The global maritime industry remains unprepared for future cybersecurity challenges	This paper finds the maritime industry highly vulnerable to cyber attacks due to digital reliance, outdated systems, and weak preparedness. It stresses fast-growing threats, slow regulations, and the urgent need for stronger defenses, especially for autonomous vessels.
[69]	2017	Review on cybersecurity risk assessment and evaluation and their approaches to maritime transportation	This paper reviews cybersecurity risk assessment and evaluation approaches in maritime transportation, analyzing methods such as qualitative, quantitative, and hybrid models. It also highlights their limitations and emphasizes the need for more effective frameworks tailored to the maritime sector.
[70]	2016	Safety-critical maritime infrastructure systems resilience: a critical review	This paper analyzes safety-critical maritime infrastructure systems, focusing on their operations, risks, resilience, regulations, and lessons from past incidents to enhance safety and operational resilience.
[25]	2016	Threats and impacts in maritime cybersecurity	This paper analyzes cyber threats to maritime navigation, propulsion, and cargo systems, emphasizing vulnerabilities from outdated technologies. It illustrates attack scenarios and calls for stronger security design, crew training, and resilience.
[71]	2016	Maritime security: an introduction (book)	This book introduces maritime security across ports, vessels, and cargo supply chains, addressing threats like piracy, terrorism, smuggling, and cyber attacks. It also outlines legal frameworks and response strategies for industry and government.
[72]	2015	Challenges in maritime cyber-resilience	This paper discusses challenges in achieving maritime cyber-resilience, focusing on vulnerabilities in ships, ports, and supply chains. It emphasizes gaps in awareness, regulation, and preparedness, and calls for stronger collaboration, governance, and adaptive defense strategies.
[73]	2008	Port and maritime security: a research perspective	This paper reviews port and maritime security from a research perspective, analyzing existing measures, vulnerabilities, and challenges. It highlights the need for integrated frameworks, better risk assessment methods, and closer cooperation among stakeholders to address evolving threats.
[74]	2008	Security and risk-based models in shipping and ports: review and critical analysis	This paper reviews security and risk-based models in shipping and ports, examining their methodologies, applications, and limitations.

Table 3. Survey papers on cybersecurity in maritime and port sectors-2.

Ref.	Year	Title	Comments
[3]	2020	Internet of ships: a survey on architectures, emerging applications, and challenges	This paper surveys the architectures, key technologies, and emerging applications of the Internet of Ships, highlighting its roles in smart shipping, port management, and maritime safety. It also identifies major challenges such as standardization, security, data processing, and cross-domain integration.
[2]	2020	Innovation and maritime transport: a systematic review	This paper reviews innovation research in maritime transport, summarizing types of innovation, driving factors, and their impact on the industry. It also points out that existing studies are fragmented and lack empirical evidence and proposes future research directions.
[64]	2019	Cybersecurity in the maritime industry: a literature review	This paper reviews maritime cybersecurity, highlighting incidents and key threats such as poor training, outdated IT, hacker targeting, and phishing. It proposes countermeasures including cybersecurity processes, training, system upgrades, and a stronger security culture.
[65]	2019	Evaluating cybersecurity risks in the maritime industry: a literature review	This paper surveys maritime cybersecurity, identifying key threats including lack of training and experts, outdated systems, and hacker targeting, and proposing mitigation strategies such as process development, training, regular system updates, and fostering a cybersecurity culture.
[66]	2018	Cyber attacks on ships: a wicked problem approach	This paper analyzes cyber attacks on ships as a “wicked problem,” emphasizing their complexity, unpredictability, and severe consequences for safety and operations. It highlights the urgent need for holistic, adaptive approaches to improve maritime cybersecurity resilience.
[67]	2018	Models and computational algorithms for maritime risk analysis: a review	This paper reviews models and computational algorithms for maritime risk analysis, covering probabilistic, simulation-based, and data-driven approaches. It identifies strengths and limitations of existing methods and suggests future research directions for improving maritime safety and decision-making.
[68]	2018	The global maritime industry remains unprepared for future cybersecurity challenges	This paper finds the maritime industry highly vulnerable to cyber attacks due to digital reliance, outdated systems, and weak preparedness. It stresses fast-growing threats, slow regulations, and the urgent need for stronger defenses, especially for autonomous vessels.
[69]	2017	Review on cybersecurity risk assessment and evaluation and their approaches to maritime transportation	This paper reviews cybersecurity risk assessment and evaluation approaches in maritime transportation, analyzing methods such as qualitative, quantitative, and hybrid models. It also highlights their limitations and emphasizes the need for more effective frameworks tailored to the maritime sector.
[70]	2016	Safety-critical maritime infrastructure systems resilience: a critical review	This paper analyzes safety-critical maritime infrastructure systems, focusing on their operations, risks, resilience, regulations, and lessons from past incidents to enhance safety and operational resilience.
[25]	2016	Threats and impacts in maritime cybersecurity	This paper analyzes cyber threats to maritime navigation, propulsion, and cargo systems, emphasizing vulnerabilities from outdated technologies. It illustrates attack scenarios and calls for stronger security design, crew training, and resilience.
[71]	2016	Maritime security: an introduction (book)	This book introduces maritime security across ports, vessels, and cargo supply chains, addressing threats like piracy, terrorism, smuggling, and cyber attacks. It also outlines legal frameworks and response strategies for industry and government.
[72]	2015	Challenges in maritime cyber-resilience	This paper discusses challenges in achieving maritime cyber-resilience, focusing on vulnerabilities in ships, ports, and supply chains. It emphasizes gaps in awareness, regulation, and preparedness, and calls for stronger collaboration, governance, and adaptive defense strategies.
[73]	2008	Port and maritime security: a research perspective	This paper reviews port and maritime security from a research perspective, analyzing existing measures, vulnerabilities, and challenges. It highlights the need for integrated frameworks, better risk assessment methods, and closer cooperation among stakeholders to address evolving threats.
[74]	2008	Security and risk-based models in shipping and ports: review and critical analysis	This paper reviews security and risk-based models in shipping and ports, examining their methodologies, applications, and limitations.

In this section, some key cybersecurity mitigation guidelines and the authoritative organizations that provide them are given. These guidelines offer significant perspectives on cybersecurity, focusing not on technical and procedural details but rather on how they drive the maritime sector to take essential actions against cyber threats and enhance cyber awareness.

• International Maritime Organization (IMO): Guidelines on Maritime Cyber Risk Management (https://www.imo.org/) provide a comprehensive framework for mananaging cyber risks in the maritime sector. These guidelines are integrated into the International Safety Management (ISM) Code, which requires shipping companies to include cyber risk management in their safety management systems.
• International Maritime Bureau (IMB): Best management practices to deter piracy and enhance maritime cybersecurity (https://www.icc-ccs.org/ offer practical advice for improving cybersecurity and managing risks, particularly in relation to piracy and other maritime threats.
• Baltic and International Maritime Council (BIMCO): Guidelines on cybersecurity onboard ships (https://www.bimco.org/) provide detailed recommendations for ship owners and operators on how to implement effective cybersecurity measures onboard ships.
• International Maritime Satellite Organization (IMSO): focuses on ensuring the security of global maritime communication systems. Their guidelines (https://imso.org/) emphasize protecting maritime communication networks and systems from cyber threats.
• European Maritime Safety Agency (EMSA): offers guidelines (https://www.emsa.europa.eu/) specifically for enhancing cybersecurity in ports, focusing on protecting port facilities and operations.
• United States Coast Guard (USCG): provides a cybersecurity (https://www.uscg.mil/) framework profile for maritime (https://www.uscg.mil/) based on the NIST cybersecurity framework, offering a detailed approach to managing cyber risks in maritime operations.

3.4. Vulnerability and Analysis Tools

In the field of cybersecurity, and based on the context, the term “vulnerability” has two distinct meanings. On one hand, a system’s vulnerability can refer to a weakness or flaw within a system that an attacker may exploit to compromise the system. This can result from errors in the software, outdated software with known security issues, weak security protocols, etc. On the other hand, it can also refer to the overall susceptibility or fragility of a system to cyber attacks, representing a comprehensive evaluation of the system’s exposure to existing threats. In this perspective, a security vulnerability is any flaw that can be exploited by an intruder to breach a system’s integrity, availability, or confidentiality. In general, an attacker leverages one or multiple vulnerabilities to compromise the system.

In this paper, the term vulnerability refers mainly to the second meaning. Vulnerabilities are weaknesses that can be leveraged by an intruder to perform unauthorized actions. For example, gaining unauthorized access to data without proper credentials. In general, an attacker leverages one or multiple vulnerabilities to compromise the system. An attacker typically begins a system compromise by exploiting system flaws to get access to one element, later moving laterally through others to ultimately reach the target and obtain information [75]. The maritime industry suffers from vulnerabilities, in particular

• the exploitation of outdated IT and OT systems that are not supported and/or depend on obsolete operating platforms;
• reliance on OT systems, which cannot be patched or installed with antivirus software because of some type approval constraints;
• the participation of various stakeholders in ship operations and chartering can result in diffuse responsibility for the IT and OT infrastructure and the vessel’s systems;
• vessels that maintain online interfaces with onshore parties and various components of the global supply chain;
• ship equipment that is remotely monitored and accessed, for example, by manufacturers or service providers;
• sharing of business-critical and commercially sensitive data with shore-based entities, such as marine terminals, stevedores, and governmental authorities;
• reliance on computer-controlled critical systems that may be unpatched or inadequately secured, impacting both the vessel’s safety and environmental safeguards;
• cyber risk management culture with potential for enhancement, such as implementing structured training programs and exercises to better define roles and responsibilities;
• various subsystems assembled by shipyards with minimal attention to cyber risk considerations.

System fragility against cyber threats can be analyzed through several dimensions, each reflecting a distinct aspect of vulnerability analysis. One type of analysis is to measure how likely or easy it is for an attacker to compromise the system; this analysis may also include assessing the system’s susceptibility to specific types of attacks, which may involve calculating the likelihood of successfully targeting the system by one particular type of attack or evaluating the time an intruder may need to compromise the system using a specific attack, etc. Another type of analysis includes assessing the performance of the implemented attack detection strategy and measuring how effectively and quickly this strategy identifies the intrusions. An efficient detection strategy can significantly reduce the impact of an attack. Finally, fragility analysis can also be measured by assessing the impact of a successful attack on the system; this analysis provides a critical assessment of the system’s resilience and the potential consequences of each type of attack. Each sequence of vulnerabilities can be modeled as a series of state changes of the system, which finally transfers the system from a secure state to an attacked state. The network topology is a graph-based structure, which makes the graphical tools the best way for cyber attack modeling. In the literature, there exist numerous models that describe the interactions and lead to a good and effective evaluation. In order to detect and mitigate the consequences of cyber attacks, modeling and simulation need to be undertaken [76]. To model and analyze the attacks, several tools have been proposed and used, e.g., attack graphs, attack trees, and cyber kill chain [77].

Cyber kill chains: describe a cyber attack with a number of steps that must be completed in the correct order, each of which has a certain duration. These actions are organized into logical groups and carried out sequentially to form a cyber attack process, which often has a limited lifespan. Cyber kill chains, or cyber attack life cycles, are terms used for such descriptions of a cyber attack [78,79]. A cyber kill chain is generally composed of seven phases of modeling, namely “reconnaissance”, “weaponization”, “delivery”, “exploitation”, “installation”, “command and control”, and “actions on objectives” [79].

Attack paths and graphs: widely used to deal with the problem of security assessment due to their great ability to describe a detailed network attack process [80,81]. They were proposed for the first time by Swiler et al. [28] in 1998 to visually display the possible attack sequences in a system [82]. The sequences or paths are obtained by a comprehensive and deep analysis of the information flow, topology, and vulnerabilities [83]. An attack graph is an acyclic graph, composed of two main components: nodes and edges. The nodes represent the system’s hosts, the vulnerabilities, or the devices. The edges represent the possible evolution within the graph nodes and indicate that the attacker can gain more privileges in the network. In the maritime and port sectors, attack graphs are valuable tools for analyzing and visualizing the potential cyber threats that could compromise critical infrastructure, systems, and operations. Given the complexity and various interconnections of maritime and port systems, which include everything from onboard ship systems and cargo management to port communication networks and logistics, attack graphs provide a structured way to understand how vulnerabilities might be exploited by cyber attackers.

Attack trees: first introduced by Shneir et al. in [84]. They are a graphical tool, similar to attack graphs, that represents security situations by methodically displaying the successive steps an intruder may take to achieve an attack objective [85,86]. In particular, attack trees describe situations where several attack paths exist. The choice of one path relies on the attacker’s experience and knowledge about the system. The root node of an attack tree represents the attacker’s goal, and the intermediate nodes represent the sub-goals of the attacker. Finally, the leaf nodes represent the ”atomic” actions realized by the attacker. An individual leaf or the combination of several leaves leads to one or more sub-goals until reaching the root node. There exist three possible combinations between nodes: conjunctive relation, i.e., all the actions should occur to satisfy the condition; disjunctive relation, i.e., one or more actions should be satisfied; and conjunctive sequential relation, i.e., all the actions should occur in a specific order to satisfy the condition.

4. DES Models for the Security of Maritime and Port Domains

4.1. Vessel Traffic Management System

A Vessel Traffic Service (VTS) is the authority responsible for controlling and regulating vessel traffic. The Vessel Traffic Management System (VTMS) is the computerized system that the VTS uses to support this task. A VTMS helps port authorities dock, undock, and operate the vessels (https://www.elmansrl.com/port-of-aden-vtmis/, accessed on 31 July 2025). In detail, the role of a VTMS is to assist the VTS in managing and organizing vessel movements to ensure safe, efficient, and orderly traffic flow. It aids port authorities by monitoring ship positions, coordinating arrivals and departures, etc. For simplicity, we consider the case where the VTMS handles one vessel at a time. The process starts in an idle state, waiting for a vessel to arrive. When a vessel reaches the port neighborhood, the system starts communication to monitor its location and confirm its identification, allowing admission or not. Once verified, the vessel is assigned a specific dock. The vessel may have to wait before entering the port if the assigned dock is still occupied and no other dock is available. When the dock becomes available, the vessel moves forward under the guidance of the VTMS. After docking, the cargo operations begin, where cargoes are either loaded or unloaded. Once cargo handling is completed, the VTMS assigns a departure time and provides the vessel with navigation instructions for exiting the port. The vessel leaves the dock, moving along its designated route until it exits the port neighborhood. After the vessel leaves the port vicinity, the system resets and returns to the idle state, ready to manage the next incoming vessel.

This VTMS can be subject to different types of attacks, such as fake vessel injection, where an attacker may introduce a fake vessel into the VTMS system, making it appear as a legitimate vessel that has entered the port neighborhood. The normal VTMS process and the attack scenario can be modeled using a Labeled Timed Probabilistic Automata. A Labeled Timed Probabilistic Automata (LTPA) [87,88,89,90] is a 6-tuple $G=(\mathcal{S},E,\mathcal{Q},Obs,\delta ,\mathrm{\Pi }(0\left)\right)$, where

• $\mathcal{S}$ is a finite set of states, so that $\left|\mathcal{S}\right|=n$;
• E is an event set, so that $E=E_o\cup E_u$, where $E_o$ is the set of observable events and $E_u$ is the set of unobservables ones;
• $\mathcal{Q}=\mathcal{Q}$ is an alphabet of observable labels;
• $Obs:E\to {\mathcal{O}}_{\epsilon }$ is a labeling function that assigns a label to each event, ${\mathcal{Q}}_{\epsilon }=\mathcal{Q}\cup \left\{\epsilon \right\}$ and $\epsilon$ is the symbol used to notify that an event is silent;
• $\delta \subseteq \mathcal{S}\times E\times {\mathbb{R}}^{\ast +}\times \mathcal{S}$ is a transition relation, where ($s_i$, $e_{s_i,s_j}$,$\mu$, $s_j$) $\in \delta$ means that there is a transition from the state $s_i$ to the state $s_j$ triggered by the event $e_{s_i,s_j}$ that occurs with a rate $\mu$;
• $\mathrm{\Pi }\left(0\right)\in {[0,1]}^{1\times \left|\mathcal{S}\right|}$ is the vector of initial state probabilities, where its $i^{th}$ entry represents the probability that the system is initially in the state $s_i$.

As shown in Figure 3, $VTMS=(\mathcal{S},E,\mathcal{Q},Obs,\delta ,{\mathrm{\Pi }}_0)$, where

• $\mathcal{S}=\{s_0,s_1,s_2,s_3,s_4,s_5,s_6,s_7,s_8,s_{0^{\prime }},s_{1^{\prime }},s_{2^{\prime }},s_{8^{\prime }}\}$ is the set of states;
• $E_o=\{e_{s_0,s_1},e_{s_{0^{\prime }},s_{1^{\prime }}},e_{s_{8^{\prime }},s_{1^{\prime }}},e_{s_1,s_2},e_{s_{1^{\prime }},s_{2^{\prime }}},e_{s_2,s_3},e_{s_3,s_4},e_{s_2,s_4}{e}_{s_4,s_5},e_{s_5,s_6}{e}_{s_6,s_7},e_{s_7,s_8}{e}_{s_2,s_8},e_{s_{2^{\prime }},s_{8^{\prime }}},e_{s_8,s_0}\}$ is the set of observable events and $E_{uo}=\left\{e_{s_0,s_{0^{\prime }}}\right\}$ is the set of unobservable ones;
• ${\mathcal{Q}}_{\epsilon }=\{a,b,c,d,k,g,h,i,j,l,p\}$ is the set of labels;
• $Obs$ is the labeling function, where $Obs\left(e_{s_0,s_1}\right)=Obs\left(e_{s_{0^{\prime }},s_{1^{\prime }}}\right)=Obs\left(e_{s_{8^{\prime }},s_{1^{\prime }}}\right)=a$, $Obs\left(e_{s_0,s_{0^{\prime }}}\right)=\epsilon$, $Obs\left(e_{s_1,s_2}\right)=Obs\left(e_{s_{1^{\prime }},s_{2^{\prime }}}\right)=b$, $Obs\left(e_{s_2,s_3}\right)=c$, $Obs\left(e_{s_3,s_4}\right)=g$,$Obs\left(e_{s_2,s_4}\right)=d$, $Obs\left(e_{s_4,s_5}\right)=h$, $Obs\left(e_{s_5,s_6}\right)=i$, $Obs\left(e_{s_6,s_7}\right)=j$, $Obs\left(e_{s_7,s_8}\right)=Obs\left(e_{s_2,s_8}\right)=Obs\left(e_{s_{2^{\prime }},s_{8^{\prime }}}\right)=k$,$Obs\left(e_{s_8,s_0}\right)=l$;
• $\delta =\{$$(s_0,e_{s_0,s_1},1,s_1),$$(s_{0^{\prime }},e_{s_{0^{\prime }},s_{1^{\prime }}},1,s_{1^{\prime }}),$$(s_{8^{\prime }},e_{s_{8^{\prime }},s_{1^{\prime }}},1,s_{1^{\prime }})$, $(s_0,e_{s_0,s_{0^{\prime }}},0.01,s_{0^{\prime }})$, $(s_1,e_{s_1,s_2},1,s_2)$, $(s_{1^{\prime }},e_{s_{1^{\prime }},s_{2^{\prime }}},1,s_{2^{\prime }})$, $(s_2,e_{s_2,s_3},1,s_3)$, $(s_3,e_{s_3,s_4},1,s_4)$, $(s_2,e_{s_2,s_4},1,s_4)$, $(s_4,e_{s_4,s_5},1,s_5)$, $(s_5,e_{s_5,s_6},1,s_6)$, $(s_6,e_{s_6,s_7},1,s_7)$, $(s_7,e_{s_7,s_8},1,s_8),$$(s_2,e_{s_2,s_8},1,s_8),$$(s_{2^{\prime }},e_{s_{2^{\prime }},s_{8^{\prime }}},1,s_{8^{\prime }})$, $(s_8,e_{s_8,s_0},1,s_0)\}$ is the transition relation;
• ${\mathrm{\Pi }}_0=[1$$0_{|1\times 12|}]$ is the initial state probability distribution.

• The designation of the states and the observations is reported in Table 4. The attack pattern of the fake vessel injection is illustrated in Figure 4, where $FP=(\mathcal{N},E,{\delta }_p,N,Att)$, with

• $\mathcal{N}=\{N,Att\}$ is the set of states of the attack pattern;
• E is the set of events of the attack pattern, which is exactly the same as the set of events of the VTMS model;
• ${\delta }_p=\{(N,e_{s_i,s_j},N),\forall e_{s_i,s_j}\in E-\left\{e_{s_0,s_{0^{\prime }}}\right\}\}\cup \{(Att,e_{s_i,s_j},Att),\forall e_{s_i,s_j}\in E\}\}$$\cup (N,e_{s_0,s_{0^{\prime }}},Att)$ is the set of transitions of the attack pattern;
• N is the attack pattern initial state;
• $Att$ is the attack pattern finale state.

Figure 3. VTSM modeled with LTPA (each transition is associated to a label and to a firing rate.

Table 4. States and labels designation of a VTMS.

States	Labels
$s_0:$ No vessel in VTMS range;	$a:$ A vessel entered in port neighborhood;
$s_1:$ Vessel approaching port;	$b:$ Request to dock;
$s_2:$ Vessel authentication and waiting for authorization to dock;	$c:$ Request accepted but no dock is currently available;
$s_3:$ Vessel waiting the dock to be available;	$d:$ Request accepted and a dock is assigned;
$s_4:$ Vessel approaching port;	$k:$ Authentication failed and docking refused;
$s_5:$ Docking in progress;	$g:$ Dock assigned;
$s_6:$ Cargos loading or unloading;	$h:$ Docking start;
$s_7:$ Vessel departure;	$i:$ Docking finished and begin of cargos loading or unloading;
$s_8:$ Vessel is leaving VTMS range;	$j:$ Cargos operations completed;
$s_{0^{\prime }}:$ Idle state (Attack);	$p:$ Vessel starts leaving VTMS range;
$s_{1^{\prime }}:$ Fake vessel approaching port;	$l:$ Vessel quits VTMS range;
$s_{2^{\prime }}:$ Fake vessel authentication and waiting authorization to dock;	$\epsilon :$ Begin of an attack.
$s_{8^{\prime }}:$ Fake vessel is leaving VTMS range.

Table 4. States and labels designation of a VTMS.

States	Labels
$s_0:$ No vessel in VTMS range;	$a:$ A vessel entered in port neighborhood;
$s_1:$ Vessel approaching port;	$b:$ Request to dock;
$s_2:$ Vessel authentication and waiting for authorization to dock;	$c:$ Request accepted but no dock is currently available;
$s_3:$ Vessel waiting the dock to be available;	$d:$ Request accepted and a dock is assigned;
$s_4:$ Vessel approaching port;	$k:$ Authentication failed and docking refused;
$s_5:$ Docking in progress;	$g:$ Dock assigned;
$s_6:$ Cargos loading or unloading;	$h:$ Docking start;
$s_7:$ Vessel departure;	$i:$ Docking finished and begin of cargos loading or unloading;
$s_8:$ Vessel is leaving VTMS range;	$j:$ Cargos operations completed;
$s_{0^{\prime }}:$ Idle state (Attack);	$p:$ Vessel starts leaving VTMS range;
$s_{1^{\prime }}:$ Fake vessel approaching port;	$l:$ Vessel quits VTMS range;
$s_{2^{\prime }}:$ Fake vessel authentication and waiting authorization to dock;	$\epsilon :$ Begin of an attack.
$s_{8^{\prime }}:$ Fake vessel is leaving VTMS range.

This attack pattern corresponds to the single event attack $e_{s_0,s_{0^{\prime }}}$. Observe that stochastic Petri nets [91,92] can be used instead of probabilistic automata for the purpose of modeling and analyzing various systems subject to attacks, failures, or other unpredictable events [93,94,95,96].

Figure 4. The attack pattern of the attack fake vessel injection.

4.2. Radar System

In the complex maritime domain, the operation of commercial vessels increasingly relies on efficient information transmission and precise navigation systems to ensure the safe and timely delivery of cargo. Different types of vessels, such as container ships, bulk carriers, and tankers, depend on radar systems to detect surrounding targets, effectively avoid collision incidents, and optimize navigation paths. During the execution of tasks such as cargo transport, route monitoring, and port operations, vessels must have real-time awareness of the environmental conditions in their vicinity and the precise positions and headings of other vessels. This requires not only a keen insight into marine environments but also emphasizes the necessity of close collaboration among vessels to minimize collision risks and effectively respond to potential hazards. In this context, radar systems serve as the core sensing technology for vessels, and their role becomes increasingly significant. Through the mechanism of transmitting and receiving radar signals, vessels can instantly capture the position, speed, and heading information of other vessels, allowing for rapid decision-making. Given the simplicity and intuitiveness of automata modeling in describing system behavior, we can employ automata to optimize the radar information exchange processes among fleets, thereby enhancing overall operational effectiveness and safety assurance.

Let us consider the example of a cargo tracking system, illustrating a discrete event system under attack in the maritime domain. This model is inspired by [97], but it is configured in the entire cargo system. For instance, to illustrate the collaborative dynamics within a fleet, consider a specific operation involving four cargo vessels: Vessel A (VA), Vessel B (VB), Vessel C (VC), and Vessel D (VD), as depicted in Figure 5a. This scenario is designed to demonstrate how vessels with distinct roles and responsibilities can work together to achieve efficient navigation and hazard avoidance.

Figure 5. (a) A squadron, and (b) an automaton G for the behaviors of the squadron.

In detail, VA is positioned to the north and serves as the node for detection and information gathering. It initiates communication and provides data to the fleet. VB is located to the east and focuses on route monitoring and surveillance, ensuring the fleet follows the planned path and identifies obstacles. VC, situated to the south, acts as the support and coordination hub, facilitating communication between vessels and managing logistics. VD is positioned to the west and is tasked with hazard detection and emergency response, identifying and mitigating risks to ensure fleet safety. The main objective of these four vessels is to use radar to detect their surroundings, process reflected signals, and update navigation decisions accordingly. Specifically, a vessel emits radar signals that bounce back when encountering other ships, the coastline, or obstacles such as rocks. By measuring the travel time of the reflected signals, the vessel estimates the distance to the detected objects, while the Doppler effect allows it to calculate their relative speed. Initially, VA is responsible for emitting radar signals to detect the positions and movement directions of other vessels, while VB, VC, and VD receive the signals from VA and relay their positional information and headings back. Subsequently, VA adjusts its course based on the feedback received and sequentially passes the adjustment priority (i.e., the token) to the other vessels. After adjusting their headings, each vessel emits new signals to reflect its adjusted state, ensuring that other vessels can obtain the latest navigation information. Ultimately, all vessels adjust according to the feedback received to avoid collisions.

The automaton $G=\{Q,E,\delta ,q_0\}$ models this system, as detailed in Figure 5b and Table 5. In this model, the set of the states is $Q=\{0,1,2,3,4,5,6,7\}$, the set of the events is $E=\{e_0,e_1,$$e_2,e_3,e_4,$$e_5,e_6,e_7\}$, and the initial state is $q_0=0$. The transitions are visualized near the edges. For example, the transition $\delta (1,e_1)=2$ means that a transition starting from state 1 is fired with the event $e_1$ and will reach state 2. In this scenario, the problems within the maritime system can be modeled, analyzed, and processed as automaton problems [98].

Table 5. Meanings of the states and events in Figure 5a.

State	Meaning of the State	Event	Meaning of the Event
0	All vessels are on standby, ready to commence the mission	$e_0$	VA initiates the reconn- aissance mission
1	VA is on standby	$e_1$	VA transmits Radar signals to VB, VC, and VD
2	VB, VC, and VD receive Radar signals from VA	$e_2$	VB, VC, and VD transmit Radar signals to VA
3	VA receives Radar signals from VB, VC, and VD	$e_3$	VA analyzes the status of the surrounding vessels
4	VA adjusts its own course, and completes the course correction	$e_4$	VA passes the token to VB
5	VB adjusts its own course, and completes the course correction	$e_5$	VB passes the token to VC
6	VC adjusts its own course, and completes the course correction	$e_6$	VC passes the token to VD
7	VD adjusts its own course, and completes the course correction	$e_7$	VD passes the token to VA

Typically, attackers can compromise the system by manipulating, deleting, or substituting signals within the system, i.e., manipulating, deleting, or substituting the events of the system. A possible attack plan is proposed in Table 6, where each row represents the events generated by the system (including the empty event $\epsilon$), and each column illustrates the corruption resulting from the attack. For instance, “$(e_2,e_3)$” in Row 2 Column 3 denotes that the generated event $e_2$ can be replaced by $e_3$, “delete $e_5$” in Row 4 Column 6 implies that the event $e_5$ can be deleted (i.e., replaced by $\epsilon$), and “insert $e_7$” in Row 6 Column 5 indicates the insertion of the event $e_7$. In this case, the attack detection problem in maritime systems is formulated as an attack problem within the DES framework. According to [99], a modified automaton can be constructed based on the underlying attack events. Then, the modified automaton can be utilized to determine whether the system is under attack.

Table 6. Example of attack plan.

Original/Attack	${\mathit{e}}_1$	${\mathit{e}}_3$	${\mathit{e}}_4$	${\mathit{e}}_7$	$\mathit{\epsilon }$
$e_2$		$(e_2,e_3)$
$e_3$			$(e_3,e_4)$
$e_5$					delete $e_5$
$e_6$	$(e_6,e_1)$
$\epsilon$				insert $e_7$

4.3. Port Automated Guided Vehicles System

Consider a port system shown in Figure 6a, which comprises five loading areas, $Z_1$–$Z_5$, representing different sections of the port, such as warehouses, storage yards, and docks. These areas serve as the central hub for cargo loading, unloading, transshipment, and storage, ensuring efficient logistics operations and seamless integration across multiple transportation modes. Initially, several automated guided vehicles (AGVs) are waiting to enter the system and move between loading areas to perform various tasks, such as transporting cargo from one loading area to another or delivering goods to external transport vehicles (e.g., trucks or vessels). For each loading area, vehicles can enter, pick up and drop off goods, and exit designated quay interfaces. When moving from one loading area to another, vehicles should navigate through these entry points.

Figure 6. (a) AGV navigation routes in a port system, and (b) A labeled Petri net model.

A labeled Petri net models the movements of vehicles in this port system and is depicted in Figure 6b. Specifically, places $p_1$–$p_5$ correspond to loading areas $Z_1$–$Z_5$, while the firing of each transition represents the transit of one vehicle through the respective quay interface, detected by sensors installed at these locations. Letters $q_1$–$q_8$ indicate the labels sent by the sensors.

These examples have illustrated how automata and Petri nets can be used to model communication systems and sensor networks used in maritime and port domains.

5. Cybersecurity Analysis and Enforcement with DES

5.1. Security Metrics

Metrics play a crucial role in security analysis. They help in measuring the effectiveness of security policies, mechanisms, or implementations [100]. They can also help in the identification of system vulnerabilities, guide in the prioritization of corrective measures, and enhance security awareness. This section presents several graph-based security metrics that are widely used in the literature [101,102].

• Shortest path: This metric is used to assess the security of a system by identifying the shortest path from the initial security state to the targeted one. Roughly speaking, it represents the least effort required by an attacker to compromise the target.
• Number of paths: This metric quantifies the number of routes an attacker can take to compromise the system. The higher the number of routes, the lower the security level, because the attacker has more opportunities to succeed.
• Mean path length metric: This metric assesses the average number of exploits an attacker needs to exploit to reach the target.
• Mean time to security failure: This metric measures the expected time an attacker needs to successfully compromise a system. Generally, it is expressed as the mean time to the first security failure.
• Steady-state security: This metric evaluates the level of security in a system in the long run i.e., as time approaches infinity.
• The type of security failure: This metric classifies the security issues. As in practice, different attack paths exist that the attacker may follow to compromise the system, i.e., an intruder can breach the security of the system with different privilege levels, and this metric is the probability of each attack path being selected.

In the context of vulnerability analysis, and as far as DES is concerned, three primary tools are generally used to model interactions between the system and potential attacks: attack and defense graphs, attack and defense trees, and cyber kill chains, alongside other models that incorporate both the system’s baseline behavior and attack scenarios. Based on these models, various analytical methods are employed to evaluate system security against cyber threats. Logic-based methods, such as graph algorithms [103,104], kill chain [105,106], and cost algorithms [107]. Additionally, some methods are extended to the probabilistic setting, like Bayesian networks [108,109,110,111,112,113] and Markov models [83,102,114,115,116,117,118], which provide quantitative metrics for assessment. These approaches hold significant potential for the maritime sector, as they can assist in identifying weaknesses in vessels or ports, thereby contributing to the development of more resilient and secure systems.

Remark 1. 

It is important to note that the assessment of these metrics depends on the proposed approach and the underlying model. For the reader’s convenience, detailed approaches and practical examples are provided in [83,102,114,115].

5.2. Cybersecurity in Discrete Event Systems

Recent advances in cyber attacks on networked DES focus on understanding how cyber vulnerabilities in networked control frameworks can be exploited and protected. Key research topics include vulnerability analysis, attack detection, and attack mitigation and defense, as detailed in Table 7. All referred papers include modeling aspects and can be separated into three main groups depending on the main objective, which is either analysis, detection, or mitigation. Less than 25 percent of these papers directly concern the maritime and port domains, but most of the contributions are ready to be extended to those sectors. Most of the contributions are based on automata or Petri nets (PNs) tools. As far as vulnerability is concerned, some papers also use Bayesian models, Markov models, or other probabilistic models (see Figure 7).

Figure 7. Use of DESs for cybersecurity problems.

These efforts are essential for enhancing the security of systems across sectors like maritime logistics, smart grids, and autonomous transportation, ensuring they are better protected against evolving cyber threats.

Vulnerability modeling and analysis: identifying the weak points in the communication networks and control logics of DES, which can be leveraged for attacks like data manipulation, denial of service (DoS), and false data injection.

Attack detection: Advancements in machine learning, anomaly detection algorithms, and real-time monitoring tools have improved the ability to identify malicious activities in DES. Researchers are exploring detection mechanisms that can swiftly respond to abnormal patterns within event-driven frameworks.

Attack mitigation and defense: Recent studies have focused on designing more resilient networked DES architectures by implementing robust fault-tolerant control systems, encryption, and secure communication protocols that can withstand cyber attacks and reduce their impact on system operations.

5.3. Performance Evaluation with Markov Models and Probabilistic Automata

A security threat is a stochastic process that can be modeled as a Markov chain. The probability of transition from one state to another is based on the vulnerability present in the next state. A Markov chain is composed of several paths, and each path represents an attack path, which the attacks can follow to reach a cybersecurity breach, and each attack path can be composed of a sequence of states.

In [89], the authors propose an approach that evaluates the performance of fault detection functions (FDD). The FDD function is defined as a complete deterministic finite automata $FDD=(\mathcal{A},\mathcal{Q},{\delta }_D$, ${\overline{A}}_0,A)$, where $\mathcal{A}$ is the set of FDD states, $\mathcal{Q}$ is the set of observable labels, ${\delta }_D$ is the transition function of the FDD, ${\overline{A}}_0$ is the FDD initial state, such that $\mathcal{A}=\overline{A}\cup \left\{A\right\}$, where $\overline{A}=\{{\overline{A}}_1,{\overline{A}}_2,\dots \}$ stands for the states set that trigger no alarm and A is the unique stable state, which indicates that an alarm has been triggered in a timed and probabilistic setting. The objective of a fault detection function is to determine, based on observations, whether the system is in a faulty mode or not. In this contribution the authors study the performance of such FDD in terms of non-detection (the case where the system is in a faulty mode and the non-alarm is triggered), false alarm (the alarm is triggered while the system is working in normal mode), and detection delay (the delay refers to the time lag between the system’s transition into a faulty mode and the activation of the alarm). In [89], three quantitative metrics are proposed: the non-detection rate, the false alarm rate, and the detection delay. The approach is based on the Markovian approximation of the system behavior in the long run. This work has been initially developed in the context of fault diagnosis but can be extended to the evaluation of the Attack Detection Function (ADF). A fault pattern automaton is a complete deterministic finite automaton $FP=(\mathcal{N},E,{\delta }_p,N_0,Att)$, where $\mathcal{N}$ is a finite set of states, E is the set of events, ${\delta }_p:\mathcal{N}\times E\to \mathcal{N}$ is a transition function, $N_0\in \mathcal{N}$ is an initial state, such that $\mathcal{N}=N\cup \left\{Att\right\}$ so that $N=\{N_0,N_1,\dots \}$ stands for the normal states set and $Att$ is a unique stable state, which represents the pattern occurrences.

A possible ADF designed to identify fake vessel injection, for the VTMS modeled in Figure 3 with the attack pattern in Figure 4, is illustrated in Figure 8, where $FDD=(\mathcal{A},\mathcal{Q},{\delta }_D$, ${\overline{A}}_0,A)$, and

Figure 8. An ADF to detect the attack fake vessel injection represented in Figure 3 and Figure 4.

• $\mathcal{A}=\{{\overline{A}}_0,{\overline{A}}_1,{\overline{A}}_2,A\}$ is the set of states;
• $\mathcal{Q}$ is a set of events, which corresponds to the system set of labels;
• ${\delta }_D=\{({\overline{A}}_0,q,{\overline{A}}_0), \forall q\in \mathcal{Q}-\left\{a\right\}\}\cup \{({\overline{A}}_1,q,{\overline{A}}_1), \forall q\in \mathcal{Q}-\left\{b\right\}\}$$\cup \{({\overline{A}}_2,q,{\overline{A}}_2), \forall q\in \mathcal{Q}-\left\{k\right\}\}\cup$$\{({\overline{A}}_0,a,{\overline{A}}_1),$$({\overline{A}}_1,b,{\overline{A}}_2),$$({\overline{A}}_2,k,A)\}$ is the set of transitions;
• ${\overline{A}}_0:$ is the initial state;
• $A:$ is the final state.

This ADF activates an alarm upon observing the sequence of observations $abk$. By leveraging the approach developed in [89], the effectiveness of this ADF in detecting fake vessel injection can be thoroughly evaluated. The approach is based on the Markovian approximation of the system behavior in the long run, and the proposed schema is developed according to two successive compositions: first between the model of the system and the fault pattern, and second between the obtained structure and the ADF.

Table 7. Papers on cybersecurity with DES.

Ref.	Year	Analysis	Detection	Mitigation	Method	Maritime
[119]	2017			✓	PN	✓
[120]	2017			✓	PN	✓
[5]	2024				Blockchain	✓
[102]	2014	✓			Markov
[26]	2023	✓	✓	✓	DES
[121]	2021		✓		DES
[122]	2021			✓	DES
[123]	2022	✓	✓	✓	CPS
[124]	2015	✓			PN	✓
[125]	2023	✓			PN	✓
[126]	2025	✓			PN
[101]	2013	✓			Markov
[127]	2019	✓			PN	✓
[128]	2021	✓			Automata
[129]	2018		✓		Automata
[130]	2017			✓	DES
[99]	2022		✓		DES
[131]	2009			✓	PN
[132]	2019			✓	DES
[133]	2025			✓	PN
[134]	2025			✓	PN
[135]	2017	✓	✓		DES
[107]	2023	✓	✓		Automata
[108]	2005	✓			Bayesian
[109]	2008	✓			Bayesian
[83]	2016	✓			Attack graph
[89]	2023	✓			Markov

Table 7. Papers on cybersecurity with DES.

Ref.	Year	Analysis	Detection	Mitigation	Method	Maritime
[119]	2017			✓	PN	✓
[120]	2017			✓	PN	✓
[5]	2024				Blockchain	✓
[102]	2014	✓			Markov
[26]	2023	✓	✓	✓	DES
[121]	2021		✓		DES
[122]	2021			✓	DES
[123]	2022	✓	✓	✓	CPS
[124]	2015	✓			PN	✓
[125]	2023	✓			PN	✓
[126]	2025	✓			PN
[101]	2013	✓			Markov
[127]	2019	✓			PN	✓
[128]	2021	✓			Automata
[129]	2018		✓		Automata
[130]	2017			✓	DES
[99]	2022		✓		DES
[131]	2009			✓	PN
[132]	2019			✓	DES
[133]	2025			✓	PN
[134]	2025			✓	PN
[135]	2017	✓	✓		DES
[107]	2023	✓	✓		Automata
[108]	2005	✓			Bayesian
[109]	2008	✓			Bayesian
[83]	2016	✓			Attack graph
[89]	2023	✓			Markov

Applying the approach presented in [89], the evaluation of the performance metrics of this ADF in detecting fake vessel injection leads to a false alarm rate of 99 %, a non-detection rate of 0 %, and an average detection delay of three time units.

5.4. Security Enforcement with Petri Nets

For this port system, an excessive concentration of vehicles in any loading area can lead to significant congestion, causing delays in cargo handling and disrupting the overall task scheduling. This situation can ultimately diminish system efficiency, leading to economic losses and increasing the risk of vehicle collisions or accidents. To mitigate these challenges, each area is required to have a defined capacity. It is essential to highlight that, in this context, the capacity of each area is determined by specific control constraints that account for berth scheduling, vessel turnaround times, and other logistics dynamics, rather than being solely dictated by the physical spatial limits of the area.

For example, consider the AGV modeled with the Petri net in Figure 6 and the scenario such that loading area $Z_4$—a container terminal berth—has a capacity of three vehicles, which can be formalized as the control specification, called generalized mutual exclusion constraint (GMEC) [131]. This constraint ensures that, at any reachable state, the number of AGVs at $p_5$ does not exceed three. The constraint can be defined as GMEC $J=({[0,0,0,0,1,0,0]}^{\mathrm{T}},3)$, which restricts the token count (or vehicle count) in $p_5$ to three.

Now, assume that the port system is vulnerable to a type of sensor deception attack, where an attacker manipulates the sensor data to misreport vehicle movements between loading areas by altering the observations of a vehicle entering area $Z_4$ to appear as if it is entering $Z_2$. In other words, if an attack occurs after the system generates label $q_5$ (i.e., transition $t_7$ or $t_6$ fires), the observation will be altered as $q_2$. This attack can be represented as $R=\left\{(q_5,q_2)\right\}$.

Next, we demonstrate how such an attack can lead to exceeding the capacity of loading area $Z_4$. By firing a transition sequence $\sigma ={t_1}^4{t_2}^2{t}_5{t}_6{t_3}^2{t}_7$ at the initial marking $M={\mathbf{0}}^{\mathrm{T}}$, the port system reaches marking $M=2p_3+2p_4$, indicating two vehicles in loading area $Z_3$ and two in $Z_4$. If transition $t_7$ fires at M (a vehicle moves from $Z_3$ to $Z_4$), the system reaches $M^{\prime }=p_4+3p_5$, with the corresponding sensor generating label $q_5$. In this case, if an attack $(q_5,q_2)$ occurs, the new observation will be $q_2$, instead of $q_5$, leading the port authorities to believe that loading area $Z_4$ only has two vehicles. Based on this faulty information, the operators may allow another AGV to enter $Z_4$, resulting in the number of vehicles in the area exceeding the defined capacity of three if transition $t_6$ or $t_7$ fires at $M^{\prime }$.

The supervisory control theory [132] for DESs offers an effective solution to this issue. This approach typically involves designing a supervisor to properly guide or restrict a system’s evolution such that its behavior under supervision meets predefined control specifications by typically disabling certain events depending on the observed system output. In a realistic scenario, a supervisor observes the occurrence of events by getting the readings from sensors and disables some of the events by issuing control commands to the related actuators.

According to the work in [133], an online supervisory control policy for this example is stated as follows:

• Step 1: (Initialization) observation: $\omega \leftarrow \lambda$, set of forbidden transitions at $\omega$: $\nu \left(\omega \right)\leftarrow \varnothing$
• Step 2: (Online) Wait until a label q is observed

  Step 2.1: 

  $\omega \leftarrow \omega q$

  Step 2.2: 

  Compute $\zeta \left(\omega \right)\leftarrow 3-({\pi }_{\omega }\left(q_5\right)+{\pi }_{\omega }\left(q_2\right))+{\pi }_{\omega }\left(q_4\right)+{\pi }_{\omega }\left(q_6\right)$, where ${\pi }_{\omega }\left(q_i\right)$ with $i\in \{2,4,5,6\}$ refers to the number of occurrences of $q_i$ in $\omega$

  Step 2.3: 

  Disable all transitions in $\nu \left(\omega \right)\leftarrow \{t\in T_q|q\in Q,\eta \left(q\right)>\max \{0,\zeta \left(\omega \right)\}\}$

It is verified that although the port system under consideration is vulnerable to sensor deception attacks $R=\left\{(q_5,q_2)\right\}$, the acquired supervisor by [133] can still dynamically guide the behavior of AGVs according to the above predefined control rules to prevent the overconcentration of AGVs in area $Z_4$.

6. Open Problems and Future Directions

As the maritime and port sectors continue their digital transformation, the cyber–physical infrastructures supporting them are becoming increasingly complex, interconnected, and vulnerable to sophisticated cyber threats. While DES methodologies have demonstrated strong potential for modeling, detection, and control of cybersecurity incidents, several fundamental challenges remain unresolved. This section outlines the main open problems and promising research directions that emerge from current findings and trends.

Data availability and dataset generation: One recurrent problem in research applied to the maritime domain and more generally industrial cybersecurity is the lack of data [136]. The complexity and heterogeneity of vessels make it difficult to generate adapted datasets. In addition, data is often considered confidential, making it difficult to create public datasets. For maritime cybersecurity, researchers have found three solutions for this issue: using open datasets, creating laboratory datasets, and simulating data. There exist several open datasets, including maritime information. Admiral [137] database lists cyber attacks targeting the maritime sector. However, most cyber attacks remain confidential or are not communicated. This database includes open references for listed cyber attacks, but technical details are often reduced. Also, AIS data are commonly used for research because they are very accessible. Some examples of datasets including these data are AIS-hub and MarineTraffic. Some datasets have been conceived with learning platforms in controlled operational environments. These works allow simulating a big set of anomalies and attacks targeting a particular system [135]. Other works looked to create adapted datasets based on simulation tools. As ships include general industrial systems, they can be modeled by general tools taking into account maritime constraints, as for water distribution systems [138].

The lack of standardized, high-quality datasets continues to impede empirical validation and benchmarking across different modeling paradigms. Future work should focus on developing shared maritime cybersecurity datasets and testbeds to support reproducible and comparable experiments.

Modeling and system complexity: As the maritime domain continues to evolve, future research should address the increasing complexity of ship operations, multi-agent collaboration, and advanced threat management from the perspective of cyber–physical and networked systems. The integration of more sophisticated vessels equipped with advanced sensors and artificial intelligence (AI)-driven systems will necessitate enhanced formal and numerical models capable of handling dynamic, real-time decision-making under uncertainty at various scales. For example, future work could explore the incorporation of probabilistic and timed automata to better model environmental uncertainties, such as weather conditions and unpredictable hazards, as well as the temporal aspects of navigation and communication. Additionally, the rise of multi-agent systems will require scalable hybrid and discrete event-based frameworks to optimize collaborative behaviors among larger fleets, enabling seamless coordination and resource allocation. As cyber–physical threats grow more complex, DES models must also account for advanced attack strategies, including coordinated multi-vector attacks and AI-driven adversarial behaviors.

Comparative modeling approaches: A necessary direction for future work lies in conducting a comparative analysis between formal approaches, in particular, DES-based methods, and other traditional cybersecurity analysis techniques, such as Bayesian networks [108,109,110,111,112,113] and Markov models [83,102,114,115,116,117,118]. Such comparisons could provide deeper insights into the relative advantages and limitations of DES for modeling cyber–physical security in maritime and port environments. To date, however, there is limited evidence of studies applying Bayesian or Markov formalisms to analyze cybersecurity issues specifically within the maritime and port sectors, as discussed in Section 4 and Section 5. Existing research employing these approaches in related maritime contexts illustrates the breadth of probabilistic and stochastic modeling but differs substantially in scope and objectives. For example, Mohsendokht et al. [110] extract dependencies among maritime cybersecurity risk factors from historical incidents, and John et al. [113] employ Bayesian networks to assess seaport resilience—both focusing on high-level risk reasoning rather than modeling attack–defense dynamics in port IT/OT systems. Aydin et al. [111] propose a Z-number–based Bayesian network for maritime autonomous surface ships, while [112] uses Bayesian models to distinguish intentional attacks from accidental failures in floodgate systems. With respect to Markovian approaches, the work [116] presents an educational Markov-chain treatment of ship cybersecurity, [117] leverages hidden Markov models for intent classification in maritime surveillance, and Wolsing et al. [118] review AIS track anomaly detection methods. These studies primarily address navigation, surveillance, or pedagogical contexts rather than the operational cybersecurity of port infrastructures. Furthermore, the lack of shared datasets, standardized evaluation protocols, and consistent model setups currently prevents a rigorous, like-for-like comparison with DES-based analyses of attack detection and protection.

Therefore, while these studies provide valuable methodological perspectives, they do not yet supply the empirical basis required for systematic comparative evaluations. Establishing such benchmarks and developing hybrid approaches that integrate DES with probabilistic models represent important open challenges for future research.

Adaptive and distributed supervisory control: Future research will also focus on developing adaptive, distributed supervisory control mechanisms capable of dynamically reconfiguring in response to cyber attacks targeting key port operations, such as quay-side activities, berth management, and container terminal automation. These mechanisms will allow for rapid adjustments to vessel scheduling, cargo handling, and AGV management, ensuring efficient resource allocation across berth zones, quay interfaces, and storage areas, enabling maritime and port systems to effectively manage both routine challenges and emerging cybersecurity threats. In fact, supervisory control approaches provide an efficient framework to prevent decisions or operations that may drive the system into a security vulnerability. By limiting the capacities of the system, one also leverages its resilience. There is also a need to elaborate advanced supervisory schemes that integrate decisions and operations enforcement in order to fully support cybersecurity issues.

Software tools: There is currently no numerical or software tool exclusively based on DES for vulnerability analysis, attack detection, and security protection in computer systems and networks managing maritime and port infrastructures.

However, a number of widely used cybersecurity tools and frameworks exist for these purposes in general IT and OT environments. Examples include Tenable.ot (https://www.tenable.com/products/ot-security, (accessed on 1 August 2025)), Nessus (https://www.tenable.com/products/nessus, (accessed on 1 August 2025)), OpenVAS (https://openvas.org/, (accessed on 1 August 2025)) and Greenbone (https://www.greenbone.net/en/, (accessed on 1 August 2025)), for vulnerability assessment; Zeek (https://zeek.org/, (accessed on 1 August 2025)), Suricata (https://suricata.io/, (accessed on 1 August 2025)), Snort (https://www.snort.org/, (accessed on 1 August 2025)), Nozomi Networks Guardian (https://fr.nozominetworks.com/products/guardian, (accessed on 1 August 2025)), Claroty Platform (https://claroty.com/platform, (accessed on 1 August 2025)), and Dragos Platform (https://www.dragos.com/cybersecurity-platform/, (accessed on 1 August 2025)) for network monitoring and intrusion detection; and Elastic Security (https://www.elastic.co/docs/solutions/security, (accessed on 2 August 2025)), Splunk Enterprise Security (https://www.splunk.com/, (accessed on 2 August 2025)), IBM QRadar (https://www.ibm.com/products/qradar, (accessed on 2 August 2025)), and Wazuh (https://wazuh.com/), and OSSEC (https://www.ossec.net/, (accessed on 2 August 2025)) for integrated security management. In addition, the MITRE ATT&CK and MITRE D3FEND frameworks provide standardized taxonomies for adversary behavior and defensive countermeasure mapping. MITRE ATT&CK effectively covers the multidimensional nature of modern cyber attacks. In parallel, MITRE D3FEND offers a similar knowledge base focused on cyber defense strategies [7].

In future work, these tools and frameworks may be considered in combination with the proposed DES-based models to support practical implementation and validation.

Integration of AI and blockchain technologies: Combining the application of AI and blockchain can provide new perspectives and research directions for maritime and port cybersecurity research, in particular for smart ports [139]. The decentralization, immutability, and transparency of blockchain technology provide new ideas for the network security of smart ports, especially in data sharing, identity authentication, transaction security, and supply chain traceability.

Specifically, decentralized security authentication and access control using blockchain technology can create a distributed identity authentication system so that different entities in the port can safely access and share data. Prevent unauthorized access and information leakage through smart contracts and encryption mechanisms. In addition, studying how to apply blockchain technology to the port supply chain management system enhances data transparency and traceability while preventing forgery and tampering in the supply chain. Blockchain can help achieve secure logistics tracking and improve the security of goods and data.

Meanwhile, AI techniques such as machine learning, deep learning, and anomaly detection can be employed to identify abnormal behaviors, predict cyber threats, and optimize incident response strategies in real time. When integrated with DES control theory, AI could assist in dynamic decision-making, system state estimation, and adaptive control under uncertain or adversarial conditions. Blockchain could serve as a trust layer that records DES-based events, control decisions, and system transitions in an immutable ledger, thereby improving traceability, accountability, and resilience of cybersecurity management frameworks. In summary, the joint use of AI, blockchain, and DES control theory represents a promising direction for developing autonomous, transparent, and verifiable cybersecurity architectures in maritime and port environments.

7. Conclusions

The increasing integration of connected and automated systems in the maritime and port sectors has greatly improved operational efficiency but also introduced significant cybersecurity challenges. As digitalization expands, vulnerabilities across OT and IT layers become more critical, requiring continuous assessment, rapid detection, and effective protection mechanisms. This survey emphasized the potential of DES modeling as a formal and systematic approach for analyzing, detecting, and mitigating cybersecurity issues in maritime and port domains. DES-based methods enable structured representation and proactive defense design for complex event-driven systems.

Future research should address current limitations such as data availability, standardization, and tool interoperability while exploring integration with emerging technologies like AI, digital twins, and blockchain. Advancing these directions will help build more adaptive and resilient frameworks to secure next-generation smart ports.