TL;DR — too long, didn’t read
Siemens dropped 18 ICS security advisories on 13 May. Several hit equipment you will find in every major port and offshore installation. We lead with what needs patching and why Ruggedcom switches should be first on the list.
This issue also covers two stories that are not from last week but deserve your attention now: the Adriatic Port Authority breach (56 000 files leaked, 36 days before anyone was told, an Italian Senate inquiry) and a mounting case that offshore wind farms are becoming an OT attack surface with no clear owner. These are the stories that belong on your risk register even when they do not make the headlines.
Three things that matter this week
ICS Patch Tuesday — 22 advisories, and your port is probably running the affected gear
On 13-14 May, Siemens published 18 new ICS security advisories. Schneider Electric added four. Several describe critical vulnerabilities in hardware that is standard in ports, terminals, offshore platforms, and vessel monitoring systems.
Here is what matters for maritime:
Ruggedcom Rox (industrial Ethernet switches) — command execution as root. If you run Ruggedcom switches in your port network, and most European ports do, an attacker who reaches the management interface can execute arbitrary commands with full system privileges. Versions before V2.17.1 are affected. Siemens also disclosed crypto weaknesses and buffer overflows in the same product line.
Ruggedcom APE1808 — affected by the Palo Alto Networks PAN-OS vulnerability (CVE-2025-0128), actively exploited in the wild with possible attribution to Chinese state-sponsored actors. The APE1808 runs third-party security applications alongside Ruggedcom switches. The device meant to protect your OT network is itself compromised.
SIMATIC S7 PLC web server — cross-site scripting. S7 PLCs run port cranes, terminal automation, cargo handling, power distribution. The web server is often the only management interface operators touch.
Sentron 7KT PAC1261 Data Manager — critical device takeover in energy monitoring equipment used in port electrical infrastructure and offshore installations.
SIMATIC CN 4100 — +300 vulnerabilities in third-party components of this cloud connector for OT environments. CN 4100 is showing up more often in remote monitoring setups for maritime and offshore assets. One device, +300 ways in.
What to do: Patch Ruggedcom first. Root-level command execution on your core network switches is the highest blast radius item on this list. Check whether your APE1808 units have PAN-OS exposed to the internet. For S7 PLCs, restrict web server access to management VLANs. Full advisory list at CISA ICS advisories, 14 May 2026.
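The triage order above, run against an asset inventory, as an added example that is not part of the original newsletter or any vendor tool. The CSV columns, host names and zone labels are assumptions; only "Ruggedcom first" and the V2.17.1 threshold come from the text, and the P2/P3 ranking simply follows the order of the paragraph.

```python
import csv
import io
import re

# Constructed sample inventory; hosts, columns and zone names are hypothetical.
INVENTORY = """host,product,version,mgmt_exposure
sw-quay-01,Ruggedcom Rox,V2.16.4,ot-mgmt-vlan
sw-quay-02,Ruggedcom Rox,V2.17.1,ot-mgmt-vlan
sw-gate-03,Ruggedcom Rox,,ot-mgmt-vlan
fw-gate-01,Ruggedcom APE1808,,internet
plc-crane-07,SIMATIC S7,,corporate-lan
plc-crane-08,SIMATIC S7,,ot-mgmt-vlan
"""

ROX_FIXED = (2, 17, 1)  # the page: versions before V2.17.1 are affected


def parse_version(text):
    """Turn 'V2.17.1' into (2, 17, 1); return None when it cannot be parsed."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage(row):
    """Return (priority, reason) for an affected asset, else None."""
    product = row["product"].lower()
    zone = row["mgmt_exposure"].lower()
    if "rox" in product:
        ver = parse_version(row["version"])
        if ver is None:  # an empty or odd version must not pass silently
            return 1, "Rox version unknown: verify against V2.17.1"
        if ver < ROX_FIXED:
            return 1, "Rox below V2.17.1: patch first"
    elif "ape1808" in product and zone == "internet":
        return 2, "APE1808 reachable from the internet: check PAN-OS exposure"
    elif "s7" in product and zone != "ot-mgmt-vlan":
        return 3, "S7 web server reachable outside the management VLAN"
    return None


def findings(csv_text):
    """Sorted (priority, host, reason) list for every flagged row."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hit = triage(row)
        if hit:
            out.append((hit[0], row["host"], hit[1]))
    return sorted(out)


if __name__ == "__main__":
    for prio, host, reason in findings(INVENTORY):
        print(f"P{prio} {host}: {reason}")
```

Switches with a missing version string are flagged at the same priority as known-old ones, so a gap in the inventory shows up as work to do rather than as a clean result.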
Port of Ancona — 56 000 files leaked, 38 days of silence, and an Italian Senate inquiry
This is from January 2026. We have not covered it before. It deserves attention, not for the attack itself, but for everything that happened after.
On 11 December 2025, the Anubis ransomware group breached the Adriatic Port Authority in Ancona, Italy. They took 36 GB across 56 000 files in 8000 folders. Medical certificates. Salary records. IBANs. Identity documents. Infrastructure reports. Budget forecasts. PNRR project credentials. Documents related to MSC Cruises' terminal management proposal.
The attack landed during the port's migration to Italy's national strategic cloud (Polo Strategico Nazionale). Worst possible timing.
But the breach is not the story. The notification timeline is.
11 December 2025 — attack occurs
8 January 2026 — internal circular calls it a "computer problem." 28 days later.
14 January 2026 — Anubis claims the attack and starts publishing data
16 January 2026 — port issues its first official communication. 38 hours after the data hits the dark web. 36 days after the breach.
By the time employees were formally told, their personal data was already circulating. Staff had to contact banks to change IBANs, redo identity documents. Regional officials found out from newspapers.
Italy's Privacy Authority (Garante) opened an investigation. The Senate launched a formal inquiry. Postal Police started a criminal case.
Under NIS2, essential entities must send an early warning within 24 hours and a full notification within 72 hours. Ancona took 36 days. The port called the attack "not particularly sophisticated." It was also the second breach of the same systems. The first was in March 2024 and affected over 2250 GB.
I keep coming back to one thing here. Every port has an incident response plan somewhere. Most of them have never been tested against a real clock. Ancona shows what happens when the plan exists on paper but nobody runs it under pressure.
Offshore wind — the OT attack surface nobody owns
Not one incident. A pattern.
Offshore wind farms are maritime assets that generate power. They sit in the middle of the sea, connected to shore by subsea cables and satellite links, maintained by crew transfer vessels and service operation vessels, and controlled remotely via SCADA running on Siemens, ABB, and Schneider PLCs. The same vendors we just covered in Story 1.
In 2022, three separate cyberattacks hit German wind energy operations. ENERCON lost remote monitoring of 5800 turbines after the Viasat satellite hack. Deutsche Windtechnik confirmed a direct cyberattack. Nordex SE shut down IT systems after Conti ransomware. Three attacks, one country, one year.
In April 2026, Polish CERT and Denmark's CFCS coordinated a response after credential stuffing attacks hit maintenance contractor portals for North Sea and Baltic wind farms (we covered this in Issue #7). DNV and Equinor launched the CLUE taxonomy for offshore near-miss incident sharing.
Idaho National Laboratory's attack surface assessment documented turbine cabinets pickable in under 60 seconds, unsegmented networks where one compromised turbine gave access to the entire farm, and remote SCADA connections with weak authentication.
The structural problem is simple. DNV and Siemens Energy launched a joint project in late 2024 to write OT cybersecurity guidance for offshore wind, because no standard tells operators how to implement IEC 62443 or NIS2 in a wind farm. The regulation exists. The how-to does not.
Maintenance crews regularly connect laptops and diagnostic equipment to turbine control systems. Vendor remote access tunnels run around the clock. OEM firmware updates arrive over satellite links with limited integrity checks. If you have spent time looking at commercial vessel cybersecurity, this will feel familiar. The difference is that wind farms feed into national power grids. The blast radius is not one ship. It is a regional blackout.
What to do: If you operate or insure offshore wind, demand an OT asset inventory. Verify that vendor remote access is authenticated, logged, time-limited, and monitored. Segment turbine control networks from corporate IT. And test the scenario where an attacker moves from a compromised CTV laptop to the farm SCADA. That path is open today.
Coming up
USCG MTSA cyber compliance — the training deadline passed in January. CySO designation and cybersecurity plan submissions are due July 2027. We will cover the compliance roadmap in a future issue.
Confidence Conference, Kraków (26-28 May) — We will be there. Reach out if you are in the Polish cyber community.
PT XXI, Polish Naval Academy, Gdynia (1-3 June) — presenting on maritime tabletop exercises. Details soon.
Full conference calendar → mc3.maritime-ogmios.tech
Number of the week
+300 — third-party component vulnerabilities in a single Siemens SIMATIC CN 4100 cloud-to-OT gateway. One device connects your industrial equipment to remote monitoring. One device has +300 known ways in.
Resource of the week
Maritime Cyber Intelligence Brief covers what the weekly cannot: full incident timelines, regulatory analysis, GNSS threat data, and OT advisory breakdowns.
The latest issue (1-15 May 2026) is a free preview.
Idaho National Laboratory: "Attack Surface of Wind Energy Technologies in the United States" (2024)
The most thorough public assessment of wind farm cyber vulnerabilities I have seen. Real attack paths, from cabinet locks to SCADA compromise, documented across US wind installations. If you work in offshore energy or underwrite renewable assets, read this.
Available at inl.gov (search "wind threat assessment")
Read of the week
"Countdown to Zero Day" by Kim Zetter — the full story of Stuxnet, the first cyberweapon to cross the line from data to physical destruction. It targeted Siemens S7 PLCs, the same product family that showed up in this week's advisories. If you run industrial control systems in a port or offshore installation and want to understand what a state-sponsored OT attack actually looks like from the inside, this is the book.
