Inland waterway transport (IWT) Cybersecurity

When we talk about maritime cyber risk, we picture the deep-sea ship: the bridge, the ECDIS, the satellite link. But a large share of the cargo that moves through the world's seaports never starts or ends at sea. It moves on rivers and canals, on barges pushed by towboats, through locks and dams controlled by industrial systems, many of them older than the people operating them.

Inland waterway transport (IWT) is one of the largest, least-discussed pieces of global freight infrastructure. It runs on almost the same technologies as deep-sea shipping (AIS, ECDIS, GNSS, traffic-management systems), it physically connects to the same seaports, and it is governed by a regulatory patchwork with a hole in the middle where a binding cyber standard should be.

This Special Edition maps IWT cybersecurity globally: where it matters, what technology it runs on, what threatens it, how it is (and is not) regulated, and why it belongs on every maritime security professional's radar.

Finding 1: Inland waterways are a global system, not a European curiosity

The reflex is to think of inland navigation as the Rhine and a few Dutch canals. The reality is far larger, and the centre of gravity is not in Europe.

China runs the world's busiest inland waterway by an enormous margin. Yangtze River port throughput exceeded 4,02 billion tonnes in 2024 — the first time above 4 billion, up 3,9% year on year, and more than all of Europe's inland waterways combined. The river has 16 ports each handling over 100 million tonnes a year; in 2024 it moved 850 million tonnes of coal, 130 million tonnes of oil and gas, and 26,2 million TEU of containers.

The United States is second, and structurally dependent on it. US inland waterways carry roughly 500-625 million tonnes a year (sources vary by year and definition) — around 14% of US intercity freight. The Mississippi alone moved 257 million tonnes in 2022. Critically, over 60% of US grain exports move by barge: a disruption on the river is a disruption to global food markets.

Europe remains the most regulated and digitally mature corridor (Rhine and Danube; Germany, the Netherlands, Belgium), with the most developed River Information Services and the only sector-specific cyber guidance.

And then there is everywhere else, which rarely makes the maritime-cyber conversation:

Region

Main waterway(s)

Annual cargo

Note

China

Yangtze, Grand Canal, Pearl

4,02 billion tonnes (2024)

World's busiest; most automated

USA

Mississippi-Ohio, Great Lakes, GIWW

~500-625 million tonnes

#2; 60% of US grain exports by barge

India

National Waterways (Ganges NW1 etc.)

145,5 million tonnes (FY24-25)

Fastest-growing (~21% CAGR); modern RIS

Russia

Volga / Unified Deep Water System

~110 million tonnes (2021)

Soviet-era infrastructure, 50-70 yrs old

Bangladesh

Ganges-Brahmaputra-Meghna delta

~194 million tonnes

River-dense; legacy fleet, seasonal

SE Asia

Mekong (Vietnam/Cambodia)

~85 million tonnes (2020, region)

Patchy tech; growing cross-border TEU

South
America

Paraguay-Paraná Hidrovía

~26 million tonnes (sections), +100 million (system)

Soy/iron-ore export backbone

Europe

Rhine, Danube

mature

Most regulated; only sector cyber guidance

Africa

Congo, Nile, Niger

underdeveloped

Nile just 0,64% of Egypt's freight; latent

The pattern matters for cyber risk, and it splits the world into three tiers. The biggest, most digitised systems (China, the US, increasingly India) carry the largest attack surface: dense AIS networks, RIS platforms, automated locks. The strategically weaponised systems (Russia's Volga-Don, used to move warships between the Caspian and Black Seas when the Bosphorus is closed; the Paraguay-Paraná, where Argentina's government signed a 2024 memorandum to station US military personnel) sit at the centre of geopolitical contests. And the legacy/emerging systems (Bangladesh, the Mekong, Africa) run on aging or minimal technology — Nigeria still surveys its rivers with handheld Garmin GPS units — yet are digitising fast, usually without any security baseline. Nearly all of them feed directly into seaports, which means an inland compromise does not stay inland.

Why this matters: If your supply chain touches grain, coal, ore, containers, or petrochemicals, it almost certainly rode a barge at some point. The cyber maturity of that leg is usually far below the deep-sea leg, and almost nobody is looking at it.

One thing to do: When you map your maritime cyber exposure, extend the map upstream — to the inland terminals, barge operators, and river-port systems your cargo passes through, not just the ocean vessel and the seaport.

Finding 2: The technology is the same as maritime - and often older

If you know maritime OT, you already know most of inland navigation's technology. The stack is nearly identical: AIS for vessel tracking, ECDIS and electronic charts, GNSS positioning, VHF, vessel traffic services. Inland navigation adds its own integrating layer — River Information Services (RIS) — and one category maritime largely lacks: the SCADA and control systems that run locks, weirs, movable bridges, and dams.

What varies enormously is age. The same function runs on completely different generations of technology depending on where you are.

Region

Positioning

RIS / charts

Lock & dam control

Maturity

China (Yangtze)

Beidou + GPS

NIWIS; Inland ECDIS mandatory since 2018; +4200 AIS stations

SCADA-automated (ship lifts)

Cutting-edge

Europe (Rhine/Danube)

GPS / EGNOS

ES-RIS, Inland ECDIS, NtS, Inland AIS

Modern SCADA

Mature

USA

DGPS

ECDIS on lower Mississippi; legacy elsewhere

LDCS SCADA (modern) / 1930s electro-mechanical (60% of upper locks)

Hybrid

India (NW1)

DGPS

RIS, LADIS depth system, PANI charts

Conventional barrages

Modernising fast

Russia (UDWS)

GLONASS + GPS

ECDIS standard

Soviet-era SCADA, 50-70 yrs

Legacy + dual-GNSS

Bangladesh / Mekong / Africa

Handheld GPS

Minimal to none (Nigeria: Garmin eTrex surveys)

Basic or none

Legacy / minimal

The cutting edge: China's Yangtze runs a fifth-generation system — the National Inland Waterway Information System, mandatory Inland ECDIS since 2018, Beidou augmentation for narrow canyons, SCADA-controlled ship lifts. India has moved fast: RIS on NW1, the LADIS depth-information system, the PANI digital-chart portal.

The aging middle: The US lower Mississippi has modern ECDIS and automated lock control, but 60% of upper-river locks still run 1930s electro-mechanical controls, and the Army Corps operates locks averaging +60 years — past design life. Russia runs dual GLONASS/GPS and electronic charts on lock and dam SCADA that is largely Soviet-era, upgraded piece by piece.

The minimal end: Bangladesh's huge fleet is largely non-instrumented. The Mekong has no RIS downstream and VTS only in the Vietnamese delta. Nigeria surveys 10 000 km of potential waterways with handheld Garmin units. Egypt is leapfrogging — deploying a smart RIS (built by Austria's Frequentis) onto a river that still carries under 1% of national freight.

The security implication is uncomfortable. Modern systems concentrate risk: one platform, many vessels, automated control. Legacy systems cannot be patched, segmented, or monitored the way modern IT can — the same problem maritime OT faces, but on infrastructure that is often decades older and run by smaller operators. And the lock/dam SCADA layer is a genuinely safety-critical attack surface: a compromised lock that mis-controls water levels is not a data breach, it is a physical incident.

Why this matters: The technologies that carry maritime cyber risk — AIS with no authentication, spoofable GNSS, ECDIS, networked OT — are the same ones inland navigation runs on, frequently older and less maintained. If you have assessed a vessel or a port, you have already done most of the analysis for a barge operator or a river port.

One thing to do: Apply your maritime threat models — AIS spoofing, GNSS jamming, ECDIS manipulation — to inland assets too, and add the one category most maritime assessments skip: the lock, weir, and bridge control systems, which are safety-critical and usually the oldest systems on the network.

Finding 3: The threats are real - and the incidents nobody files under "inland"

Inland navigation faces the same three threat categories as maritime, plus one of its own. AIS, RIS and GNSS manipulation: inland AIS has no authentication and is spoofable, river GNSS is jammable, and RIS platforms aggregate traffic data worth attacking. Ransomware on ports and logistics: the campaigns that hit seaports hit river ports and barge operators too. And lock, dam and bridge SCADA — the category maritime largely lacks, and the one with physical-safety consequences.

The incidents are not hypothetical. The clearest involve dam control systems:

Bremanger, Norway (April 2025). Pro-Russian hackers breached the control system of the Lake Risevatnet dam and opened a floodgate, releasing roughly 7,2 million litres of water over four hours before anyone noticed. Norwegian authorities attributed it to pro-Russian actors in August 2025. The intrusion vector was not sophisticated — a weakly secured, internet-facing control interface. In investigators' framing it was a demonstration: proof that remote sabotage of European dam infrastructure is possible.

Bowman Avenue Dam, New York (2013, charged 2016). An IRGC-affiliated hacker repeatedly accessed the SCADA system of a dam in Rye, NY, reading water levels and sluice-gate status. The gate happened to be manually disconnected for maintenance — the only reason he could not manipulate water flow. The US Justice Department charged seven Iranians in 2016. The pattern continues: in 2023 CISA warned that IRGC-affiliated actors were exploiting the same class of PLCs across US water and wastewater systems.

Port of Kennewick, Washington (2020). Ransomware crippled the IT systems of an inland river port — one of the few inland-port incidents ever reported in technical detail.

And not every threat is cyber. Russian drone strikes on Ukrainian Danube river ports (Reni, Izmail, 2023-24) showed that inland hubs are high-value strategic targets in conflict — which only sharpens the case for hardening their digital systems.

The deeper problem is visibility. Most inland incidents are filed under "port" with no distinction of mode, or never reported at all: inland ports are often small entities with no disclosure obligation and no PR function. Bremanger and Bowman are alarming precisely because they are the documented exceptions, not because they are isolated.

Why this matters: A compromised lock or dam is not a data breach. It is water at the wrong level, a gate open when it should be shut — a physical-safety event. And the most damaging documented inland-cyber incidents to date have been state-linked, aimed squarely at this OT layer.

One thing to do: Find every internet-facing control interface on your locks, weirs, dams, and movable bridges, and assume an attacker can reach it. Bremanger happened because a control system sat on the internet with weak authentication. That is a one-afternoon audit that would have prevented the highest-profile inland OT attack in Europe.

Finding 4: The regulatory hole where a cyber standard should be

Deep-sea shipping has a binding cyber baseline. IMO Resolution MSC.428(98) requires cyber risk to be addressed in every SOLAS ship's safety-management system — cyber compliance is part of being allowed to sail. Inland navigation has no global equivalent. None. A barge, a river port, or a lock operator is governed only by whatever regional rules happen to apply.

Those regional rules are a patchwork:

  • EU — the most developed. NIS2 explicitly covers inland water transport companies and inland-port managing bodies as essential/important entities above size thresholds (risk management, 24/72-hour incident reporting, management liability). The RIS Directive's Article 9 requires protection of RIS data. CESNI publishes sector-specific cyber good-practice guidance (notably for inland ports). The Cyber Resilience Act adds product-level requirements. It is still mostly voluntary at the vessel level, but it is a framework.

  • USA — fragmented across agencies. USCG MTSA regulations cover qualifying ports and facilities. The US Army Corps of Engineers, which operates the locks and dams, runs its own internal cybersecurity programmes for that infrastructure. CISA provides general critical-infrastructure guidance. No single inland-navigation cyber rule ties them together.

  • China — a national cybersecurity law and heavy use of AIS for inland and coastal monitoring point to growing critical-infrastructure focus, but sector-specific inland norms are opaque.

  • Everyone else — national laws and port-authority policies of varying maturity, or nothing.

The gap sits exactly where it is most dangerous: at the seam between inland and maritime, where the same cargo, vessels, and digital systems cross from a heavily regulated domain into a lightly regulated one.

Why this matters: Your seagoing vessels carry a mandatory cyber baseline. The barge that delivered their cargo, and the river port that loaded it, almost certainly do not. Attackers do not respect the regulatory boundary; your risk assessment should not either.

One thing to do: If you operate across both domains, do not wait for an inland MSC.428 that may never come. Extend your maritime cyber-risk management voluntarily to inland assets and contracts — the controls are the same, and NIS2 (in Europe) may already require it of your inland partners whether they realise it or not.

Finding 5: Why this is a maritime problem, not someone else's

The reason inland waterway cyber risk belongs in a maritime newsletter is simple: the two domains are physically and digitally fused.

Physically, inland waterways are the hinterland reach of the seaport. Barges deliver and collect cargo from ocean vessels at the quay; grain from the US Midwest, soy from the Paraguay-Paraná, iron ore from the Amazon's Arco Norte, containers from the Mekong delta and India's Ganges all transit a river before or after they touch a ship. A disruption on the river is a disruption at the port, and vice versa.

Digitally, they run on the same systems: AIS, ECDIS, GNSS, terminal operating systems, and port community systems span both domains, often from the same vendors. A compromise in a shared TOS or a shared satellite provider does not stop at the waterline. Cyber incidents at seaports can cascade upstream to inland barges and terminals; disruptions to inland navigation infrastructure ripple back to vessel operations at the seaport.

This is why siloed security fails here. The barge operator, the river port, the seaport, and the ocean carrier share an attack surface, shared vendors, and — increasingly — shared adversaries running geopolitical campaigns against the whole logistics chain.

Why this matters: You can secure your vessel and your seaport perfectly and still inherit risk from an inland partner you never assessed, through a shared system or a cascading disruption. The maritime supply chain is only as secure as its least-secured mode, and right now that is almost always the inland leg.

One thing to do: Add the inland leg to your supply-chain cyber due diligence. Ask your barge operators, river ports, and inland terminals the same questions you ask your seaport partners — and treat shared vendors (TOS, satellite, RIS/port-community platforms) as a bridge an attacker can cross in either direction.

Six takeaways

  1. Inland waterways are global systems, not a European niche. China's Yangtze alone moved 4,02 billion tonnes in 2024 — more than all of Europe's inland waterways combined.

  2. The technology is maritime's technology, often older. AIS, ECDIS, GNSS, the same stack. If you know maritime OT, you already know most of inland navigation — what you are missing is the lock and dam control layer.

  3. Lock and dam SCADA is the extra attack surface, and it is safety-critical. A compromised lock is not a data breach, it is water at the wrong level. The clearest documented incidents (Bremanger, Bowman Avenue) hit exactly this layer.

  4. State actors are already there. The most serious inland-cyber incidents to date are Russia- and Iran-linked, aimed at dam and water control systems.

  5. The regulatory gap is real. There is no inland equivalent of IMO MSC.428. NIS2 is the closest thing, and only in Europe.

  6. It is a maritime problem. Inland and seaport are physically and digitally fused. Your maritime supply chain is only as secure as its inland leg — the one almost nobody assesses.

What I'm watching next

  • Whether any body moves toward an inland cyber baseline — a CESNI standard, an IMO extension, or a US inland-specific rule

  • Copycat or demonstration attacks on dam and lock OT in the wake of Bremanger

  • The security of India's RIS rollout as National Waterways traffic scales at ~21% a year

  • The cyber dimension of Russia's militarised Volga-Don and the INSTC corridor

  • Whether NIS2 enforcement actually reaches inland operators and inland ports in 2026-27

Resources

  • CESNI / EFIP Good Practice Guide on Cybersecurity in Inland Navigation (2023) — the most concrete inland-specific guidance: threat taxonomy, asset mapping, ~120 mitigation measures. Europe-centric but the controls travel. cesni.eu

  • PIANC Task Group 204 Awareness Paper on Cybersecurity in Inland Navigation — the foundational reference

  • Bremanger dam incident — coverage via BleepingComputer / SecurityWeek (April 2025)

  • DOJ indictment, Bowman Avenue Dam (2016) — justice.gov

  • IWAI National Waterways data (India) — iwai.nic.in

Keep reading