Around the world, maritime infrastructure is apparently under attack.
In 2022, a suspected covert operation widely believed to have involved deep-sea explosives ruptured three of the four Nord Stream gas pipelines in the Baltic Sea. In 2023, the Chinese container ship Newnew Polar Bear dragged its anchor across the Gulf of Finland for more than 100 miles, ripping open a natural gas pipeline and a telecommunications cable. And in 2024, the Chinese bulk carrier Yi Peng 3 dragged its anchor through the Baltic Sea — severing two fiber-optic cables linking Finland, Germany, Sweden and Lithuania.
While intent remains disputed and formal attribution has not been publicly assigned, these incidents highlight possible “Gray Zone” warfare attacks that are taking place against maritime infrastructure today. A Gray Zone attack is one whose origin is uncertain, and has enough ambiguity attached to it that it stays below the threshold of declared war against the attacker. But the threat to equipment, commerce, and national security is very real — and growing in severity every day.
So what can be done to protect maritime infrastructure; not just submerged pipelines and cables, but floating oil platforms and ships, especially when hostile actors are increasingly hiding behind the veil of routine civilian traffic? To find out, TSI spoke with three experts in the field.
Nate Knight is the press and marketing contact for Maritime Information Systems, Inc./MotionInfo. Their Maritime Information Systems (MIS) division focuses on tracking ships, protecting subsea cables, and environmental monitoring (such as their “StationKeeper” project, which protects whales from ship strikes).
Lasse Krabbesmark is the product manager for Maritime Security, and Kartheeban Nagenthiraja is the director for business development (critical infrastructure) for Systematic. Systematic is a Danish software developer of “SitaWare,” a suite of command-and-control systems used by navies and intelligence agencies worldwide to integrate sensor data and monitor maritime threats.
TSI: When we speak about attacks on maritime infrastructure, what precisely are we talking about, and who is behind them?
Nate Knight: In terms of asking “what” is at risk, the categories of attacks on maritime infrastructure include assets such as floating offshore platforms, fixed oil and gas installations, offshore wind farms, liquefied natural gas (LNG) terminals, subsea pipelines and cables, port approaches, anchorage zones, and associated support infrastructure. These assets are often geographically dispersed, difficult to physically secure, and essential to national energy, communications, and transportation systems.
Lasse Krabbesmark: The “who” part of your question is actually very hard to answer. We have seen a lot of these threats, especially here in our region around Denmark. We have seen a lot of situations with cables being cut in one way or another. One example is the Yi Peng 3, where a Chinese-flagged bulk carrier dragged an anchor and severed critical cables for telecommunication. We have also seen cable cutting between Finland and Germany, and the very notable situation with the Nord Stream pipelines back in 2022.
These incidents do have the characteristics of Gray Zone warfare, because it is very hard to detect who actually did it. I mean, you can see the particular ship that did it, but who is behind these attacks and why do they do it?
Well, typically it is done to cause some sort of destabilization without triggering a real military response. These Gray Zone attacks can happen in multiple vectors. It can be physical sabotage, such as the cable cuts, but also cyberattacks. There are a lot of cyberattacks going on right now.
Knight: Threats increasingly stem from deliberate human actions rather than purely environmental or accidental causes. These include unauthorized vessel proximity, intentional anchoring over pipelines or cables, tampering with equipment, surveillance by hostile actors, and in some cases sabotage. Recent global incidents involving damaged subsea cables, suspicious vessel loitering near offshore energy assets, and intentional interference with maritime operations highlight the growing vulnerability of these systems. Many of these assets to be secured are also in international or near-international waters where heavy traffic as well as disputes can arise. Nations are as big a concern as “lone wolves” to many companies.
TSI: What technological remedies exist to deter and protect against these attacks — and is AI playing a role in countering them?
Krabbesmark: In terms of detection, if we look at the Yi Peng 3 case, it was AIS — the Automatic Identification System for shipping — that actually tracked the movement of that ship.
If we look at Danish waters, around 4,000 to 5,000 ships pass through every year. It is too much for a human operator to get a view of the entire picture on their own. What AI can do is detect patterns and identify anomalies in the way that these ships are operating.
We did this kind of analysis after the Yi Peng 3 cut a cable between Estonia and Finland. Using AIS, we analyzed how it behaved when it sailed into the Baltic Sea. We could actually see when the Yi Peng 3 decreased speed and changed course when it was in Danish waters, just over a cable between Denmark and Sweden.
On the way going into the Baltic, the Yi Peng 3 actually tried to cut a cable into Denmark. That was detected by AIS running the ship’s track post-event in Finland, and it was not detected by the operators at the time.
Unfortunately, we had the data, but we lack the real-time integration and automatic response triggering. And that was just AIS. We also need a lot of other sensors to get the full picture. We need to include radar as well, because AIS can be spoofed, it can be jammed, and it can be manipulated to send out what you want to send out. Radar is a lot harder to do anything with because it is observing what is going on in the real world.
We need to include satellite navigation because that can detect the vessels out of range for radars. We also have the possibility to add Distributed Acoustic Sensing (DAS), which is a cable monitoring system, on our subject cable infrastructure and our fiber optic cables. Then, we need to apply pattern analysis algorithms across it.
Overall, we need to apply a correlation between all of this. If we can do that, then we will be able to find out who did the thing that we are interested in. However, before the owners of critical infrastructure will agree to include additional sensors, they need the right incentive to do this integration. I think a lot of it comes down to having the right legislation and the right legal framework to tell the owners and operators of critical infrastructure that they need to, one, monitor the area around their critical infrastructure — both on the surface and below the surface — and two, share it with the authorities that are responsible for protecting that critical infrastructure.
Knight: Detection relies on layered sensor systems such as AIS, radar, ADS-B (in aviation-adjacent environments), acoustic sensors, satellite data, and time-series telemetry. AI plays a role in filtering massive data streams, identifying anomalous behavior, distinguishing routine traffic from potential threats, and prioritizing alerts to operators. Machine learning models are particularly good at recognizing patterns like loitering, course deviations, or repeated boundary incursions that would otherwise be missed.
TSI: How well have these deterrence and defense remedies worked to date?
Knight: Deterrence is most effective when detection is paired with a visible, timely response. These include automated warnings, targeted digital messaging to vessels or operators, enforcement notifications, and integration with regulatory or security agencies. AI supports these efforts by enabling faster decision-making, reducing false positives, and ensuring that interventions are proportionate and well-timed rather than reactive or overly broad.
When properly deployed, these systems have proven effective in reducing non-compliant behavior and increasing operator awareness. The most successful implementations combine technology with clear operational protocols and human coordination. MotionInfo has experienced significant success with this system, achieving a nearly 100% message reception rate and nearly 90% adherence from the vessel.
Krabbesmark: Typically, at least in Denmark, the owners of critical infrastructure are not allowed to react to a threat physically. They can just report it and then sit back and wait. That goes for most countries. We do not allow the operators to shoot down aircraft that are approaching their infrastructure.
That is a good thing. I do not think the owners of critical infrastructure should be allowed to shoot down potential threats because that is a lot of responsibility to put on them. After all, if they do not know for sure that it is really a threat to their infrastructure, then accidents are bound to happen.
Kartheeban Nagenthiraja: I completely agree. Energy infrastructure owners would not like to have this responsibility to act on threats because they do not have the experience, the capability, the personnel, and so on. But they are willing to invest in equipment and share their data with national defense agencies, if those agencies will take the responsibility to do something to neutralize the threat. So, there is a willingness from the private owners to invest in these kinds of technologies and build the technology framework to have this kind of assurance.
TSI: What future threats to maritime infrastructure do you anticipate, and what needs to be done to protect against them?
Knight: Future threats will likely involve more sophisticated probing of infrastructure, increased use of unmanned systems, and blended physical–cyber tactics. Addressing these risks requires greater integration between sensor networks, stronger data-sharing frameworks, and continued investment in analytics that can adapt to evolving threat behaviors rather than static rule sets.
Krabbesmark: Now that drones are becoming increasingly cheap, we might see swarm attacks on critical infrastructure by drones in different ways. We might also see our cables being targeted at greater depths because Remotely Operated Vehicle (ROV) technology is becoming more and more accessible. So perhaps we will see cable cuts at two to four-kilometer depths.
We also might see multi-domain coordination so that a cyberattack on, for instance, some monitoring system will be coordinated with a physical attack, so it is impossible to find the adversary afterwards. Another option is to stage a small physical attack on infrastructure that will render that infrastructure inaccessible in the cyber domain so that the owners of the infrastructure cannot really do anything.
You might also see that instead of focusing on specific critical infrastructure like cables and turbines, some adversaries will focus on economic choke points — for instance, a harbor entrance. Coming from a background in mine warfare, I know how hard it is to find a sea mine at the bottom of the ocean. If some adversary drops a mine in the entrance to a great harbor, then that harbor is closed for a very long time. And if they combine it with throwing in some old refrigerators or debris to clutter up the picture and make the mine-hunters look for a lot more objects, then it will be closed for even longer. It is just a question of how creative you are in your attack vectors.
TSI: Finally, do we need to rethink the design of maritime infrastructure to build deterrence and defense into future projects?
Knight: Yes. Future infrastructure projects should incorporate security and monitoring as core design elements rather than add-ons. This includes built-in sensor integration, data connectivity, and defined response pathways. Designing with deterrence in mind from the outset reduces long-term risk, lowers operational costs, and improves resilience across the asset’s lifespan.
Krabbesmark: We need to rethink both the legislation around it and also how the infrastructure itself will be built. So, first of all, we need some sort of legal requirement for mandatory surveillance around critical infrastructure. It could either be the operators putting it up or providing a platform for the military or the defense forces to set up monitoring systems on the infrastructure.
We also need to centralize the responsibility to make sure that it is just a single authority that is responsible for end-to-end protection of critical infrastructure. It must not be split between agencies because then we will not be able to react in time.
We must also ensure that we invest in AI and data analytics to be able to detect the threats coming from this vast amount of data inputs. We will not be able to monitor it all with just human operators. We also must ensure greater international cooperation and coordination because these threats are international. It was a Chinese ship passing through Danish waters that ended up cutting a cable in Finnish waters.
Finally, we must be transparent about our capabilities. That will make adversaries think twice before they do something — if they know that what they potentially will do will be recorded and they will be put to trial afterwards. Luckily, we do see some of these things being implemented. For instance, Poland has put out a tender for a new wind farm, and they have put in requirements that the sensors should be installed there as well. So, it is definitely coming.