Maritime GMDSS and Satellite Communication Security

GMDSS and the Modern Satcom Estate

The Global Maritime Distress and Safety System is the internationally agreed set of safety procedures, equipment and communication protocols that ensure a vessel in distress can raise the alarm and coordinate rescue. It is mandated under the SOLAS Convention for most commercial vessels and combines several communication technologies: terrestrial VHF, MF and HF radio with Digital Selective Calling, the Inmarsat satellite services, the EPIRB distress beacon system, and increasingly the recently recognised Iridium satellite services that extended GMDSS coverage to the polar regions.

Alongside the safety-mandated GMDSS equipment sits the commercial satcom estate that the vessel uses for everyday connectivity: VSAT for broadband, FleetBroadband for IP data and voice, and Iridium Certus for resilient lower-bandwidth links. In a modern installation, these are not isolated radio sets. They are networked appliances with Ethernet interfaces, embedded operating systems, web-based configuration portals and, very often, a connection to the same ship LAN that carries other traffic. The line between the safety-critical GMDSS function and the general-purpose satcom data function has blurred, and so has the cyber risk that each carries.

This convergence is the heart of the problem. A piece of equipment whose primary regulatory purpose is to summon rescue in a life-threatening emergency now shares characteristics, and sometimes a network, with a general-purpose internet gateway. That makes the satcom estate one of the highest-priority areas in any vessel cyber assessment.

How Satcom Terminals Get Compromised

Public security research over the last several years has repeatedly demonstrated cyber weaknesses in widely deployed maritime satcom terminals. The recurring categories are consistent across vendors and product generations, and they are exactly the kinds of weaknesses a network defender would recognise from any embedded device.

The first and most common is default or hardcoded credentials. Many terminals ship with administrative usernames and passwords documented in the vendor manual, and a large proportion of installed units still use them because they were never changed at commissioning and are reset to defaults during service. The second is exposed and weakly protected management interfaces, where the web-based configuration portal is reachable from the ship LAN, or even from the public internet through the terminal itself, with authentication that can be bypassed or brute-forced. The third is firmware weaknesses, including the ability to downgrade to older vulnerable firmware, unsigned firmware updates, and known unpatched vulnerabilities that persist because patching depends on a technician visit.

The consequence of a compromised terminal goes well beyond the terminal itself. Depending on how it is connected, an attacker who controls a satcom unit may be able to read or modify traffic passing through it, reach other devices on the ship LAN, establish a persistent foothold that survives reboots, manipulate the data the terminal reports, or in the worst case interfere with the availability of the communication channel the vessel depends on. When the affected channel is part of GMDSS, the availability impact becomes a direct safety concern.

Why GMDSS Compromise Is a Safety Event

Most cyber incidents are first framed as confidentiality or operational problems: data exposed, systems unavailable, business disrupted. GMDSS inverts that priority. The primary purpose of GMDSS is the availability and integrity of distress alerting. A vessel that cannot raise a distress alert, or whose alerting is manipulated to send false or misdirected information, faces a risk to life, not merely to data or operations.

This reframing changes how GMDSS should be treated in the risk assessment and the incident response plan. The threat scenarios that matter most are availability and integrity scenarios: an attacker who can suppress a distress alert, who can flood the system with false alerts to erode trust and response, or who can manipulate the position information transmitted in a distress message. These are low-probability scenarios in normal operation, but their consequence is severe enough that they deserve explicit treatment rather than being averaged into a generic satcom risk rating.

The incident response implication is that any suspected compromise of a GMDSS-bearing terminal must be treated as a Tier 1, safety-impacting incident. The master must have a clear, drilled fallback: independent distress alerting paths such as the EPIRB, alternative GMDSS sea-area equipment, and verified non-compromised communication channels for coordinating with shore. You cannot report a GMDSS incident using the suspect GMDSS channel, so the response plan must define alternate paths in advance.

Testing Satcom and GMDSS Safely

Testing the satcom estate on a live vessel demands a safety-first methodology, because the equipment under test includes systems the vessel relies on for distress alerting. Active or disruptive testing of GMDSS-bearing equipment is never performed while the vessel is at sea or in any situation where the loss of alerting would matter. The bulk of the assessment is therefore built around passive observation and configuration review, with carefully bounded active testing reserved for port stay or dry dock, and even then only against equipment that has a confirmed, available fallback.

A typical satcom assessment begins with enumeration: building the inventory the shipowner usually does not have. The consultant catalogues every satcom and GMDSS terminal on board, its make and model, its firmware version, its network connectivity, and the management interfaces it exposes. Passive packet capture on the relevant network segments reveals how each terminal actually talks, what protocols it uses, and what it can reach. Configuration review covers credentials, exposed services, access controls and logging.

Where active testing is appropriate and safe, it focuses on the management plane rather than the radio function: testing for default credentials, authentication bypasses on the web interface, the ability to reach the terminal from segments that should not have access, and the segmentation boundary between the terminal and the rest of the vessel network. The deliverable is a hardening plan plus the firmware-and-credential inventory that lets the shipowner manage the estate going forward.

• Never disrupt GMDSS at sea: active testing of distress-bearing equipment is restricted to port or dock with a confirmed fallback
• Build the inventory first: make, model, firmware version, network connectivity and exposed interfaces for every terminal
• Capture passively to learn how each terminal actually communicates and what it can reach
• Test the management plane: default credentials, authentication bypass, reachable interfaces, not the radio function
• Verify the segmentation boundary between the satcom zone and bridge OT, crew WiFi and vendor access
• Deliver a hardening plan plus a living firmware-and-credential register the crew can maintain

Hardening the Satcom Zone

Hardening the satcom estate follows a small number of high-impact actions that, taken together, transform the risk profile of the terminals. The first and most important is credential hygiene: change every default credential at commissioning, change them again after every service visit, and maintain a record of which credentials apply to which terminal. Because technicians frequently reset terminals to defaults during maintenance, the post-service credential check must be a standing item, not a one-time task.

The second is segmentation. The satcom and GMDSS terminals belong in their own network zone, with strict access lists controlling which internal systems can reach them and which the terminals can reach in turn. Management interfaces should be reachable only from a designated engineering workstation, never from crew WiFi, the general ship office network, or the public internet. The third is firmware discipline: maintain the firmware inventory, check each terminal version against the latest vendor advisory at every routine maintenance, and apply vendor patches promptly rather than waiting for a problem to surface.

The fourth is monitoring. Outbound connections from a satcom terminal to unexpected destinations are a strong indicator of compromise and are detectable if the terminal sits behind a boundary that logs its traffic. Feeding that telemetry into a maritime SIEM lets the shore SOC spot anomalies the crew cannot. These four actions, credentials, segmentation, firmware and monitoring, are unglamorous, but they close the overwhelming majority of the real-world satcom risk.

Satcom Security, IMO 2021 and Class

The satellite communication estate is consistently among the highest-criticality assets in any vessel cyber risk assessment, which means flag state and class auditors scrutinise the controls applied to it closely. Under IMO Resolution MSC.428(98), the shipowner must demonstrate risk-based cyber management of these systems within the Safety Management System, and the BIMCO Guidelines on Cyber Security Onboard Ships treat satcom and communication systems as a core control area.

For newbuild and significantly retrofitted vessels delivered from 1 July 2024, IACS Unified Requirements E26 and E27 add design-stage cyber resilience expectations that touch the communication equipment directly, including secure update mechanisms and equipment-level security. In-service vessels are not directly bound by E26 and E27 but benefit from applying the same principles operationally to their existing satcom estate.

The practical evidence an auditor wants to see is straightforward: a complete inventory of the satcom and GMDSS terminals, a risk assessment that treats their availability and integrity as safety-relevant, documented hardening of credentials and segmentation, a firmware management process, and incident response procedures that include independent alerting fallbacks for a GMDSS compromise. Codesecure delivers satcom and GMDSS assessments that produce exactly this evidence pack, satisfying IMO 2021, BIMCO and the charterer questionnaire in one document.