Key Takeaways
- The integrated bridge ties radar, ECDIS, AIS, GNSS and the gyrocompass into one network, so corrupting one sensor can distort the entire navigation picture the watch officer trusts.
- GNSS spoofing is documented in several regions and affects far more than position: ECDIS, radar vectors, AIS and timing all depend on it.
- AIS is unauthenticated by design, enabling ghost vessels, position falsification and identity manipulation that must be cross-checked against radar and visual observation.
- ECDIS chart integrity depends on verified updates. Tampered chart data or compromised update media can introduce navigation hazards directly into the display.
- IEC 61162 governs bridge networking, and the secure variant adds authentication and integrity monitoring, but most in-service vessels rely on segmentation and disciplined media control instead.
- Defence in depth means treating every navigation sensor as one source among several, never a single point of truth, backed by trained watch officers who can recognise and respond to anomalies.
The Integrated Bridge: Why One Sensor Affects All
On a modern vessel the navigation systems are no longer independent instruments. Radar, ECDIS, AIS, the GNSS receiver, the gyrocompass, the speed log and the autopilot are tied together on an integrated bridge network, exchanging data continuously so each display can show a fused picture. The radar overlays AIS targets and the chart. ECDIS plots own-ship position from GNSS and shows radar-derived targets. The autopilot follows a route held in ECDIS. This integration is what makes a modern bridge efficient, and it is also what makes it fragile.
The consequence is that a weakness in one sensor does not stay contained. If GNSS is spoofed, the false position propagates into ECDIS, into the radar's target vectors, into the AIS position the vessel broadcasts to the world, and into any system that uses GNSS timing. If the bridge network itself is compromised, an attacker could in principle alter the data flowing between systems so that the fused picture is wrong while each individual instrument appears to be working normally. The watch officer sees a coherent, confident, and incorrect display.
This is why navigation security has to be considered as a system rather than instrument by instrument. Protecting the radar alone, or the ECDIS alone, misses the point. The objective is to protect the integrity of the navigation picture as a whole, which means securing the network that fuses the sensors, hardening the individual systems, verifying the data feeding them, and ensuring the human watchkeeper retains the training and the independent references to catch a picture that has gone wrong.
GNSS Spoofing and Jamming: The Root Dependency
Satellite positioning is the dependency that sits underneath almost everything else on the bridge. GNSS, the family that includes GPS, Galileo, GLONASS and BeiDou, provides own-ship position, supports radar vector calculations, is the position source AIS transmits, and disciplines clocks across many shipboard systems. Because so much depends on it, GNSS is also the most consequential target, and both jamming, which denies the signal, and spoofing, which substitutes a false one, have been observed in several maritime regions.
Spoofing is the more dangerous of the two because it is deceptive rather than merely disruptive. A jammed receiver usually alarms or shows loss of fix, which the watch officer can recognise. A spoofed receiver can show a plausible but false position, and because that position flows into ECDIS, radar and AIS, the whole bridge can present a consistent, confident, wrong answer. Reported symptoms include sudden position jumps, vessels appearing to transit over land, and positions locking onto a single fixed point unrelated to the vessel's actual location.
Mitigation is layered. Multi-constellation receivers that combine GPS, Galileo, GLONASS and BeiDou are harder to spoof than single-constellation units. Newer receivers add antenna-array processing and authenticated signal services that can flag inconsistency. Independent references, such as radar fixes against known landmarks, visual and compass bearings, and gyro-corrected dead reckoning, give the watch officer a way to detect that GNSS has gone wrong. Above all, the bridge team must be trained to recognise spoofing symptoms and to switch to independent navigation methods without hesitation.
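The cross-check against dead reckoning described above can be automated as a plausibility monitor. The following is an added example, not code from the original article: it flags the reported symptoms (position jumps, a position locked to one point) and a slow divergence from the DR track. The `Fix` record, the thresholds and the sample track are constructed assumptions.

```python
import math
from dataclasses import dataclass

EARTH_R_NM = 3440.065  # mean Earth radius, nautical miles

@dataclass
class Fix:
    t: float         # seconds since start of track
    lat: float       # GNSS latitude, degrees
    lon: float       # GNSS longitude, degrees
    log_kn: float    # speed log reading, knots (independent of GNSS)
    gyro_deg: float  # gyrocompass heading, degrees true

def dist_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_R_NM * math.asin(math.sqrt(a))

def dr_advance(lat, lon, kn, hdg, dt):
    """Plane-sailing dead reckoning from log speed and gyro heading over dt seconds."""
    d = kn * dt / 3600.0  # distance run, nm
    return (lat + d * math.cos(math.radians(hdg)) / 60.0,
            lon + d * math.sin(math.radians(hdg)) / (60.0 * math.cos(math.radians(lat))))

def check_track(fixes, max_kn=25.0, dr_tol_nm=0.5, moving_kn=2.0):
    """Return (time, reason) alerts for fixes that disagree with physics or with DR."""
    alerts = []
    dr_lat, dr_lon = fixes[0].lat, fixes[0].lon  # DR starts at the first, trusted fix
    for prev, cur in zip(fixes, fixes[1:]):
        dt = cur.t - prev.t
        moved = dist_nm(prev.lat, prev.lon, cur.lat, cur.lon)
        dr_lat, dr_lon = dr_advance(dr_lat, dr_lon, prev.log_kn, prev.gyro_deg, dt)
        if moved / (dt / 3600.0) > max_kn:
            alerts.append((cur.t, "jump"))           # faster than the hull can go
        elif moved < 0.001 and cur.log_kn > moving_kn:
            alerts.append((cur.t, "frozen"))         # log says moving, GNSS says parked
        elif dist_nm(cur.lat, cur.lon, dr_lat, dr_lon) > dr_tol_nm:
            alerts.append((cur.t, "dr_divergence"))  # slow pull away from DR track
    return alerts

# Constructed sample: 12 kn due north, one fix per minute, then a jump and a lock.
SAMPLE_TRACK = [
    Fix(0, 1.200000, 103.800000, 12.0, 0.0),
    Fix(60, 1.203333, 103.800000, 12.0, 0.0),
    Fix(120, 1.206667, 103.800000, 12.0, 0.0),
    Fix(180, 1.300000, 103.900000, 12.0, 0.0),
    Fix(240, 1.300000, 103.900000, 12.0, 0.0),
]
```

`check_track(SAMPLE_TRACK)` reports a jump at t=180 and a frozen position at t=240; the DR tolerance has to be tuned to the expected set and drift for the passage.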
AIS Spoofing and Radar Tampering
AIS was designed in the 1990s as a collision-avoidance aid, not as a secure identity system. Its messages are unsigned and transmitted in clear, so any sufficiently equipped transmitter on the maritime VHF band can generate them. This produces a long catalogue of documented abuse: ghost vessels showing tracks no real ship is sailing, position falsification where a vessel broadcasts a false location, identity manipulation where a vessel transmits another's identifiers, and coordinated injection of multiple false targets near busy waters to confuse traffic services and bridge teams.
Because AIS targets are overlaid on the radar and the chart, false AIS data degrades the fused navigation picture directly. The defence is to treat AIS as one input among several, never as ground truth. AIS targets should be cross-checked against the radar's own returns and against visual observation, and a target that appears on AIS but not on radar, or vice versa, should raise immediate suspicion rather than quiet acceptance.
Radar itself is more robust because it senses the physical environment directly rather than receiving broadcast claims, but it is not beyond reach. Modern radar is a networked computer with processing, displays and data feeds, and where its host or its network connections are exposed, the displayed picture or its overlays could in principle be manipulated. Radar hosts that run general-purpose operating systems accumulate vulnerabilities like any other computer if left unpatched, and a radar sharing a flat network with crew or vendor systems inherits their exposure. Hardening the radar host, controlling what can connect to it, and keeping its software supported are the practical controls.
- AIS ghost vessels: fabricated tracks injected to mislead collision avoidance and traffic services
- AIS position falsification: a real vessel broadcasting a false location, requiring radar and visual cross-check to detect
- AIS identity manipulation: vessels transmitting another's identifiers, a defensive concern for coastal and port authorities
- Radar host exposure: networked radar computers on flat networks inherit the risk of whatever else shares the segment
- Core defence: cross-check every sensor against independent sources; no single feed is treated as ground truth
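The AIS-against-radar cross-check in this section can be expressed as a simple correlation pass. This is an added example, not code from the original article: it lists AIS targets inside radar range that have no radar return, and radar tracks that no AIS report explains. The gate size, radar range, identifiers and positions are constructed assumptions.

```python
import math

def range_bearing(own, tgt):
    """Range (nm) and true bearing (deg) from own ship to a lat/lon, plane approximation."""
    dn = (tgt[0] - own[0]) * 60.0
    de = (tgt[1] - own[1]) * 60.0 * math.cos(math.radians(own[0]))
    return math.hypot(dn, de), math.degrees(math.atan2(de, dn)) % 360.0

def to_xy(rng, brg):
    """Polar (range, true bearing) to east/north offsets in nm."""
    return rng * math.sin(math.radians(brg)), rng * math.cos(math.radians(brg))

def cross_check(own, ais, radar, radar_range_nm=12.0, gate_nm=0.3):
    """Correlate AIS reports with radar tracks (greedy nearest neighbour).
    ais:   {mmsi: (lat, lon)} decoded from AIS position reports
    radar: [(range_nm, bearing_deg_true)] tracks from the radar's own returns
    Returns (ais_only, radar_only)."""
    unmatched = list(radar)
    ais_only = []
    for mmsi, pos in sorted(ais.items()):
        rng, brg = range_bearing(own, pos)
        if rng > radar_range_nm:
            continue  # beyond radar coverage: a missing return proves nothing
        a = to_xy(rng, brg)
        best = min(unmatched, key=lambda t: math.dist(a, to_xy(*t)), default=None)
        if best is not None and math.dist(a, to_xy(*best)) <= gate_nm:
            unmatched.remove(best)   # AIS claim confirmed by a physical return
        else:
            ais_only.append(mmsi)    # broadcast claim with nothing behind it
    return ais_only, unmatched

# Constructed sample data; the MMSI strings are placeholders, not real identities.
OWN = (1.20, 103.80)
AIS = {
    "000000001": (1.25, 103.80),   # 3 nm due north, has a radar return
    "000000002": (1.20, 103.90),   # about 6 nm due east, no radar return
    "000000003": (1.60, 103.80),   # 24 nm away, outside radar range
}
RADAR = [(3.05, 0.5), (4.0, 225.0)]  # second track has no AIS report
```

Because the geometry is computed from own-ship GNSS position, every target losing correlation at once points at own position rather than at the targets.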
ECDIS Chart Integrity and Update Security
ECDIS, the electronic chart display and information system, is the heart of modern navigation and is mandatory for most vessels covered by international navigation requirements. The route plans and electronic charts it holds are safety-critical, and the weak point in the ECDIS lifecycle is the chart update workflow. Updates arrive as electronic navigational chart files from chart distributors via physical media or satcom download, and they carry digital signatures intended to prove authenticity end to end. In real installations the signature chain is sometimes only partially verified, trusting an intermediate distributor rather than the originating hydrographic office.
The risks that follow are concrete. Tampered chart files could alter depth contours, soundings, navigational aids or traffic separation schemes, introducing a hazard straight into the display the bridge trusts. Route plans could be modified after distribution. Update media, especially removable media, can carry unrelated malware onto the ECDIS host. And the underlying operating system, if it falls out of vendor support, accumulates unpatched vulnerabilities over the long service life of the chart software.
The mitigations are well understood. Enforce full end-to-end signature verification back to the originating hydrographic office. Keep the ECDIS host on a vendor-supported, hardened operating system. Restrict removable media to a controlled set of company-issued devices and scan them before use. Segregate the ECDIS workstation from crew and vendor networks so it does not inherit their exposure. Log update events so that a problem can be investigated after the fact. Most ECDIS installations can be brought to a safe baseline quickly once these controls are applied.
IEC 61162 and Securing the Bridge Network
The bridge network that fuses the navigation sensors is governed by the IEC 61162 family of standards. Its parts cover serial interfaces derived from long-standing navigation data formats, Ethernet networking for bridge equipment, and a more recent secure variant that adds device authentication, redundancy and network integrity monitoring. The secure variant is a meaningful uplift because it explicitly addresses cyber risk: authenticating the devices on the bridge network, protecting control channels, and monitoring the integrity of the message streams that flow between systems.
The practical difficulty is that most in-service vessels were built to the earlier, non-secure networking standard, which assumed a closed and trusted bridge network. Retrofitting the protections of the secure variant generally requires hardware support that older installations do not have. For those vessels, defenders rely on compensating controls: physically and logically segmenting the bridge network from everything else, firewalling the conduits between bridge and other zones, and tightly controlling what may be connected to bridge ports.
The first practical action on any vessel is to determine which networking generation the bridge actually uses, inventory the connected equipment, and design segmentation around it using the IEC 62443 zones-and-conduits model, with bridge navigation in one of the most restrictive zones. The bridge network should not share trust with crew welfare WiFi, with the ECDIS chart-update workstation, or with vendor remote-access paths. Where wireless exists on or near the bridge, it must be controlled with the same discipline as the wired network.
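Once the inventory and zone plan exist, passively captured flows can be audited against them. The following is an added example, not code from the original article or from any standard: the subnets, inventory, port numbers and the single permitted conduit are constructed assumptions for illustration.

```python
import ipaddress

# Constructed zone plan and inventory (assumptions, not from any real vessel).
ZONES = {
    "bridge_nav": ipaddress.ip_network("10.10.1.0/24"),
    "chart_update": ipaddress.ip_network("10.10.2.0/24"),
    "crew_welfare": ipaddress.ip_network("10.20.0.0/16"),
    "vendor_remote": ipaddress.ip_network("10.30.0.0/24"),
}
BRIDGE_INVENTORY = {"10.10.1.10": "radar", "10.10.1.11": "ecdis", "10.10.1.12": "ais"}
# Conduits: the only inter-zone flows allowed, as (src_zone, dst_zone, proto, dst_port).
CONDUITS = {("chart_update", "bridge_nav", "tcp", 8443)}  # hypothetical transfer port

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")

def audit_flows(flows):
    """flows: (src_ip, dst_ip, proto, dst_port) tuples from a passive capture.
    Returns (flow, finding) pairs for anything the zone plan does not allow."""
    findings = []
    for flow in flows:
        src, dst, proto, port = flow
        mcast = ipaddress.ip_address(dst).is_multicast
        sz = zone_of(src)
        dz = sz if mcast else zone_of(dst)  # assumes multicast is not routed between zones
        for ip in ([src] if mcast else [src, dst]):
            if zone_of(ip) == "bridge_nav" and ip not in BRIDGE_INVENTORY:
                findings.append((flow, f"uninventoried bridge device {ip}"))
        if sz != dz and (sz, dz, proto, port) not in CONDUITS:
            findings.append((flow, f"no conduit {sz}->{dz} {proto}/{port}"))
    return findings

# Constructed capture summary.
OBSERVED = [
    ("10.10.1.10", "239.1.1.1", "udp", 6000),    # bridge sensor multicast, intra-zone
    ("10.10.2.5", "10.10.1.11", "tcp", 8443),    # chart update over the defined conduit
    ("10.20.3.44", "10.10.1.11", "tcp", 445),    # crew network reaching the ECDIS host
    ("10.10.1.77", "10.10.1.10", "tcp", 80),     # unknown device on the bridge segment
    ("10.30.0.9", "10.10.1.10", "tcp", 3389),    # vendor path straight to the radar host
]
```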
Defence in Depth and the Trained Watchkeeper
No single control secures navigation, because the threats span the satellite signal, the radio broadcast, the chart data and the network. The right posture is defence in depth: harden each system, secure the network that fuses them, verify the data that feeds them, and preserve independent references so that no sensor is ever treated as a single point of truth. Multi-constellation positioning, verified chart updates, cross-checked AIS, a segmented bridge network and supported, hardened hosts together raise the bar far higher than any one of them alone.
The human watchkeeper remains the most important layer. Technology can fuse sensors and flag inconsistencies, but it is the trained officer of the watch who recognises that the radar and the chart disagree, that the GNSS position has jumped impossibly, or that an AIS target has no radar return, and who responds by switching to independent methods. A bridge team that has practised navigating on radar fixes, visual bearings and dead reckoning can ride out a spoofing event that would disorient a team wholly dependent on the electronic picture. Some vessels have allowed traditional navigation skills to lapse since electronic systems became mandatory, and that gap is itself a vulnerability.
Bringing this together is a programme, not a product. It means assessing the bridge network and navigation systems, hardening and segmenting them, verifying chart and signal integrity, training the watch team to recognise and respond to anomalies, and reviewing periodically as equipment and threats evolve. IMO cyber risk management expectations and class society cyber-resilience requirements both point in this direction. Codesecure assesses and hardens navigation systems and integrated bridges with a safety-first methodology, and reports in a form the master, the navigation officer and the company cyber lead can all act on.
Frequently Asked Questions
Can a ship's radar be hacked?
Radar is more robust than broadcast-based systems because it senses the physical environment directly rather than receiving claims. However, modern radar is a networked computer with displays and data feeds. Where the radar host runs an unpatched operating system or shares a flat network with crew or vendor systems, its picture or overlays could in principle be manipulated, and it inherits the risk of whatever else is on the segment. Hardening the host, controlling connections, and keeping software supported are the practical controls.
What is GNSS spoofing and why is it dangerous for vessels?
GNSS spoofing substitutes a false satellite signal so the receiver reports a plausible but incorrect position. It is dangerous because satellite positioning underpins ECDIS, radar vectors, AIS and timing, so a single spoofed position can corrupt the entire bridge picture while each instrument appears to work. Unlike jamming, which usually alarms, spoofing is deceptive. Multi-constellation receivers, authenticated signals, and independent references such as radar and visual fixes are the main defences.
How can we tell if our AIS data is being spoofed?
Cross-check AIS against independent sources. A target that appears on AIS but has no corresponding radar return, or a position that conflicts with visual observation or with the vessel's own navigation, is a strong indicator of spoofing. AIS was never designed as a secure identity system, so it should always be treated as one input among several rather than ground truth, and discrepancies should trigger suspicion rather than acceptance.
Is ECDIS vulnerable to cyber attack?
It can be, mainly through the chart update workflow and the underlying host. If chart updates are not verified end to end, tampered data could introduce navigation hazards. If update media is uncontrolled, it can carry malware. If the host operating system is out of vendor support, it accumulates vulnerabilities. The mitigations are end-to-end update verification, controlled media, a supported hardened host, and segregation from crew and vendor networks. Most ECDIS units can reach a safe baseline quickly.
What does IEC 61162 have to do with navigation security?
IEC 61162 is the standard family for bridge equipment networking. Its secure variant adds device authentication, redundancy and integrity monitoring to the bridge network, which is a meaningful security uplift. Most in-service vessels were built to the earlier, non-secure generation, so they rely on compensating controls: segmenting the bridge network, firewalling its conduits, and controlling what may connect to bridge ports. Identifying which generation a vessel uses is the first practical step.
Can Codesecure assess our navigation and bridge systems?
Yes. Codesecure assesses integrated bridges and navigation systems with a safety-first methodology, favouring passive observation at sea and careful active testing at port stay. We review the bridge network and its segmentation, ECDIS update integrity, GNSS resilience, AIS cross-checking, radar host hardening and vendor access, and report against IEC 62443 and IMO expectations with a maritime severity overlay. ISO/IEC 27001:2022 certified delivery, named consultants.
Protect The Whole Navigation Picture, Not Just One Sensor
Codesecure assesses and hardens radar, ECDIS, AIS, GNSS and integrated bridge networks for shipowners and managers across India, Singapore, UAE and Malaysia. ISO/IEC 27001:2022 certified delivery, named consultants with OSCP, CEH, CISSP and bridge systems experience, free retest within 90 days.

