OT Security for Ship Systems: ECDIS, AIS and GMDSS

The bridge of a modern vessel is a small operational technology environment. ECDIS, AIS, GMDSS, GPS, VDR and engine monitoring all run on networked computers exposed to chart updates, satcom links and the occasional crew USB drive. Here is how to think about ship OT security in 2026.

Published 23 May 2026 · 9 min read · Codesecure Maritime Cyber Team

Key Takeaways

  • ECDIS chart tampering is a real attack vector. Update files arriving through USB or satcom without integrity verification can cause navigation hazards.
  • AIS spoofing is documented in multiple regions: ghost vessels, position falsification, and identity laundering for sanctioned tonnage.
  • GMDSS systems are increasingly software-defined. Modern Inmarsat C and Iridium terminals are general-purpose computers connected to ship networks.
  • GPS/GNSS spoofing events have been reported in the Black Sea, Persian Gulf, eastern Mediterranean and South China Sea. Multi-constellation receivers and inertial backup reduce exposure.
  • Network segmentation per IEC 61162-460 is the single highest-ROI control. Bridge OT should not share a flat network with crew WiFi, ECDIS chart update PCs, or vendor remote access.

The Ship OT Landscape in 2026

A modern vessel built or retrofitted in the last decade is an operational technology environment that happens to float. The bridge alone typically hosts: ECDIS (Electronic Chart Display and Information System) running on two or more workstations, ARPA radar with networked output, AIS (Automatic Identification System) transceiver, GMDSS (Global Maritime Distress and Safety System) including Inmarsat C, Iridium and VHF DSC, GPS or multi-GNSS receiver, gyrocompass, VDR (Voyage Data Recorder), autopilot and integrated bridge displays.

Behind the bridge sit engine monitoring (alarm systems, performance monitoring, increasingly engine condition telemetry over satcom), cargo control (especially complex on tankers, chemical carriers and gas carriers), ballast water treatment, scrubber control, machinery automation, and shore-connected planned-maintenance systems.

All of these are network-connected, almost all run Windows or embedded Linux underneath, almost all receive updates from shore (chart updates, software patches, configuration changes), and almost none were designed with a hostile internet in mind. The cyber threat model has caught up faster than the equipment design cycle. IACS UR E26 and E27 from July 2024 are starting to change newbuild design; the in-service fleet still needs operational hardening.

ECDIS: Chart Tampering and Update Integrity

ECDIS is now mandatory for most SOLAS vessels. The chart data and route plans it holds are safety-critical. The chart update workflow is the weak point. Updates arrive as ENC files from chart distributors (Primar, IC-ENC, ChartCo, plus several national hydrographic offices) via CD, USB stick, or satcom download. The ECDIS verifies an S-63 digital signature where the chain is implemented end to end, but many real-world configurations end up trusting the local intermediate distributor signature rather than the original hydrographic-office signature.

Documented and demonstrated risks include: tampered ENC files modifying depth contours, sounding values, navigation aids, traffic separation schemes or chart datum; route plans modified after distribution; an ECDIS workstation compromised through update USB media that also carries unrelated malware; and an ECDIS Windows host falling out of support and accumulating unpatched CVEs over the support life of the chart software.

Mitigations: enforce end-to-end S-63 verification with the original hydrographic-office certificate chain, segregate the ECDIS workstation from crew and vendor networks, harden the underlying OS to the vendor's reference configuration, restrict USB media to a controlled subset of company-issued sticks, and log update events for after-the-fact review.

AIS: Spoofing, Ghost Vessels and Identity Laundering

AIS was designed in the 1990s as a collision-avoidance aid, not as a tamper-proof identity system. Messages are unsigned, transmitted in clear, and can be generated by any sufficiently equipped transmitter on VHF maritime frequencies. The result is a long catalogue of documented AIS abuse worldwide.

Well-known patterns include: ghost vessels (AIS transmissions showing tracks that no vessel is actually sailing), position falsification (a real vessel transmitting a fake position to conceal its location, common in sanctions evasion), identity laundering (sanctioned vessels broadcasting another vessel's MMSI or IMO number), spoofed Navigation Status (a vessel claiming to be at anchor when underway, or vice versa), and coordinated cluster attacks where multiple fake tracks are injected near a port to confuse traffic services.

Mitigations are mostly defensive: cross-check AIS positions against radar, GPS, ECDIS dead-reckoning and crew visual observation, treat AIS as one source among several, integrate satellite AIS for over-the-horizon verification, and report suspected spoofing to coastal authorities. For coastal infrastructure operators (ports, VTS), tools like AISguard and similar spoofing-detection layers are starting to mature.
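The radar cross-check described above can be sketched as a small association routine. This is an added example, not code from the article or from any bridge product: the positions, the placeholder MMSI labels, the 0.5 nm association gate and the 1 kn "moving" threshold are all assumptions chosen for illustration.

```python
import math

# Constructed sample data (not from the article). MMSI values are placeholders.
OWN_SHIP = (25.0000, 55.0000)                      # own-ship lat, lon
AIS_REPORTS = [
    {"mmsi": "MMSI-A", "lat": 25.0500, "lon": 55.0000, "sog": 12.0, "status": "under way"},
    {"mmsi": "MMSI-B", "lat": 25.0000, "lon": 55.0800, "sog": 9.5, "status": "at anchor"},
    {"mmsi": "MMSI-C", "lat": 24.9500, "lon": 54.9500, "sog": 0.0, "status": "at anchor"},
]
RADAR_CONTACTS = [(3.0, 0.0), (4.4, 90.0), (6.0, 300.0)]   # (range nm, true bearing deg)

def ais_offset(own, lat, lon):
    """North/east offset in nm from own ship (plane sailing, fine at radar ranges)."""
    return ((lat - own[0]) * 60.0,
            (lon - own[1]) * 60.0 * math.cos(math.radians(own[0])))

def radar_offset(rng, brg):
    """North/east offset in nm of a radar contact given range and true bearing."""
    return rng * math.cos(math.radians(brg)), rng * math.sin(math.radians(brg))

def cross_check(own, ais, radar, gate_nm=0.5, moving_kn=1.0):
    """Return (findings per AIS target, radar contacts with no AIS report)."""
    findings, used = [], set()
    for rep in ais:
        n, e = ais_offset(own, rep["lat"], rep["lon"])
        # Nearest not-yet-associated radar contact inside the association gate.
        best, best_d = None, gate_nm
        for i, (rng, brg) in enumerate(radar):
            rn, re_ = radar_offset(rng, brg)
            d = math.hypot(n - rn, e - re_)
            if i not in used and d <= best_d:
                best, best_d = i, d
        if best is None:
            findings.append((rep["mmsi"], "no radar contact within gate"))
        else:
            used.add(best)
        # Reported navigation status must agree with reported speed over ground.
        if rep["status"] in ("at anchor", "moored") and rep["sog"] > moving_kn:
            findings.append((rep["mmsi"], "status contradicts speed over ground"))
    return findings, [c for i, c in enumerate(radar) if i not in used]
```

An AIS target with no radar contact is a candidate ghost track to confirm visually; a radar-only contact is not suspicious by itself, since many small craft carry no AIS.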

GMDSS, VSAT and Satcom Exposure

GMDSS terminals (Inmarsat C, Inmarsat FleetBroadband, Iridium Certus, the new IDP and the recent GMDSS recognition of Iridium services) increasingly look like general-purpose computers with an Ethernet port, a configuration web interface, default credentials documented in vendor manuals, and connectivity back to the ship LAN.

Public security research over the last several years has demonstrated default-credential access, web admin authentication bypass, firmware downgrade attacks, and (in some cases) the ability to read or write data on the ship LAN once the satcom terminal is compromised. Most affected vessels do not know whether their installation is patched, because patches are issued by the vendor and applied by the service technician at the next port visit.

Mitigations: change all default credentials on commissioning and after every service visit, place the satcom terminal in its own VLAN with strict access lists, restrict management interfaces to the engineering workstation, monitor outbound connections for unexpected destinations, and verify firmware version against the latest vendor advisory at every routine maintenance visit.

GPS and GNSS Spoofing

GPS and GNSS spoofing is now routine in several geographies. Reported incident clusters include the Black Sea (since 2017), the Persian Gulf and Strait of Hormuz (multiple years), the eastern Mediterranean near conflict zones, and parts of the South China Sea. Vessels report position jumps of tens to hundreds of nautical miles, vessels apparently transiting on land, and AIS tracks that lock on to a single 'circle' position commonly associated with airports.

Spoofing affects more than navigation. ECDIS uses GNSS for own-ship position; ARPA radar uses it for vector calculation; AIS uses it as the position source it transmits to the world; GMDSS uses it for distress message positioning; many shipboard clocks are GNSS-disciplined.

Mitigations: cross-check GNSS with radar fixes, visual bearings, gyro-corrected dead reckoning, and inertial reference where fitted. Modern multi-GNSS receivers (GPS plus Galileo plus GLONASS plus BeiDou) are more resilient. Newer anti-spoofing receivers with antenna-array processing and authenticated signals (Galileo OS-NMA) are entering the market. Brief and train the bridge team to recognise spoofing symptoms and to switch sources without delay.
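The dead-reckoning cross-check above, as an added example (not code from the article or from any ECDIS vendor): a DR position is carried forward from the last trusted fix using gyro heading and speed log, and each GNSS fix is compared against it. The sample log, the one-minute interval and the 0.5 nm limit are assumptions.

```python
import math

# Constructed bridge log (not from the article): one sample per minute with the
# GNSS fix, gyro heading (deg true) and speed-log reading (knots).
SAMPLES = [
    # (t_min, gnss_lat, gnss_lon, heading, speed_kn)
    (0, 26.0000, 56.0000, 90.0, 12.0),
    (1, 26.0000, 56.0037, 90.0, 12.0),
    (2, 26.0000, 56.0074, 90.0, 12.0),
    (3, 26.2500, 56.3000, 90.0, 12.0),   # GNSS jumps; gyro and log do not
    (4, 26.2500, 56.3037, 90.0, 12.0),
]

def advance(lat, lon, heading, speed_kn, minutes):
    """Dead-reckon forward by plane sailing (adequate over short intervals)."""
    dist = speed_kn * minutes / 60.0
    dlat = dist * math.cos(math.radians(heading)) / 60.0
    dlon = dist * math.sin(math.radians(heading)) / (60.0 * math.cos(math.radians(lat)))
    return lat + dlat, lon + dlon

def separation_nm(a, b):
    """Distance in nm between two nearby (lat, lon) positions."""
    north = (a[0] - b[0]) * 60.0
    east = (a[1] - b[1]) * 60.0 * math.cos(math.radians((a[0] + b[0]) / 2))
    return math.hypot(north, east)

def gnss_dr_check(samples, limit_nm=0.5):
    """Return [(t_min, error_nm)] for GNSS fixes that diverge from the DR position."""
    t0, lat, lon, hdg, spd = samples[0]
    dr, alerts = (lat, lon), []
    for t, g_lat, g_lon, n_hdg, n_spd in samples[1:]:
        dr = advance(dr[0], dr[1], hdg, spd, t - t0)
        err = separation_nm(dr, (g_lat, g_lon))
        if err > limit_nm:
            alerts.append((t, round(err, 1)))   # distrust the fix, keep running on DR
        else:
            dr = (g_lat, g_lon)                 # fix is consistent: re-anchor DR to it
        t0, hdg, spd = t, n_hdg, n_spd
    return alerts
```

Because the DR position is re-anchored to every accepted fix, a slow drag-off that stays under the per-step limit will not trip this check, which is why radar fixes and visual bearings remain part of the cross-check.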

IEC 61162: Network Standards for the Bridge

IEC 61162 is the family of standards governing maritime navigation and radio-communication equipment, with specific parts covering serial interfaces (derived from NMEA 0183, in 61162-1 and 61162-2), Ethernet networks for bridge equipment (61162-450), and a more recent secure variant (61162-460) which adds authentication, redundancy, and network monitoring.

Vessels built or upgraded to 61162-460 have a meaningful security uplift over 61162-450 because 460 explicitly addresses cyber risks (authentication of devices, encrypted control channels, integrity monitoring of message streams). For older 450-only installations, retrofitting the protections from 460 requires hardware support that may not be present. In the meantime, defenders rely on physical segmentation, firewalling between bridge and other networks, and tight controls on what can be connected to bridge ports.

The practical action: identify each vessel's bridge network revision (450 vs 460), inventory the connected equipment, and design segmentation per IEC 62443 zones and conduits with bridge OT in the most restrictive zone. See our companion guide on IEC 62443 for maritime for the zones-and-conduits framework.

Network Segmentation and Hardening Priorities

Most in-service vessels still have flat or near-flat networks where bridge OT, crew WiFi, satcom management and vendor remote access share too much trust. Segmentation is the single highest-ROI control.

A pragmatic segmentation model for a typical modern vessel uses five zones: Bridge OT (ECDIS, AIS, GMDSS, GPS, ARPA, autopilot), Engine OT (engine monitoring, alarms, automation), Cargo OT (where present), Vessel IT (administration, planned maintenance, fleet ops), and Crew Network (welfare WiFi, BYOD). Crossings between zones happen through firewalls with explicit allow-lists, satcom terminal access is restricted by zone, and vendor remote diagnostics are gated through a hardened jump host with session recording.

Hardening priorities by ease of execution: change default credentials on all networked equipment, disable unused services on satcom terminals, segregate crew WiFi at the access-point level, deploy USB-media controls for ECDIS workstations, document and restrict vendor remote access, and log all firewall-allowed connections for monthly review.
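The monthly review of firewall-allowed connections can be partly automated by replaying the log against the intended conduits between the five zones. This is an added example, not part of the original article: the subnets, the conduit list and the log line format are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumed addressing plan for the five zones named above (subnets are illustrative).
ZONES = {
    "bridge_ot": "10.10.1.0/24",
    "engine_ot": "10.10.2.0/24",
    "cargo_ot":  "10.10.3.0/24",
    "vessel_it": "10.10.10.0/24",
    "crew":      "10.10.50.0/24",
}
# Assumed conduits: (source zone, destination zone, destination port).
ALLOWED = {
    ("bridge_ot", "vessel_it", 514),   # syslog from bridge equipment to a log collector
    ("engine_ot", "vessel_it", 514),
    ("vessel_it", "bridge_ot", 22),    # hardened jump host reaching bridge equipment
}
# Constructed firewall log lines: "src_ip dst_ip dst_port action".
LOG = """\
10.10.1.20 10.10.10.5 514 ALLOW
10.10.50.77 10.10.1.20 3389 ALLOW
10.10.10.9 10.10.1.21 22 ALLOW
10.10.50.12 10.10.2.4 502 DENY
192.0.2.44 10.10.1.30 80 ALLOW
"""

NETS = {name: ipaddress.ip_network(cidr) for name, cidr in ZONES.items()}

def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in NETS.items() if addr in net), "external")

def review(log_text):
    """Return allowed flows that cross zones without a matching conduit."""
    violations = []
    for line in log_text.splitlines():
        src, dst, port, action = line.split()
        src_z, dst_z = zone_of(src), zone_of(dst)
        if action != "ALLOW" or src_z == dst_z:
            continue                    # blocked or intra-zone traffic is out of scope
        if (src_z, dst_z, int(port)) not in ALLOWED:
            violations.append((src_z, dst_z, int(port)))
    return violations
```

Each returned tuple is a firewall rule that permits more than the zone model intends, such as crew WiFi reaching a bridge workstation, and points to a rule to remove or a conduit to document.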

Frequently Asked Questions

Is my ECDIS at risk from cyber attack?

If chart updates arrive through unverified USB media, if the underlying Windows host is out of support, if the workstation shares a network with crew WiFi or vendor remote access, then yes. The risk is mitigated through S-63 end-to-end verification, vendor-supported OS versions, USB controls and segmentation. Most ECDIS installations can be brought to a safe baseline in days, not months.

Can AIS be spoofed against a moving vessel?

AIS messages can be injected by any sufficiently equipped transmitter. A moving vessel can be spoofed in two senses: its own AIS transmissions can be falsified by tampering with the on-board transceiver or its inputs, and incorrect AIS messages claiming to be from nearby vessels can be injected to confuse collision avoidance. Cross-checking against radar and visual observation is the operational mitigation.

Does IMO 2021 require us to secure ECDIS, AIS and GMDSS specifically?

IMO 2021 requires risk-based cyber management. ECDIS, AIS and GMDSS are typically high-criticality assets in any vessel risk assessment, so the controls applied to them are scrutinised closely. There is no per-system mandatory checklist, but flag states and class societies expect to see specific cyber risk reasoning for these systems.

What about IACS UR E26 and E27?

IACS Unified Requirements E26 (cyber resilience of ships) and E27 (cyber resilience of onboard systems and equipment) apply to newbuild and significantly retrofitted vessels delivered from 1 July 2024. They mandate technical cyber controls at the design stage, including segmentation, secure update mechanisms, and equipment-level security. In-service vessels are not directly covered by E26/E27 but benefit from applying the same principles operationally.

Do you do vessel cyber penetration testing?

Yes. Codesecure runs vessel cyber pentests at port stay or in dock, covering bridge OT segmentation, satcom and VSAT exposure, ECDIS update integrity, crew WiFi separation, and vendor remote-access paths. We follow a safety-first methodology, avoid any disruptive testing during cargo or navigation operations, and produce reports that satisfy IMO 2021 risk-assessment evidence and BIMCO gap closure.

How long does a vessel cyber assessment take?

A single-vessel cyber assessment plus pentest at port stay typically runs 3 to 5 days on board plus reporting. Fleet-wide programmes use a representative class approach where one vessel per class is tested deeply and findings are extrapolated. Codesecure delivers fixed-price proposals after a scoping call.

Codesecure Maritime Cyber Team

OSCP / IEC 62443 / Maritime OT Practitioners

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers maritime cyber risk assessments, IMO 2021 SMS integration support, BIMCO gap assessments, vessel and port OT penetration testing, and ship-to-shore SIEM design. Named consultants with OSCP, IEC 62443, and hands-on bridge-system experience. Engagements delivered across India, Singapore, UAE and the Middle East.
