Key Takeaways
- The bridge is an OT environment. ECDIS, radar, AIS, GNSS, autopilot and the integrated bridge system are networked computers, not standalone instruments.
- ECDIS chart-update integrity is a real attack path. Updates arriving on removable media or satcom without end-to-end S-63 verification can introduce navigation hazards.
- AIS and GNSS spoofing are documented worldwide. Cross-checking position against radar, visual bearings and dead reckoning is the operational defence.
- Network segmentation per IEC 61162-460 is the highest-ROI control. Bridge OT should not share a flat network with crew Wi-Fi, vendor remote access or satcom management.
- IMO MSC.428(98) and IEC 62443 both expect bridge systems treated as high-criticality assets in the vessel cyber risk assessment.
The Bridge as an Operational Technology Environment
A modern vessel's bridge is an operational technology environment that happens to float. It typically hosts ECDIS (Electronic Chart Display and Information System) on two or more workstations, ARPA radar with networked output, an AIS (Automatic Identification System) transceiver, a GNSS receiver, a gyrocompass, the Voyage Data Recorder, the autopilot, and an integrated bridge system tying many of these together on a shared network. These are not standalone instruments any more, they are networked computers running Windows or embedded Linux underneath, exchanging data over maritime network standards.
Almost all of them receive updates from shore, chart updates, software patches, configuration changes, and almost none were designed with a hostile internet in mind. The combination of VSAT broadband, vendor remote diagnostics, removable-media updates and crew bring-your-own-device traffic has put bridge systems on a threat surface that resembles a small enterprise office, but with safety consequences an office never has. A navigation error induced by a cyber event is a grounding or a collision, not a spreadsheet error.
IACS Unified Requirements E26 and E27, applying to newbuild and significantly retrofitted vessels delivered from 1 July 2024, are starting to change bridge design by mandating cyber resilience at the equipment and system level. The large in-service fleet, however, still needs operational hardening of bridge systems that were installed before cyber was a design consideration. That hardening is the focus of most bridge security work today.
ECDIS: Chart Tampering and Update Integrity
ECDIS is mandatory for most SOLAS vessels, and the chart data and route plans it holds are safety-critical. The chart update workflow is its weak point. Updates arrive as electronic navigational chart (ENC) files from chart distributors via removable media or satcom download. ECDIS verifies an S-63 digital signature where the chain is implemented end to end, but many real-world configurations end up trusting the local intermediate distributor's signature rather than the original hydrographic-office signature, which weakens the assurance.
Demonstrated risks include tampered ENC files that modify depth contours, sounding values, navigation aids or traffic separation schemes; route plans altered after distribution; an ECDIS workstation compromised through update media that also carries unrelated malware; and an ECDIS Windows host falling out of vendor support and accumulating unpatched vulnerabilities over the long life of the chart software. Any of these can put a hazard on the display the bridge team trusts.
The mitigations are concrete: enforce end-to-end S-63 verification against the original hydrographic-office certificate chain, segregate the ECDIS workstation from crew and vendor networks, harden the underlying operating system to the vendor's reference configuration, restrict update media to registered company sticks that have passed a scanning kiosk, and log every update event for after-the-fact review. Most ECDIS installations can be brought to a defensible baseline in days, not months.
Need a Maritime Cyber Assessment?
Codesecure runs IMO MSC.428(98) and IEC 62443 aligned cyber risk assessments and OT penetration tests for shipowners, managers, ports and terminals. ISO/IEC 27001:2022 certified, named consultants with OSCP, CEH and CISSP credentials, fixed-price proposals and free retest within 90 days.
See Maritime Services →AIS and GNSS Spoofing
AIS was designed in the 1990s as a collision-avoidance aid, not a tamper-proof identity system. Its messages are unsigned, transmitted in the clear, and can be generated by any sufficiently equipped transmitter. The result is a documented worldwide catalogue of AIS abuse: ghost vessels, position falsification, identity laundering where one vessel broadcasts another's identity, spoofed navigation status, and coordinated clusters of fake tracks injected near a port to confuse traffic services.
GNSS spoofing is now routine in several geographies, with reported incident clusters in busy and contested waters. Vessels report position jumps of tens to hundreds of nautical miles, tracks that appear to transit over land, and position locks onto a single anomalous point. Spoofing affects far more than the chart: ECDIS uses GNSS for own-ship position, ARPA radar uses it for vector calculation, AIS transmits it to the world, and many shipboard clocks are GNSS-disciplined, so a single spoofed signal corrupts multiple systems at once.
The defences are operational and procedural. Cross-check GNSS against radar fixes, visual bearings and gyro-corrected dead reckoning. Treat AIS as one source among several, verified against radar and visual observation rather than trusted alone. Use multi-constellation receivers, which are more resilient than single-system GPS, and newer anti-spoofing receivers where fitted. Above all, brief and drill the bridge team to recognise spoofing symptoms and switch sources without hesitation, because the human cross-check is the control that does not depend on the compromised signal.
Radar, Autopilot and the Integrated Bridge System
Beyond ECDIS and AIS, the radar, autopilot and integrated bridge system (IBS) deserve specific attention because they bind the bridge into a single networked whole. Modern ARPA radar outputs onto the bridge network and consumes GNSS and AIS data, so a compromise of those inputs propagates into the radar's vectors and alarms. The autopilot, which steers the vessel automatically, is the most safety-critical bridge actuator, and its integrity depends on the trustworthiness of the heading and position data it receives.
The integrated bridge system ties these together, sharing data among ECDIS, radar, AIS, GNSS, the conning display and the autopilot over a common network. That integration is operationally valuable and a security concern at once: a single compromised node or a single tampered data stream can affect multiple displays and the autopilot simultaneously. The IBS network is exactly where the IEC 61162 family of standards applies, governing the serial and Ethernet interfaces between bridge equipment.
Vessels built or upgraded to IEC 61162-460 gain a meaningful security uplift over the older 61162-450, because 460 adds device authentication, integrity monitoring of message streams and network redundancy. For older 450-only installations, those protections often cannot be retrofitted without hardware support, so defenders rely on physical segmentation, firewalling between the bridge and other networks, and tight control of what may be connected to bridge ports. The autopilot in particular should be drilled for manual fallback, hand steering, so the bridge team can take control immediately if its data integrity is ever in doubt.
Network Segmentation and Hardening Priorities
Most in-service vessels still run flat or near-flat networks where bridge OT, crew Wi-Fi, satcom management and vendor remote access share too much trust. Segmentation is the single highest-ROI control for the bridge, and it maps directly onto the IEC 62443 zones-and-conduits model: bridge OT belongs in the most restrictive zone, with every crossing into it gated by a firewall and an explicit allow-list.
A pragmatic segmentation model places bridge OT (ECDIS, radar, AIS, GNSS, autopilot, IBS) in its own zone, separate from engine OT, vessel IT, satcom management and the crew network. Crossings between zones pass through firewalls with explicit rules, the satcom terminal sits in its own restricted segment, and vendor remote diagnostics reach the bridge only through a hardened jump host with session recording, never as a flat inbound path.
Hardening priorities, in order of ease: change default credentials on all networked bridge equipment, segregate crew Wi-Fi at the access-point level so it cannot reach bridge OT, deploy removable-media controls on ECDIS and other update-receiving workstations, restrict and log vendor remote access, harden each workstation to its vendor reference configuration, and log all firewall-allowed connections for periodic review. None of these is exotic, and together they move a vessel from a flat, trust-everything bridge to a defensible one.
Flag State Audit or Customer Questionnaire?
Whether you need cyber evidence for a flag state, a P&I club query, a charterer security questionnaire or an ISPS Code review, our maritime cyber lead is available for a 30-minute free scoping call.
Talk to a Maritime Lead →Standards, Risk Assessment and Vessel Pentesting
Bridge security is not freelance hardening, it sits inside the frameworks that govern maritime cyber. IMO Resolution MSC.428(98), in force since 1 January 2021, requires cyber risk to be managed within the ship Safety Management System under the ISM Code, and bridge systems are almost always the highest-criticality assets in a vessel risk assessment, so the controls applied to them are scrutinised most closely at flag state and class audits.
IEC 62443 provides the technical model, treating bridge systems as the most restrictive security zones with controlled conduits, while the IEC 61162 family governs the bridge network interfaces themselves. The ISPS Code, increasingly carrying a cyber dimension in national interpretations, adds the security-planning framing where physical and cyber bridge access meet. Together these define what a defensible bridge looks like and what an auditor expects to see.
Codesecure assesses and pentests bridge systems at port stay or in dock, following a safety-first methodology: passive observation while operational, deeper active testing only when navigation is not in progress, and no disruptive testing of the autopilot or other safety-critical actuators on a live bridge. The engagement covers segmentation, ECDIS update integrity, satcom exposure, crew Wi-Fi separation and vendor remote-access paths, and produces a report that satisfies the IMO MSC.428(98) risk-assessment requirement and maps findings to IEC 62443 and ISO/IEC 27001:2022. A single-vessel bridge assessment plus pentest at port stay typically runs three to five days on board plus reporting, with free retest within 90 days.
Frequently Asked Questions
Is our ECDIS at risk from cyber attack?
If chart updates arrive on unverified removable media, if the underlying operating system is out of vendor support, or if the workstation shares a network with crew Wi-Fi or vendor remote access, then yes. The risk is mitigated through end-to-end S-63 chart verification, vendor-supported OS versions, removable media controls and network segmentation. Most ECDIS installations can be brought to a defensible baseline in days, not months.
Can AIS and GNSS spoofing really affect a vessel underway?
Yes. AIS messages can be injected by any sufficiently equipped transmitter, and GNSS spoofing has been documented in several regions, causing position jumps and tracks that appear over land. Because ECDIS, radar, AIS and shipboard clocks all depend on GNSS, a single spoofed signal can corrupt multiple systems at once. The defence is cross-checking against radar, visual bearings and dead reckoning, and a bridge team trained to trust that cross-check over the screen.
What is the single most effective bridge security control?
Network segmentation. Most in-service vessels run flat networks where bridge OT shares trust with crew Wi-Fi, satcom management and vendor remote access. Placing bridge OT in its own restrictive zone, with firewalled, allow-listed crossings and vendor access gated through a recorded jump host, delivers the largest risk reduction per unit of effort. It maps directly onto the IEC 62443 zones-and-conduits model.
Do we need to secure the autopilot specifically?
Yes. The autopilot is the most safety-critical bridge actuator and its integrity depends on the heading and position data it receives, so it must sit in the protected bridge OT zone and consume only trusted inputs. Just as important, the bridge team should drill manual fallback to hand steering, so they can take control immediately if the autopilot's data integrity is ever in doubt. The procedural fallback is as important as the technical control.
How do IMO MSC.428(98) and IEC 62443 apply to the bridge?
IMO MSC.428(98) requires cyber risk to be managed in the ship Safety Management System, and bridge systems are typically the highest-criticality assets in the vessel risk assessment, so their controls are examined closely at audits. IEC 62443 supplies the technical model, treating bridge systems as the most restrictive security zones with controlled conduits. The two are complementary: MSC.428(98) for the SMS obligation, IEC 62443 for the technical control design.
Can Codesecure pentest our bridge systems safely?
Yes. Codesecure runs bridge and navigation equipment assessments at port stay or in dock with a safety-first methodology: passive observation while the vessel is operational, active testing only when navigation is not in progress, and no disruptive testing of the autopilot or other safety-critical actuators on a live bridge. The engagement covers segmentation, ECDIS integrity, satcom exposure and vendor access, mapped to IEC 62443 and ISO/IEC 27001:2022, with free retest within 90 days.
Harden Your Bridge Before the Next Audit or Incident
Codesecure delivers bridge and navigation equipment cyber assessments and OT pentests for shipowners and managers across India, Singapore, UAE and the wider Middle East. ISO/IEC 27001:2022 certified delivery, named consultants with bridge OT experience, free retest within 90 days.
