Why Maritime OT Security Matters Now

The maritime sector sits at the intersection of two threat escalation trends that dominate the 2026 threat landscape: nation-state targeting of critical infrastructure and the ransomware ecosystem’s expansion into operational technology. Shipping moves roughly 90% of global trade by volume. A compromised port terminal controller, a manipulated ECDIS chart, or a spoofed AIS signal creates consequences that extend well beyond the vessel or facility directly affected.

The attack surface is wider than most land-based OT environments. A modern container ship runs dozens of networked systems — navigation, propulsion control, cargo management, communications, and crew welfare — across a vessel that may spend weeks without reliable connectivity to onshore IT support. Patch cycles measured in years, legacy operating systems on navigation hardware, and a crew that cannot call the help desk from mid-Atlantic define the operational context.

ECDIS: The Navigation System Attackers Target

Electronic Chart Display and Information Systems (ECDIS) are the navigational backbone of commercial shipping since the IMO mandated their use for SOLAS vessels from 2012 onward. An ECDIS system displays nautical charts, vessel position (via GPS/GNSS), radar overlays, AIS data, and route planning information. If an attacker can manipulate what the ECDIS displays, they can influence navigational decisions.

The security profile of operational ECDIS is poor. A 2024 survey by maritime cybersecurity firm CyberOwl found that the majority of audited ECDIS installations ran Windows XP or Windows 7, operating systems that Microsoft ended support for in 2014 and 2020 respectively. These systems receive chart update packages via USB drives delivered at port — a physical supply chain vector that bypasses network controls entirely.

Known vulnerability classes:

  • Type approval lag: ECDIS hardware typically holds a type approval certificate valid for several years. Vendors are reluctant to push OS updates that could invalidate the certificate, leaving known-vulnerable OS versions in production long after patches are available.
  • Chart update vectors: Infected USB media delivering malware alongside legitimate chart updates. There is no standard integrity verification for SENC (Standard Electronic Navigation Charts) update packages.
  • Network convergence: Modern vessels route ECDIS data across the same VLAN as crew WiFi and VSAT connectivity in poorly segmented installations, creating a pathway from the internet-facing network to navigation systems.

ICSA-format advisories relevant to ECDIS: Multiple CVEs affecting Furuno, Transas, and JRC ECDIS hardware have been published in the 2023–2025 period, primarily covering authentication bypass, remote code execution via chart parsing, and denial-of-service in web management interfaces.

AIS Spoofing and Manipulation

The Automatic Identification System (AIS) transmits vessel identity, position, speed, and heading on VHF frequencies. It was designed for collision avoidance and traffic management, not security. AIS messages contain no authentication — any transmitter can broadcast any MMSI number with any claimed position.

AIS spoofing has moved from proof-of-concept to documented operational use:

  • GPS/position manipulation: Vessels in the Red Sea and Eastern Mediterranean have reported AIS tracks placing them inland or in airports — likely GPS spoofing affecting their onboard GPS receivers, which then propagates incorrect position data into AIS broadcasts. These incidents increased sharply following the 2025–2026 Middle East conflict escalation.
  • Ghost vessel creation: Spoofed AIS signals creating phantom vessels that don’t physically exist, used to obscure the movements of actual vessels evading sanctions or monitoring.
  • Tanker tracking manipulation: Nation-state actors (primarily assessed as Iranian-affiliated and Russian-affiliated operations) have manipulated AIS to conceal the movements of sanctioned tankers, a technique documented extensively in 2024–2025.

GNSS jamming around conflict zones — notably the eastern Mediterranean, Baltic approaches, and Red Sea — affects not just AIS position accuracy but ECDIS chart overlays, timing systems used for communications synchronisation, and vessel management systems that rely on GPS for time-of-day functions.

Ship Management Systems

Beyond navigation, vessels run management systems from vendors including Kongsberg Maritime, Wärtsilä, and NACOS that control propulsion, ballast water, cargo loading calculations, and engine management. These systems increasingly have remote access capabilities for vendor support and performance monitoring.

The risk profile mirrors other OT remote access scenarios: legitimate support connections using VPNs or vendor-specific remote tools that are infrequently monitored, running over the same VSAT link used for everything else on the vessel. Compromised vendor credentials or MitM attacks on the support connection can provide direct access to propulsion and cargo control systems.

Port Operational Technology

Port OT is better-documented than shipboard OT from a security perspective, partly because port operators are more likely to have dedicated IT/OT staff and partly because land-based connectivity makes incident response more tractable.

Key systems:

  • Terminal Operating Systems (TOS): Manage container tracking, berth assignment, crane scheduling, and cargo manifests. Ransomware targeting TOS has caused significant operational disruption — the COSCO Americas ransomware incident and similar events have demonstrated the cascading effect of TOS unavailability on port operations.
  • Crane control systems: Electromechanical controllers from Liebherr, Konecranes, and Wärtsilä Marine drive ship-to-shore cranes. Remote maintenance access to crane PLCs has been documented as an attack vector.
  • Gate systems: Optical character recognition systems, weighbridges, and access control integrated with TOS — disruption to these creates landside bottlenecks even when waterside operations continue.

Regulatory and Standards Frameworks

IMO Resolution MSC-FAL.1/Circ.3: The IMO’s foundational maritime cyber risk management guidance requires ship operators to incorporate cyber risk into their Safety Management Systems (SMS) under the ISM Code. This became effective for all ships on their first Document of Compliance audit after 1 January 2021.

IMO MSC-MSC/Circ.1526: Technical guidance for addressing cyber risk in existing ISM Code frameworks.

DNV Recommended Practice DNV-RP-0496: DNV (formerly DNV GL) publishes detailed technical guidance for maritime cyber resilience including network segmentation models specific to vessel architectures, update management procedures that work within type approval constraints, and incident response frameworks for at-sea scenarios.

US Coast Guard Maritime Cyber Strategy: USCG published its refreshed Maritime Cyber Strategy in 2024 with specific guidance for both vessels and port facilities under MTSA (Maritime Transportation Security Act) compliance frameworks.

Practical Priorities for Maritime Security Practitioners

Network segmentation audit: Verify that ECDIS, bridge systems, and engine room controls are on isolated VLANs not reachable from crew WiFi or VSAT management interfaces. Many vessels that nominally have segmentation have exceptions and port-forwarding rules that undermine it.

USB media controls: Implement a controlled procedure for chart update media — known-clean USB drives, verified offline against clean systems before vessel use. The physical supply chain for ECDIS updates is one of the most practical intervention points.

GNSS monitoring: Deploy GNSS monitoring software that detects jamming and spoofing indicators. Maritime Information Technology Services (MITS) and dedicated GNSS monitoring systems can log anomalies that would otherwise be invisible.

Incident reporting to flag state and coastal authorities: IMO encourages voluntary cyber incident reporting; several coastal states (including the UK’s MCGA) have begun collecting maritime cyber incident data. Reporting improves collective threat intelligence for the sector.

The maritime sector’s threat exposure has grown materially in the past three years as nation-state operations in conflict-adjacent shipping lanes have increased. Baseline hygiene — segmentation, update management, and GNSS anomaly monitoring — addresses the majority of the exploitable attack surface even before vessel-specific hardening programmes are in place.

Tags
maritimeECDISAIS-spoofingship-securityport-OTGPS-spoofingIMODNVICScritical-infrastructureGMDSS