Autonomous maritime vehicles and cybersecurity risks

We have already discussed autonomous maritime vehicles in several previous articles, notably in the context of the first trials of autonomous ferries in Finland, in an article about the future of maritime information systems, and when reviewing some of the emerging regulatory references on the subject.

In the maritime domain, different categories of autonomous systems exist or are expected to emerge, including UAVs (Unmanned Aerial Vehicles), USVs (Unmanned Surface Vehicles), and UUVs (Unmanned Underwater Vehicles).

Autonomous vessels are unlikely to become ubiquitous in the short term, and even in the long term their widespread use raises important questions—particularly for passenger transport, high-value cargo, or fishing activities. However, autonomy may offer clear advantages in certain contexts: congested waterways, complex and potentially dangerous maneuvers for crews, military applications, or safety improvements such as collision and grounding prevention.

That said, autonomy implies automation and, in many cases, remote connectivity. Both introduce new cybersecurity risks that must be considered from the outset. It would be unfortunate if the industry once again approached the issue backwards—focusing first on autonomous ships and smart ports, and only later on their security.

On the industry side, companies such as Rolls-Royce and Wärtsilä have been among the most active in demonstrating their capabilities in this field, whether for tugboats, ferries, or larger autonomous vessels (see my YouTube channel for several examples of both current and futuristic concepts).

The main cybersecurity challenges associated with these vessels include:

Automation

Automation relies heavily on sensors, industrial control systems, and increasingly artificial intelligence. While these technologies can simplify daily operations, the automated execution of tasks and automated decision-making raise significant cybersecurity questions.

Key issues include:

  • the trustworthiness of sensors (navigation sensors, positioning systems, environmental data, etc.)
  • the reliability of onboard processing systems, including controllers and computing platforms
  • the security of software, algorithms, and machine-learning models
  • the integrity of training datasets used for AI systems

Sensor integrity is particularly critical. For instance, the risks associated with satellite positioning systems—such as GNSS spoofing or jamming—have already been widely documented.

Another major concern is resilience at sea. As system complexity increases, ensuring the vessel’s ability to operate safely under degraded conditions becomes increasingly challenging.

System integration

Autonomy relies heavily on the interconnection of systems that were previously isolated from one another—physically, logically, and operationally.

Modern autonomous platforms also depend on large-scale data processing and analytics (often referred to as big data) to coordinate navigation, propulsion, situational awareness, and mission planning.

While this integration enables advanced capabilities, it also increases the attack surface, as vulnerabilities in one system may propagate to others.

Remote control and maintenance

Depending on the level of autonomy, control may remain local—similar to an advanced autopilot activated by the officer of the watch—or it may be remote, with no crew present on the bridge and the vessel controlled from shore for all or part of its mission.

For operational monitoring and maintenance purposes, remote connectivity will likely become even more common on autonomous vessels. This makes the availability, integrity, and potentially the confidentiality of communication links between ship and shore critical security concerns.

These links will often rely on shared infrastructure and, in many cases, on the public Internet.

Risks

In the event of an incident, responsibility could involve multiple actors: shipowners, port operators, technology providers, and system integrators.

One can even imagine complex scenarios—for example, an autonomous vessel docking in a smart port assisted by autonomous tugboats. In such cases, determining liability after an accident could prove particularly challenging.

A key characteristic of autonomous systems is that, aside from espionage scenarios, cyberattacks are highly likely to produce cyber-physical effects. These effects may impact the environment, infrastructure, cargo, vessels, or human safety.

One of the primary risks associated with autonomous vessels stems from their reliance on sensors—such as GPS, AIS, radar, and digital charts—which can potentially be manipulated.

For example, a positioning attack (jamming or, more critically, spoofing) could have severe consequences if the vessel’s remote supervision fails. If an attacker also succeeds in deceiving both the vessel and its remote control system—somewhat reminiscent of the Stuxnet approach—implementing countermeasures becomes extremely difficult.

In such a scenario, the vessel may attempt to automatically correct its course or speed based on falsified sensor data. Without human oversight, this could lead to:

  • collisions with other vessels
  • groundings
  • collisions with port infrastructure
  • failure to safely transit critical areas such as narrow straits

Researchers demonstrated such risks as early as 2013, when a team from the University of Texas successfully spoofed the GPS system of a superyacht during a controlled experiment.
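
As an added example (not part of the original article), here is a plausibility check of the kind this scenario calls for: each GNSS fix is compared with a dead-reckoned track built only from gyro heading and speed log, and an alarm is raised when the two diverge. The function names, tolerances and sample track are assumptions constructed for illustration.

```python
import math

EARTH_R = 6371000.0   # mean Earth radius, metres
KNOT = 0.514444       # metres per second in one knot

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_R * math.asin(math.sqrt(a))

def dead_reckon(lat, lon, heading_deg, speed_kn, dt_s):
    """Advance a position from gyro heading and speed log only (short flat-earth step)."""
    d, h = speed_kn * KNOT * dt_s, math.radians(heading_deg)
    dlat = d * math.cos(h) / EARTH_R
    dlon = d * math.sin(h) / (EARTH_R * math.cos(math.radians(lat)))
    return lat + math.degrees(dlat), lon + math.degrees(dlon)

def check_gnss(samples, base_tol_m=30.0, drift_m_per_s=0.5):
    """Return (t, divergence_m, alarm) per sample. The reference track is seeded once
    from the first fix and never re-seeded from GNSS, so a pull-off cannot drag it along."""
    t0, (lat, lon) = samples[0]["t"], samples[0]["gnss"]
    prev_t, results = t0, []
    for s in samples[1:]:
        lat, lon = dead_reckon(lat, lon, s["heading"], s["speed_kn"], s["t"] - prev_t)
        prev_t = s["t"]
        div = haversine_m(lat, lon, *s["gnss"])
        tol = base_tol_m + drift_m_per_s * (s["t"] - t0)   # DR error grows with time
        results.append((s["t"], round(div, 1), div > tol))
    return results

def constructed_track(spoof_from=4, step_m=60.0, n=8):
    """Constructed data: 10 kn due east from 60N 25E, one sample every 10 s.
    From index spoof_from on, the reported GNSS fix moves north by step_m per sample."""
    lat, lon = 60.0, 25.0
    out = [{"t": 0, "gnss": (lat, lon), "heading": 90.0, "speed_kn": 10.0}]
    for i in range(1, n):
        lat, lon = dead_reckon(lat, lon, 90.0, 10.0, 10)
        off_m = max(0, i - spoof_from + 1) * step_m
        fix = (lat + math.degrees(off_m / EARTH_R), lon)
        out.append({"t": i * 10, "gnss": fix, "heading": 90.0, "speed_kn": 10.0})
    return out

if __name__ == "__main__":
    for t, div, alarm in check_gnss(constructed_track()):
        print(f"t={t:3d}s  divergence={div:6.1f} m  {'ALARM' if alarm else 'ok'}")
```

Dead reckoning itself drifts (current, leeway, log error), which is why the tolerance grows with elapsed time; a deployed check would bound that growth with another independent reference such as radar ranges or depth against the chart.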

What can be done?

From my perspective, five main lines of effort should be prioritized:

  1. Regulatory action. The IMO and other regulators must establish strong cybersecurity requirements for autonomous vessels, particularly regarding data fusion between systems, sensor trust, AI behavior under abnormal conditions, and network segmentation and redundancy.

  2. Industry awareness. Shipbuilders, technology providers, and maritime equipment manufacturers should recognize that security-by-design will become a competitive advantage for future autonomous platforms.

  3. Testing and resilience exercises. Degraded-mode operations must be thoroughly tested to identify vulnerabilities. This should occur both during certification processes and throughout the vessel’s operational lifecycle.

  4. Cybersecurity certification of maritime information systems before deployment on autonomous vessels. While this will not eliminate all risks, it can significantly reduce the attack surface.

  5. Continuous cybersecurity monitoring, including remote monitoring capabilities for autonomous platforms.

Further reading

Guide from the French Maritime Cluster on maritime drones:
https://www.cluster-maritime.fr/wp-content/uploads/2020/06/CMF_guide_drones_juin2020.pdf
