Ships Re-Routed, Ships Run Aground
Andrew Ginter
“Everyone” has heard of the 5-week shutdown of Jaguar Land Rover by a cyber attack. That attack is the obvious headline for Waterfall’s up-coming webinar “Top 10 OT Cyber Attacks of 2025” that I’m currently researching. But – is this attack the most interesting of 2025?
Here are a couple other incidents for consideration:
- Container ship MSC Antonia runs aground due to GPS spoofing
- Bulker Meghna Princess carrying 25,000 tons of fertilizer runs aground due to GPS spoofing (occurred in Dec 2024, but was disclosed only in Mar 2025),
- 15-year old teen hacks maritime route of oil tanker and other vessels
While details of the investigations into these events have not been published, on the surface the three incidents seem evidence of the importance of evaluating residual risk when we design automation and cybersecurity systems.
GPS Spoofing
A bit of background first: GPS Spoofing (as opposed to simpler GPS jamming) is when false geolocation signals are transmitted, either directionally to affect a specific target, or broadcast in a region to affect indiscriminately all nearby receivers. GPS satellite signals are comparatively weak, and it does not take a very powerful transmitter to overwhelm legitimate signals. GPS spoofing has become fairly common in kinetic conflict areas such as the Middle East (the Red Sea in particular), the North/South Korean border, the Black Sea and Baltic Sea, Northern Europe, and anywhere near Ukraine and western Russia. All of which means that anyone who cares about where they are in these and other regions really cannot rely exclusively on GPS.
Rerouting Tankers
The original report of the teenager’s hack of ship routes included graphics with the appearance of an Electronic Chart Display and Information System (ECDIS), which is a shipboard system that regulators allow as a substitute for paper charts. ECDIS display the position and heading of vessels automatically, pulling information from the ship’s GPS, other location systems, as well as Automatic Identification System (AIS) broadcasts from nearby ships detailing those ships’ location, speed, heading and other navigational data. Some (all?) these ECDIS can also steer ships by auto-pilot, once a route is entered. While the news report’s ECDIS-looking graphic was entitled “Maritime traffic in the Mediterranean” and subsequent reports claimed the teenager in fact hacked into one or more ECDIS, these reports may not be accurate. It seems more plausible, to me at least, that the individual hacked into a shore-side system that managed route planning for multiple ships, rather than hacked into multiple ships at sea and modified their shipboard systems to bring about the diversions.
Assessing Residual Risks & Consequences
Managing cyber risk to physical operations involves more than blindly deploying a bunch of OT security controls, dusting our hands off, and walking away. It’s easy to say “Hah! They should have had two factor!” or some such, but 2FA isn’t going to help with GPS spoofing is it?
Once we’ve deployed an automation or security system, we need to evaluate residual risk – what’s left over? The right way to do this is not just to produce a list of missing patches in our PLC’s. The right way is to look at a representative spectrum of credible attacks – attacks that are reasonable to believe may be leveled against us, the system, or someone much like us or the system, within our planning horizon. Evaluate these credible attacks against our defensive posture and determine what are credible consequences – what consequences are reasonable to expect when a credible attack hits us? And when those consequences are unacceptable (eg: ship runs aground, oil tanker is diverted into environmentally sensitive waters), we need to change something.
For example, given the prevalence of GPS spoofing in many regions, and the prevalence of GPS jammers in many more, it seems reasonable to me that anyone (operating a ship, an aircraft, or a locomotive) who needs to know their precise position or even the precise time needs multiple, independent sources of that information. And we need alarms to sound when those independent sources disagree materially, and we need manual or other fall-back procedures when we detect such disagreement.
Another example – given the importance of a big vessel’s route, it seems reasonable that when the route changes for any reason, the captain should be notified of the change, and the change logged in an indelible / WORM ship’s log. It also seems reasonable that captains or acting captains are trained to examine unexpected route changes to make sure they make sense – not just because of potential attacks, but because of potential errors and omissions of shipboard or on-shore personnel. Note: I’m not an expert on shipboard systems – for all I know all this happens already and is how the teenager’s hack was detected? One can hope.
Reasonable Responses to Credible Threats
When we make decisions about other people’s safety, we have ethical and often legal obligations to make reasonable decisions. For that matter, when we make decisions about other people’s money, especially large amounts of it, we have similar obligations. OT security is more than OT putting our head in the sand and saying “Ship route planning is an IT system.” It is more than IT putting their head in the sand and saying “Not running aground is the captain’s responsibility.” Every business has an obligation to make reasonable design, training and other decisions about the safety of the public and workers, and reasonable decisions about the large amounts of money invested in physical processes like large ships.
More generally, we study attacks to understand what is reasonable to defend against. And we study breaches and defensive failures to try to understand whether our own management processes would really have prevented analogous breaches and failures.
About the author
Andrew Ginter
Share
Trending posts
IT/OT Cyber Theory: Espionage vs. Sabotage
Ships Re-Routed, Ships Run Aground
Stay up to date
Subscribe to our blog and receive insights straight to your inbox
