Framework IACS UR E26 · NIS2 Audience Chief Engineer · ETO · DPA Read time 8 min Published 17 April 2026

The 340% Problem: Why GPS Spoofing Is Now a Core Cyber Risk for Your Vessel

What the 2026 Marlink Intelligence Report tells us about navigation integrity — and why IACS UR E26/E27 compliance matters more than ever.

340%

Increase in reported GPS spoofing incidents in 2025

88%

Of vessels rely primarily on GPS for positioning

Hotspot regions: Baltic Sea, Persian Gulf, South China Sea

The headline number

Reported GPS spoofing incidents in maritime operations rose by approximately 340% in 2025 compared to the previous year, according to Marlink’s Cyber Intelligence Report for Maritime 2026. The activity is concentrated in geopolitically sensitive waters — the Baltic Sea, the Persian Gulf, and the South China Sea — but the operational implications extend to any vessel transiting these regions or relying on the same positioning infrastructure.

For context, roughly 88% of vessels rely primarily on GPS as their core positioning input. That dependency, combined with a threat vector that has exploded in twelve months, means navigation integrity is no longer a niche concern for vessels operating in contested waters. It is a core cyber risk issue that now sits on the desks of ETOs, Chief Engineers, DPAs, and technical managers alike.

This article unpacks what GPS spoofing actually is, why it’s a cyber problem rather than just a navigation one, and what practical steps vessel operators should be taking right now.

What GPS spoofing actually is — and why it’s different from jamming

Two related threats affect satellite positioning, and they’re often confused:

Jamming

Attacker broadcasts noise on GPS frequencies, overwhelming the legitimate signal. The vessel loses GPS fix entirely. Bridge alarms trigger. The crew knows something is wrong.

Spoofing

Attacker broadcasts a counterfeit GPS signal that the vessel’s receiver accepts as legitimate. The bridge display shows a position — but it’s the wrong position. The crew may not know anything is wrong.

Key insight

GPS spoofing does not require any intrusion into the vessel’s onboard systems. No malware. No phishing. No compromised credentials. The attack happens in the radio frequency domain, before the signal ever reaches the onboard receiver. This makes traditional IT-centric cyber defences almost entirely irrelevant.

That distinction matters because it reframes the problem. Navigation integrity isn’t something your firewall protects. It requires resilience built into operational procedures, bridge system configuration, and crew training.

Why this is a cyber risk, not just a navigation risk

It’s tempting to file GPS spoofing under “navigation issues” and leave it with the deck department. That would be a mistake, and here’s why.

Modern vessels don’t use GPS in isolation. Positioning data feeds into:

ECDIS — electronic chart display and information systems
AIS — automatic identification systems transmissions to other vessels and shore authorities
Dynamic positioning systems on offshore assets
Engine management and fuel optimisation systems that factor in route and speed
Voyage data recorders and performance monitoring
Ship-to-shore reporting for fleet management and regulatory compliance

A corrupted position input doesn’t just mislead the officer of the watch. It cascades through interconnected systems, producing downstream errors in cargo operations, port coordination, fuel reporting, and regulatory data submissions. This is exactly the kind of IT/OT convergence risk that the Marlink report identifies as defining the modern maritime threat landscape.

The core risk is often not a single compromised system, but degraded trust across multiple data inputs.

— Marlink Cyber Intelligence Report for Maritime 2026

When GPS, AIS, and sensor data become inconsistent, crews must fall back on manual verification procedures that may not be regularly exercised. Decision confidence erodes, and the window for human error widens.

The AIS dimension: a related exposure

AIS manipulation compounds the spoofing problem. AIS data — vessel identity, position, speed, course — can be falsified or altered, either by the vessel transmitting false data or by injection of spoofed AIS signals into the maritime environment. In congested waters or during port approach, this directly affects collision avoidance and port authority coordination.

The combined scenario

When you combine spoofed GPS with manipulated AIS, you have a situation where:

Your own vessel’s displayed position is wrong
Surrounding vessels’ positions as shown on your bridge may also be wrong
Your reported position to shore authorities may be wrong
Nobody involved has any immediate indication that anything is wrong

This is why navigation redundancy — multiple independent positioning sources, cross-verification procedures, and crew familiarity with manual navigation techniques — has to be treated as part of cyber resilience planning, not a separate discipline.

Where IACS UR E26/E27 fits in — and where it doesn’t

It’s worth being precise about what IACS Unified Requirements E26 and E27 can and cannot do when it comes to GPS spoofing — because the honest answer is more nuanced than most compliance guidance suggests.

Important distinction

E26/E27 cannot protect against the RF layer. No network architecture, no segmentation design, and no conduit hardening prevents a spoofed satellite signal from entering a vessel’s NMEA data stream and being accepted as legitimate by downstream systems. GPS spoofing happens before the data ever touches your onboard network. This is not a weakness in the standard — it’s simply outside its scope.

NMEA 0183 — the protocol most vessels use to distribute GPS data to ECDIS, autopilot, AIS, and other subscribers — is classically a one-way serial link. The receiver broadcasts, downstream systems listen. There is no handshake, no authentication, and no mechanism for a firewall or intrusion detection system to distinguish legitimate positioning data from spoofed coordinates. The data arrives looking correct because, from the receiver’s perspective, it is correct.

So where does E26/E27 actually add value in a spoofing scenario? In three specific areas:

Lifecycle management

E26 requires documented lifecycle management for shipboard systems including navigation equipment. In practice, this means GPS receivers and ECDIS systems should carry current firmware. Newer firmware generations increasingly include GNSS anomaly detection — flagging unusual signal-to-noise ratios, suspicious satellite geometry, or sudden position jumps that are characteristic of spoofing attempts. An unmaintained receiver running old firmware is less likely to detect anything.

Security testing requirements

E27 requires security testing of integrated shipboard systems. Applied to bridge and navigation systems, this should include testing system behaviour under degraded or contradictory positioning inputs — what happens when GPS and radar-derived position disagree significantly? Are alarms configured and meaningful? Do crew response procedures exist? These are questions E27 compliance review should be surfacing.

Access control and the distraction vector

This is the subtler point. GPS spoofing in geopolitically sensitive regions is sometimes used as a distraction — while bridge teams are focused on a position anomaly, a simultaneous attacker with network presence may exploit the confusion. E26’s access control and remote access governance requirements reduce the likelihood that an attacker has that network presence in the first place. The segmentation requirements don’t stop spoofed NMEA data; they reduce the risk that spoofing is one component of a larger coordinated attack.

Incident response preparation

E26 requires defined incident response procedures integrated with the Safety Management System. A vessel with documented procedures for navigation system degradation — including positioning anomalies — is better positioned to respond to a spoofing event quickly and correctly. The value is in the preparation, not the detection.

The controls that actually matter for spoofing

The primary defences against GPS spoofing are not network controls. They are positioning redundancy, cross-verification procedures, and crew capability — none of which are purely cyber controls, but all of which belong in a maritime cyber resilience framework.

What actually works

Multi-constellation receivers — requiring simultaneous spoofing of GPS, GLONASS, Galileo, and BeiDou is significantly harder than spoofing GPS alone
Independent position cross-verification — radar-derived position, eLoran where available, and visual fixes provide references that cannot be spoofed remotely
GNSS signal monitoring — configuring receivers and ECDIS to alert on signal-to-noise anomalies, unusual satellite geometry, and impossible position or speed changes
Trained bridge procedures — defined intervals for cross-checking electronic position against independent references, with clear authority for when to distrust GNSS and revert to manual navigation
AIS cross-verification — checking own-vessel AIS transmitted position against independently-derived position at regular intervals

For vessels contracted on or after 1 July 2024, E26/E27 compliance provides the governance framework within which these controls should be documented, tested, and maintained. For legacy fleets, the same controls apply — the difference is that implementing them requires deliberate retrofit effort rather than compliance-driven design.

Compliance with E26/E27 does not make a vessel spoofing-resistant. Operational readiness — maintained equipment, trained crews, and exercised procedures — does.

— Tagsia Maritime Cyber Briefings

What operators should actually do

Based on the Marlink findings and the IACS UR E26/E27 framework, here are the concrete actions vessel operators should be taking — organised by role.

⚓

ETOs and bridge teams

Verify ECDIS and bridge systems alert on positioning anomalies (sudden position jumps, loss of signal, inconsistencies between GPS receivers)
Ensure secondary positioning sources (eLoran where available, inertial navigation, radar-based positioning, celestial as fallback) are functional and crew-familiar
Confirm AIS configuration and cross-verification procedures are documented and exercised

⚙️

Chief Engineers and technical staff

Map which engine, cargo, and operational systems depend on GPS input — direct or indirect
Identify compensating controls where GPS-dependent automation exists
Review patching status of networked bridge and navigation equipment

📋

DPAs and safety management

Integrate GPS/GNSS spoofing scenarios into Safety Management System risk assessments
Ensure incident response procedures cover navigation degradation alongside traditional cyber incidents
Run drills that include positioning compromise, not just IT system outages

📊

Technical Managers

Verify E26/E27 compliance status across the fleet, including retrofit plans for pre-July-2024 tonnage
Review vendor contracts for bridge and navigation systems — who is responsible for security updates, and on what timeline
Assess insurance exposure: policies written with exclusions for unpatched systems or nation-state activity could affect spoofing-related claims

The uncomfortable truth

GPS spoofing is a reminder that maritime cyber risk doesn’t respect the boundaries we’d like to draw. It’s not an IT problem that stops at the server room. It’s not a bridge problem that stops at the wheelhouse. It’s not a compliance problem that stops at the next classification audit.

It’s an operational integrity problem that runs through the whole vessel, and it requires ETOs, engineers, DPAs, and managers to be looking at the same picture from their respective angles.

The 340% figure will almost certainly be higher in next year’s report. The threat isn’t going away. What changes is whether your vessels are architecturally, procedurally, and contractually ready for it.

Where to go next

Tagsia.com maintains a structured library of operational playbooks mapped directly to IACS UR E26 and E27 section requirements — covering network segmentation, access control, navigation system hardening, and the broader controls that determine whether an incident like GPS spoofing stays contained or spreads.

If you’re preparing for classification, retrofitting a legacy fleet, or building cyber resilience into a newbuild specification, the playbooks give you section-by-section operational guidance rather than generic compliance framing.

Explore the IACS UR E26/E27 playbooks →

Source: This briefing draws on findings from Marlink’s Cyber Intelligence Report for Maritime 2026. For the full report, visit marlink.com/solutions/cyber-security. Tagsia.com is an independent maritime OT cybersecurity platform and is not affiliated with Marlink.