Blog | May 05, 2016

Cyber Threats to Navy and Merchant Shipping in the Persian Gulf

Recent events have opened up the possibility that future naval exercises may include drills to prepare for cyber attacks on naval forces and maritime shipping, suggests Ian W. Gray in this piece for EWI's Policy Innovation Blog.

In April, the United States Naval Forces Central Command kicked off the International Mine Countermeasure Exercise (IMCMEX) to support the security of maritime chokepoints in the Suez Canal, Bab al-Mandeb and Strait of Hormuz. IMCMEX, involving the Navies from 30 different countries, is one of the world's largest maritime exercises. According to Vice Admiral Kevin Donegan, Commander, U.S. Naval Forces Central Command, the exercise stresses the need to protect the free flow of commerce from a range of maritime threats including piracy, terrorism and mines.

However, while cyber attacks have not been addressed within the current IMCMEX, recent events have indicated that GPS spoofing may be a very real threat within the Persian Gulf, and effectively anywhere. It is possible that future naval exercises may include drills to prepare for cyber attacks on naval forces and maritime shipping by countries such as Iran or its proxies.

Since 1984, the Islamic Republic of Iran has creatively used their naval forces to control the Strait of Hormuz owing to its importance as a strategic global chokepoint. The United States was initially drawn into the Persian Gulf after Iran was blocking exports of Iraqi oil through the Shatt al-Arab during the Iran-Iraq War. The United States was thrust into the Persian Gulf to uphold the Freedom of Navigation (FON), a principle of customary international law, for Kuwaiti tankers. Both Iran and Iraq employed anti-ship cruise missiles as part of an anti-access/ area denial (A2/AD) strategy. Since the conflict during the Iran-Iraq War, known as the Tanker War, the United States has deterred anti-ship mines, missile fires, swarm attacks and general harassment from Iran. During impasses with the West, the Iranian oil minister and other government officials threatened to close the Strait to disrupt oil markets. Though the method of closure was not specified in the threat, GPS spoofing and cyber could be an effective and covert method of controlling merchant shipping in the Persian Gulf.

In 2016, the Baltic and International Maritime Council (BIMCO) released their Guidelines on Cyber Security Onboard Ships, an industry best practices to mitigate risks from the increased networking and automation onboard merchant ships. GPS was listed as a potentially vulnerable system onboard ships, however the extent of the threat was not addressed. Due to the simplicity of the attack, GPS spoofing remains the most likely attack method.

GPS spoofing could be used by Iran as part of an overarching strategy of cyber dominance to leverage control of the Gulf and oil markets abroad. It has been speculated that Iran is covertly controlling the movement of ships within their waters through a subtle manipulation of ships positioning systems, like GPS, as part of a broader A2/AD strategy. North Korea, an ally of Iran, has reportedly used GPS jamming to disrupt air and naval traffic within the demilitarized zone. GPS spoofing, an attack that attempts to manipulate a GPS receiver by broadcasting counterfeit signals, is the most likely vector for future Iranian cyber attacks.

Iran has claimed to have used spoofed signals to cause GPS receivers to estimate that an object is in a position determined by the attacker. This carry-off attack broadcasts signals that are synchronized with the legitimate signals detected by the targeted receiver. The counterfeit signal is gradually increased to overpower the signal strength of the actual GPS transmitter. By way of example, Iranian engineers claimed to have captured a RQ-170 surveillance drone in 2011 through a carry-off GPS spoofing attack.

Researchers attributed similar attack methods to the Iranian capture of two United States riverine patrol boats in January 2016. The vessels unknowingly sailed into Iranian waters and were accused of violating Iran's territorial integrity. According to international law, the ships were exercising their right of innocent passage. Iran, a signatory of the United Nations Law of the Sea Convention, has acknowledged innocent passage as a custom of international law, however with the added provision requiring prior authorization for warships exercising the right of innocent passage through the territorial sea. Several sources cited human error as the cause of the ship's transit into territorial waters, while others claim that GPS spoofing as a possible scenario to gain leverage during Joint Comprehensive Plan of Action (JCPOA) negotiations.

If tensions persist between Iran and the West, it is possible that merchant shipping will present an appealing future target. The Strait of Hormuz will continue to serve as a critical economic transit point for global oil markets and the West. Attacks on shipping will be a way for Iran to exercise its influence over the Strait while also demonstrating resistance to Western imposed sanctions.

The escalatory nature of Iran's cyber attacks suggests that they will continue to use GPS spoofing on merchant shipping as a future attack vector, made all the more possible owing to increased automation and networking onboard merchant ships. Undoubtedly, maritime trade will continue to increasingly prove vulnerable to cyber activity and The Strait of Hormuz looks to feature as an attractive setting, further pitting Iran versus the West in the Gulf.

Ian W. Gray is a graduate student at Columbia University. He is a former surface warfare officer in the U.S. Navy.

The views expressed in this post reflect those of the author and not the views of the EastWest Institute or its programmatic work in the MENA region.