From Connected Car to Connected Ship — Mapping Automotive Cyber Concepts to Maritime Security

💡 Insight OT Security Maritime Cybersecurity IACS UR E26 / E27

From Connected Car to Connected Ship: How HU, TCU, and ECU Map to Shipboard Cybersecurity

Automotive security concepts don't map 1:1 to maritime — but the attack flow logic translates directly. Here's how to read a ship through a connected-car lens.

Captain Ethan

Maritime 4.0 · AI, Data & Cyber Security
- LinkedIn : https://www.linkedin.com/in/shipjobs/
Collaborator : Lew, Julius, Jin, Morgan, Yeon

📅2025

Security professionals coming from an automotive background often ask: "How does what I know about HU, TCU, and ECU apply to a ship?" The terminology doesn't map 1:1, but the attack flow logic translates almost directly. This article bridges the two worlds — mapping connected-car security concepts to their maritime equivalents, and explaining how tools like Attack Hosts, Jump Kits, Ping Sweep, ARP analysis, and SDR apply in a shipboard OT security context.

Ⅰ. HU · TCU · ECU — What Are the Ship Equivalents?

Automotive terms don't map directly to maritime, but from a role perspective, the parallels are close enough to be useful. The attack flow in a connected car — HU → TCU → ECU — has a direct shipboard analogue.

1) HU (Head Unit) → Ship HMI / Bridge Console / Monitoring Panel

Automotive HU

Infotainment, navigation, radio, WiFi, Bluetooth — screen + input + network, all in one exposed point

Ship Equivalent

ECDIS, VDR Viewer, IPMS HMI, bridge integrated console, situational monitoring panels — often Windows-based + Ethernet + occasional vendor VPN

Security Lens

The human-facing screen/PC that is also the frontmost exposed interface connected to the OT network

👉 HU vulnerability analysis in automotive security translates directly to port scanning, service version checks, and authentication bypass testing on shipboard HMI/console systems — within ROE limits.

2) TCU (Telematics Control Unit) → SATCOM Modem + Shore Gateway

Automotive TCU

LTE/5G modem, backend server comms, remote start, location transmission

Ship Equivalent

VSAT/Inmarsat modem, ship-shore data gateway, fleet monitoring equipment (perf data / engine status), vendor remote maintenance VPN gateway

Security Lens

Which ports are open, what encryption/auth is used, and how it connects to the internal network

👉 TCU-based comms analysis in automotive → Understanding SATCOM terminal + shore server structure on ships: open ports, encryption, and internal network interconnection.

3) ECU (Electronic Control Unit) → Engine, Steering, Power, Ballast Control

Automotive ECU

Engine, brakes, steering — physical control via CAN protocol network

Ship Equivalent

Engine control, steering, PMS, ballast control, automation panels — CAN, Modbus, Profibus, NMEA, proprietary fieldbus

Security Lens

How to design and verify the IT→OT security boundary — the exact point IACS UR E26/E27 targets

👉 If the car attack flow is HU/TCU → ECU, the ship equivalent is: External network / SATCOM / HMI → Control network (engine · steering · power).

---

Ⅱ. Attack Host & Jump Kit — Redefined for Ships

Attack Host → Security Diagnostic Workstation

The Kali/Parrot OS attack host from automotive security is needed in maritime — but repurposed:

• OS: Kali Linux, Parrot OS, or Hardened Linux
• Tools: Nmap, Wireshark, OpenVAS, tcpdump
• Checks: VLAN structure, exposed ports, default passwords, SATCOM router config

Not an attack machine — an official security diagnostic tool used strictly within defined ROE.

Jump Kit → Ship Security Diagnostic Kit

Redefined for ships as: "A verified, controlled test kit containing the equipment and software needed for shipboard cyber security diagnostics."

• 1–2 laptops (analysis + backup)
• Managed switch / small router (lab network reproduction)
• SDR (BladeRF, HackRF) — lab use only, not on operating vessels
• USB serial adapters, CAN/RS-485 interfaces (console monitoring)

⚠️ Jump Kit errors = unreproducible tests, collapsed result credibility, rejected certifications.

---

Ⅲ. Ping Sweep & ARP Analysis — Applied to Ships

In automotive security, Ping Sweep and ARP Cache Analysis find live devices on a test network. On a ship, the same techniques serve a different, defensive purpose.

Ping Sweep — Asset Discovery

• 10.x.x.x range → engine room OT devices
• 192.168.x.x range → office/bridge PCs
• Response patterns reveal network segmentation status

⚠️ Indiscriminate scanning on an underway vessel can overload OT devices. Must be executed within planned scope, with ROE + Class/owner approval.

ARP Cache Analysis — Relationship Mapping

Reading ARP caches from switches, routers, or local OS reveals which IP maps to which MAC — and which manufacturer (OUI) the device belongs to.

✓ Highly effective for finding "shadow devices" not in documentation — maintenance laptops left plugged in, crew-installed NAS units. In automotive, it finds attack paths. On ships, it validates the asset inventory.

---

Ⅳ. Wireless Interfaces: WiFi/BLE/GSM → SATCOM/AIS/GMDSS

Connected car hacking centered on wireless interfaces — WiFi, Bluetooth, cellular. Ships have a parallel structure, but with different types and roles.

Shipboard Wireless Interfaces

SATCOM (VSAT, Inmarsat)

Ship-shore data communication

WiFi

Crew/passenger, maintenance, equipment management

LTE/5G

Data comms during coastal navigation

AIS / GMDSS / VHF

Navigation and safety comms — strict regulatory constraints apply

What automotive security skills apply here:

✓Wireless network identification: SSID/Hidden SSID/ESSID/BSSID — distinguishing equipment APs from crew/passenger APs

✓Encryption/authentication review: WPA2/WPA3, captive portal, VLAN tagging

✓Wireless segment separation check: "Does Crew WiFi have any path to the OT network?"

⚠️ Attack scenarios like Evil Twin are legally and operationally sensitive on real vessels. Automotive attack concepts should be converted into defensive design requirements and inspection checklists for shipboard use.

---

Ⅴ. SDR & GNU Radio — What They Can Do on Ships (Lab Context Only)

SDR tools (HackRF, BladeRF) and GNU Radio are tools for receiving and understanding wireless signal structure. On ships, their realistic use is in lab environments only.

Lab: AIS / GMDSS Signal Analysis

• Understand AIS signal structure in a simulator/testbed
• Learn GMDSS concepts and satellite/VHF communication flow
• Goal: understand protocol structure to inform encryption/auth design decisions

Lab: VSAT/LTE Traffic Metadata (within legal bounds)

• Via lawful TAP/mirror port: observe which servers the vessel communicates with
• Monitor normal traffic volume and pattern baselines
• Meaningful for security monitoring, not signal manipulation

The Key Distinction

Creating a fake BTS to trick a vehicle TCU — like in the automotive book — is legally and operationally near-impossible on real vessels. Instead, the SDR/GNU Radio stack is best applied on ships for defensive research: protocol understanding, anomaly detection modeling, and intrusion detection algorithm development.

---

Key Takeaways

🚗→🚢 Attack Flow Maps

HU→TCU→ECU = HMI/Bridge→SATCOM/Gateway→Engine/Steering. The terminology differs, but the attack path logic is identical.

🔧 Tools Shift Purpose

Attack hosts and jump kits become official diagnostic equipment on ships — same tools, defensive intent, strictly bounded by ROE.

🔍 ARP = Asset Audit

On ships, ARP analysis is used to find undocumented shadow devices — not to map attack paths. Same technique, entirely different application.

⚠️ Attacks → Defenses

Offensive techniques (Evil Twin, fake BTS, etc.) are legally/operationally restricted on real vessels — convert attack knowledge into defensive design checklists.

#MaritimeCybersecurity #OTSecurity #IACSE26 #ConnectedShip #AutomotiveSecurity #SDR #PenTest #NetworkZoning #Maritime40

Captain Ethan

Maritime 4.0 · AI, Data & Cyber Security

Maritime professional focused on the intersection of vessel operations, classification society regulations, and OT/IT cybersecurity. Writing for engineers, consultants, and operators navigating Maritime 4.0 together.

🌐 More Articles ↗