Hijacking of unmanned surface vehicles: A demonstration of attacks and countermeasures in the field

Driven by advances in information and communication technologies, an increasing number of industries embrace unmanned and autonomous vehicles for services, such as public transportation, shipping, mapping, and remote surveillance. Unfortunately, these vehicles are vulnerable to passive and active cyber‐physical attacks that can be used for industrial espionage and hijacking attempts. Since attackers can use hijacked vehicles as weapons in terrorist attacks, ensuring the secure operation of such vehicles is critical to prevent the attacks from causing dire financial consequences, or worse, the loss of human lives. This study is motivated by the observation that most cybersecurity studies provide superficial, high‐level descriptions of vulnerabilities and attacks, and the true impact of the described attacks remains unclear. To address this problem, we demonstrate advanced manipulation attacks against an underactuated Unmanned Surface Vehicle (USV) that result in successful hijackings. Using state‐of‐the‐art cryptography, we also show how the signal transmission can be secured to avoid hijacking attempts actively steering the vehicle off course. Through field experiments, we demonstrate how the attacks affect the closed‐loop guidance, navigation, and control system and how the proposed countermeasures prevent these attacks from being successful. Our study is unique in that we provide a complete description of the attacked USV and give a detailed analysis of how spoofed navigation estimates affect the closed‐loop behavior of the underactuated USV.

leaders are racing to develop advanced autonomous solutions for ferries (Rolls-Royce, 2018) and cargo ships (Quinton, 2021), respectively. Additionally, commercialization of ideas from public research projects, for example, the Autoferry project (NTNU, 2021), occurs through spin-off companies seeking to develop autonomous ferries for urban public transportation.
Unfortunately, cybersecurity concerns threaten the growth of the autonomous ships market (Research and Markets, 2021).
Hijacking attacks of autonomous ships pose a crucial threat, as they may be used for stealing goods or as weapons in terrorist attacks.
Targeting other vessels or off-shore and coastal installations, for example, cruise ships, oil & gas platforms, and on-shore centers, such attacks threaten the lives of civilians and may cause dire financial consequences (Vinnem & Utne, 2018). Consequently, several challenges remain before fully autonomous ships can be accepted by authorities, classification societies, and the general public.
At the core of autonomous vehicles are advanced guidance, navigation, and control (GNC) systems (Fossen, 2021). Often implemented as distributed systems, the GNC components communicate over buses and networks spanning the vehicle. Historically, Controller Area Network (CAN) buses have been used for this purpose; however, Ethernet is becoming an increasingly popular option for intravehicular communication (Tuohy et al., 2015; Wollschlaeger et al., 2017). Generally, we refer to feedback control systems closing the loop over networks as Networked Control Systems (NCSs). With the ease of installation and reduced maintenance costs due to flexible software and hardware architectures, NCSs provide significant advantages over systems with independent communication channels (Hespanha et al., 2007). Nevertheless, these communication lines are inherently insecure, making NCSs vulnerable to cyber-physical attacks. Additionally, developers often use middleware frameworks such as the Robot Operating System (ROS) and the Underwater Systems and Technology Laboratory (LSTS) toolchain (Pinto et al., 2013) to implement NCSs. In fact, according to a study by ABI Research (2019), ROS is expected to be present in a large fraction of future commercial robotic systems. However, these frameworks do not provide additional security mechanisms, and researchers have expressed concerns about the security of these frameworks for some time (Dieber et al., 2020; Teixeira et al., 2020). Therefore, it is essential to address these vulnerabilities, and as such, ROS 2, currently under development, includes additional security mechanisms (Fazzari, 2021).
While researchers have expressed concerns over the security of intravehicular communication, attacks taking advantage of the vulnerabilities are rarely demonstrated. This may lead to a false sense of security among system developers when using popular software frameworks. As a result, in this paper, we describe and demonstrate how we can exploit these vulnerabilities to hijack and take control of an underactuated unmanned surface vehicle (USV), thus bridging the gap between theory and practice. We also demonstrate how we can prevent these attacks by securing the GNC communication with

| Related work
Because of the great benefits associated with NCSs, they are increasingly used in vehicles (El-Rewini et al., 2020). However, since NCSs connect system components across a network and are vulnerable to cyber-physical attacks, such as eavesdropping and data injection (Teixeira et al., 2012; Wang & Yang, 2019), researchers have expressed concerns about the cybersecurity of NCSs for many years (Dzung et al., 2005). In particular, with increased self-governance, security breaches in onboard communication systems may directly cause altered behavior in unmanned and autonomous vehicles. As such, there is a growing concern about the cyber-physical resilience of these vehicles (Bolbot et al., 2020; Silverajan et al., 2018; Tan et al., 2020), and it is therefore critical to establish secure communication between the connected devices.

FIGURE 1 An overview of the NTNU Otter unmanned surface vehicle
Numerous surveys and review papers have described vulnerabilities and cyber-attacks against vehicles. El-Rewini et al. (2020) describe vehicular cybersecurity challenges using a hierarchical framework to isolate threats and attacks in three layers: sensing, communication, and control. Considering a broad scope of attack vectors against inter- and intravehicular communication, Sun et al. (2021) discuss cybersecurity vulnerabilities related to autonomous cars.
Similarly, in the maritime domain, Silverajan et al. (2018) describe relevant attack surfaces for unmanned smart ships. These attack surfaces, and cyber-attacks against autonomous ships, were later analyzed and classified according to the Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service (DoS), and Elevation of privilege (STRIDE) approach by Kavallieratos et al. (2019).
With a focus on intravehicular communication, Yağdereli et al. (2015) describe attacks targeting communication lines, such as passive eavesdropping and active masquerading and message modification attacks, against unmanned and autonomous vehicles. Notably, these studies provide superficial descriptions, and the viability of executing the attacks, and the resulting consequences, remain unclear.
Considering cyber-attack demonstrations on intravehicular communication, Kang et al. (2018) implemented an attack against a CAN bus in a conventional car, where messages were first eavesdropped upon and analyzed, followed by the injection of spoofed messages. In the maritime domain, Lund et al. (2018)  Hence, the signals are not used directly in closed-loop control. As such, we find that the literature lacks studies demonstrating how unmanned and autonomous vehicles with increased self-governance are affected by such attacks.
To detect cyber-attacks against intravehicular communication, we can use cryptographic methods or anomaly-based intrusion detection systems (IDSs). The use of anomaly-based IDSs is often motivated by claims stating that encryption and authentication methods conflict with the link-layer data frames used or are too resource-intensive (Han et al., 2021; Wu et al., 2020). However, these assumptions may be problematic in many practical applications. First, anomaly detection methods are problematic themselves because they require accurate definitions of normality. This is very challenging, causing anomaly detection methods to suffer from high false-positive rates (Jallad et al., 2020). A high false-positive rate, combined with a low probability of attack, that is, base rate, is problematic because of the base rate fallacy phenomenon (Axelsson, 2000). For this reason, anomaly-based IDSs are rarely used in practice (Jallad et al., 2020). Second, regarding the use of cryptographic algorithms, we argue that the cryptographic algorithms rarely have to be used at the link layer. Just like cryptographic operations are not applied on the payload of Ethernet frames, they need not be applied on the payload of CAN bus frames. Instead, they can often be used higher up in the communication protocol stack, for example, at the application layer. Concerning the efficiency of cryptographic algorithms, we find that modern, symmetric cryptographic algorithms are very efficient and can, therefore, be applied to feedback control systems without inducing significant time delays (Volden et al., 2021). For example, Mun et al. (2020) have suggested using cryptographic authentication methods on a CAN bus and conducted laboratory experiments for validation that demonstrated their efficiency.

| Main contributions
Rather than reiterating high-level descriptions of cyber-physical attacks and related countermeasures, the main objective of this study is to demonstrate that cyber-physical attacks can indeed be implemented and used to hijack a USV. We also show that our proposed cryptographic methods can prevent these attacks from being successful. In particular, we describe how manipulation of yaw (i.e., heading) and position estimates changes the behavior of an underactuated USV. We proceed by describing how these attacks can be implemented and then suggest countermeasures that secure the GNC communication against eavesdropping, injection, and replay attacks. Finally, we implement the attacks on the insecure and the secured system and conduct field experiments to verify that the attacks are indeed successful in hijacking the vehicle without cryptographic protection and that the cryptographic methods successfully detect and prevent such attacks. The proposed cryptographic methods are beneficial compared with previously proposed anomaly-based IDSs because the problems of high false-positive rates and false-negative rates are reduced to a minimum if symmetric cryptographic algorithms are used. Consequently, contrary to anomaly-based IDSs, the proposed methods are appropriate for practical applications. In summary, the following are considered the main contributions of this study:
• We describe and analyze how manipulation of position and heading estimates affects the closed-loop behavior of an underactuated USV.
• We provide a detailed description of how these attacks can be implemented.
• We describe how cryptographic methods can prevent such attacks and argue that they are more practical than previously proposed anomaly-based IDSs.
• We implement and demonstrate the effect of the described attacks and defensive measures on a USV.
The remainder of this paper is structured as follows. In Section 2, we introduce cryptographic concepts relevant to securing distributed GNC systems. We then present the case study in Section 3, where we introduce USV motion control. On the basis of this, we describe how eavesdropping and spoofing attacks can be used to manipulate the USV and how cryptographic measures can prevent these attacks.
In Section 4, we show the experimental setup and describe the experiments. Then, in Section 5, we describe and discuss the experimental results. Finally, Section 6 concludes the paper.

| CRYPTOGRAPHY
When a USV uses a distributed GNC system, it becomes vulnerable to cyber-attacks if adversaries gain access to the transmission lines.
In fact, the usual assumption in security analysis is that adversaries do have access to the transmission lines. For example, an adversary with such access can eavesdrop on the communication to obtain confidential information or inject spoofed messages to manipulate the behavior of the USV. Such attacks may be used for industrial espionage and hijacking purposes. By using cryptographic methods, we can prevent these attacks from being successful.

| Cryptographic concepts and terminology
Cryptography is typically used to achieve secure signal transmission (confidentiality) across insecure communication lines. Today, in the analysis and design of cryptographic algorithms, it is assumed that the cryptographic algorithm is known by the adversary, and only the keys, and material directly derived from the keys, are kept secret. This is commonly referred to as Kerckhoffs's Principle.

| Symmetric and asymmetric cryptography
Cryptographic schemes are classified as symmetric and asymmetric, depending on whether the transmitter and the receiver use the same keys or not. Asymmetric cryptographic schemes are often based on number-theoretic problems that are believed to be hard, such as finding where p and q are of approximately the same size (in bits), or finding the discrete logarithm $b$ of a group element $a = g^b$ given the very large group , the group element $a$, and the generator of the group $g$. On the other hand, symmetric cryptographic schemes are built using finite state automata, bitwise operators, such as AND, OR, and XOR, and transpositions and highly nonlinear substitutions. Consequently, symmetric cryptography is much faster than asymmetric cryptography in software.
However, asymmetric cryptography brings other unique properties, such as the possibility of nonrepudiation and symmetric key exchange.
Since the GNC components are assumed to be trusted entities and key exchange is not required, these properties are unnecessary. As such, we will only consider symmetric cryptography in this paper.

| Encryption
Encryption algorithms are used to obtain confidential signal transmission over insecure transmission channels. We refer to an encryption algorithm as a block cipher or a stream cipher depending on whether the algorithm is stateless or stateful. While block ciphers are N-bit substitutions parameterized by a secret K-bit key, the stream ciphers work by extending the key to a much longer pseudorandom sequence known as the keystream.
Since the encryption algorithms need to work across insecure transmission channels, the stateful stream ciphers require a cryptographic synchronization mechanism. This is typically achieved using a public parameter known as the initialization vector (IV). The IV and the secret key are used to derive an initial state of the cipher, typically on a per-message basis. The input to an encryption algorithm is called plaintext, while the resulting output is called ciphertext. By decrypting the ciphertext, the corresponding plaintext is recovered. Without access to the secret key, the ciphertext should be computationally indistinguishable from white noise. An encryption algorithm is considered broken if an attack that recovers the key and/or the plaintext with computational complexity less than $2^K$ exists. Today, a key size of 128 bits or more is recommended for data that needs to be protected after 2030 (Barker & Roginsky, 2019).

| Authentication
Unfortunately, encryption does not ensure the integrity nor confirmation of the true origin of the message, that is, asserting that information received is from a trusted source. This is referred to as data origin authenticity. Data origin authenticity may be obtained through the use of message authentication codes (MACs). A MAC is a function parameterized by a secret, shared key that maps a message of arbitrary size to a fixed B-bit output. The output of the MAC is referred to as a tag and is transmitted with the message. Upon reception, the receiver, in possession of the secret key, recomputes the tag and compares the tag with the received tag. If the tags match, the message is considered authentic. In addition to resistance against key recovery attacks, a MAC should resist existential forgery attacks, that is, it should be infeasible for an adversary without knowledge of the secret key to produce a valid (message, tag)-pair for a new message.
Assuming the MAC used is cryptographically secure, the computational complexity of an existential forgery is $2^{B/2}$ because of the birthday attack (Stinson & Paterson, 2018, p. 143). Consequently, a tag size of 128 bits results in 64-bit security against existential forgery. The key size used in the MAC should be similar to that used in encryption algorithms, while the tag size depends on other considerations, such as the feasibility of testing large quantities of (message, tag)-pairs for the adversary. The most commonly used MAC is the Keyed-Hash Message Authentication Code, which constructs a MAC from cryptographic hash functions (Dang, 2008).

| Authenticated encryption
Since both confidentiality and data origin authenticity are desirable properties, encryption and MACs are often combined. This is referred to as authenticated encryption. Authenticated encryption can be obtained through the use of generic compositions such as "encrypt-then-MAC" (Bellare & Namprempre, 2008) or through dedicated algorithms designed to provide both confidentiality and data origin authenticity directly, such as AEGIS (Wu & Preneel, 2014).

| Fault checks and cryptographic authenticity
Before continuing, we emphasize the difference between conventional fault checks and cryptographic MACs. Fault checks such as parity bits, checksums, cyclic redundancy checks (CRCs), and hash codes are public, unkeyed algorithms designed to detect inadvertent transmission errors or data integrity breaches. As such, anyone with knowledge of the specific fault check used can forge valid messages. This is fundamentally different from MACs, for which it should be computationally infeasible for an adversary to compute a valid (message, tag)-pair for a new message, that is, an existential forgery.
Communication protocols frequently use conventional fault checks to discard corrupted messages. However, the existence of such fault checks does not make the system secure against active adversaries. These adversaries can forge valid messages that the receiver accepts. Examples of frameworks that use conventional fault checks and not cryptographic MACs include the InterModule Communication (IMC) protocol, used in the LSTS toolchain. Other frameworks, such as ROS, do not even use conventional fault checks (Dieber et al., 2020).
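The difference between a fault check and a MAC can be made concrete with a receiver that enforces each. The following Python sketch is an added example, not code from the paper or from the LSTS toolchain; the three-double payload layout, the CRC-32 trailer, the key, and the sample values are constructed for illustration and do not reproduce the IMC format.

```python
import hashlib
import hmac
import struct
import zlib

DEMO_KEY = bytes(range(32))  # constructed key, for this example only
TAG_LEN = 32                 # HMAC-SHA256 tag size in bytes


def pack_nav(yaw_deg, lat_deg, lon_deg):
    """Hypothetical payload layout: three little-endian doubles."""
    return struct.pack("<3d", yaw_deg, lat_deg, lon_deg)


def crc_frame(payload):
    """Payload followed by a public, unkeyed CRC-32 trailer."""
    return payload + struct.pack("<I", zlib.crc32(payload))


def crc_accept(frame):
    """Receiver that only runs the fault check."""
    payload = frame[:-4]
    (crc,) = struct.unpack("<I", frame[-4:])
    return payload if zlib.crc32(payload) == crc else None


def mac_frame(key, payload):
    """Payload followed by an HMAC-SHA256 tag computed with the shared key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_accept(key, frame):
    """Receiver that recomputes the tag and compares in constant time."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def compare_checks():
    """Run both receivers over a transmission error and a deliberate change."""
    original = pack_nav(12.0, 63.44, 10.40)         # constructed sample values
    altered = pack_nav(12.0 + 57.3, 63.44, 10.40)   # yaw changed on the link

    noisy = bytearray(crc_frame(original))
    noisy[3] ^= 0x01                                # single-bit transmission error

    genuine_tag = mac_frame(DEMO_KEY, original)[-TAG_LEN:]
    return {
        # The fault check does its job against inadvertent errors.
        "crc_detects_bit_error": crc_accept(bytes(noisy)) is None,
        # The CRC is public, so a changed payload gets a valid trailer
        # from anyone who knows the format.
        "crc_accepts_altered": crc_accept(crc_frame(altered)) == altered,
        # Without the key, neither reusing the old tag nor substituting an
        # unkeyed hash yields a tag the MAC receiver accepts.
        "mac_rejects_reused_tag": mac_accept(DEMO_KEY, altered + genuine_tag) is None,
        "mac_rejects_unkeyed_hash": mac_accept(
            DEMO_KEY, altered + hashlib.sha256(altered).digest()) is None,
        "mac_accepts_genuine": mac_accept(
            DEMO_KEY, mac_frame(DEMO_KEY, original)) == original,
    }


if __name__ == "__main__":
    for name, outcome in compare_checks().items():
        print(f"{name}: {outcome}")
```
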

| CASE-STUDY: ATTACKING AND SECURING A USV
We proceed by introducing motion control systems for underactuated USVs. On the basis of this, we show how we can spoof the heading and the position to cause predictable changes in the paths of USVs, illustrating that both are means of hijacking. We proceed by describing the technical implementation of the spoofing attacks. Finally, we show how cryptographic methods can be used as countermeasures to prevent such attacks.

| USV motion control
3 describe the vehicle velocity in the earth-fixed North-East-Down (NED) reference frame and the body-fixed frame, respectively. To control the USV, a motion control system consisting of three independent system blocks, guidance, navigation, and control, is usually used. Notably, many USVs have two controls, for example, a propeller and a rudder. Consequently, these USVs can only directly control u and ψ, that is, surge speed and yaw, and are, therefore, underactuated. The navigation system estimates the position, velocity, and attitude of the USV, for example, by using GNSS receivers and an Inertial Measurement Unit (IMU), and the guidance system uses these estimates and the desired path to compute the desired yaw and the desired surge speed of the USV. The control system then uses the estimates from the navigation system and the desired yaw and surge speed from the guidance system to allocate thrust to the actuators of the USV.
The signal flow between the GNC components is shown in

| Vehicle manipulation
Underactuated USVs usually solve the path following problem by defining a two-dimensional (2D) workspace consisting of along-track and cross-track errors and then using a line-of-sight (LOS) guidance law to minimize the cross-track error (Fossen, 2011, p. 258). Let the variables $\psi$, $\hat{\psi}$, and $\psi_d$ denote the true yaw, the estimated yaw, and the desired yaw of the vehicle, respectively.
+1 . Moreover, we consider a path-fixed reference frame, rotated by a positive angle $\alpha_k$ relative to the x-axis of the NED frame, whose origin is located in $p_k^n$ and whose x-axis is tangential to the path. The position of the USV in the path-fixed frame is computed as is a rotation matrix from the earth-fixed NED frame to the path-fixed frame. As such, the path-fixed s-coordinate describes the along-track distance, and the e-coordinate describes the cross-track error. Additional details are found in Fossen (2011, p. 258).
The desired yaw is given by c is the crab angle caused by currents and wind. Assuming the crab angle is slowly varying, it can be handled with integral action and set to zero (Borhaug et al., 2008). The desired yaw of the vehicle, assuming a lookahead-based LOS guidance system is used, is then given by where $\Delta s$ denotes the look-ahead distance to an intersection point $(x_{los}, y_{los})$ on the desired path to $p_{k+1}^n$ (Borhaug et al., 2008). Assuming an adversary manages to spoof the yaw angle by an offset $\Delta\psi$, we have where external disturbances are neglected. The yaw error used by the heading controller is then given by Consequently, the control system steers the yaw to $\psi = \psi_d - \Delta\psi$ to minimize (5). As such, the USV will pursue a path parallel to the desired path, with a cross-track error given by Hence, we see that adding an offset $\Delta\psi$ to the yaw results in a predictable change in the USV path. Similarly, if an adversary manages to spoof the position of the vehicle by an offset $(\Delta x, \Delta y)$, we have $(\hat{x}, \hat{y}) = (x + \Delta x, y + \Delta y)$, where external disturbances are neglected. Using (1), this translates to offsets in the path-fixed frame as Consequently, assuming a lookahead-based LOS guidance system is used, the guidance system seeks to steer the vehicle towards the desired heading sending the vehicle to x x y y . Illustrations of the expected behavior when the yaw or the position is spoofed are seen in Figure 3a,b, respectively.
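The closed-loop effect described above can be reproduced in a few lines of simulation. This Python sketch is an added example, not the paper's vehicle model: it assumes the standard lookahead law $\psi_d = \alpha_k + \arctan(-e/\Delta s)$ with zero crab angle, constant speed, a first-order yaw response with a hypothetical gain `k_psi`, and no disturbances. Under these assumptions a yaw offset settles at a cross-track error of $-\Delta s \tan(\Delta\psi)$, and a position offset settles at minus its cross-track component.

```python
import math


def wrap(angle):
    """Map an angle to the interval (-pi, pi]."""
    return math.atan2(math.sin(angle), math.cos(angle))


def path_frame_offset(dx, dy, alpha_k):
    """Rotate a NED position offset into along-track and cross-track offsets."""
    ds = dx * math.cos(alpha_k) + dy * math.sin(alpha_k)
    de = -dx * math.sin(alpha_k) + dy * math.cos(alpha_k)
    return ds, de


def simulate(yaw_offset=0.0, cross_track_offset=0.0, lookahead=5.0,
             speed=0.5, k_psi=1.0, dt=0.1, t_end=600.0):
    """Return the final true cross-track error and true yaw relative to the path.

    yaw_offset:         offset added to the yaw estimate [rad]
    cross_track_offset: cross-track component of a position offset [m]
    lookahead:          look-ahead distance [m] (assumed value)
    k_psi:              yaw response gain [1/s] (assumed first-order behavior)
    """
    e = 0.0        # true cross-track error [m]
    psi_rel = 0.0  # true yaw minus path angle alpha_k [rad]
    for _ in range(int(t_end / dt)):
        e_hat = e + cross_track_offset          # what guidance believes
        psi_hat = psi_rel + yaw_offset          # what the heading controller believes
        psi_d = math.atan2(-e_hat, lookahead)   # lookahead LOS law, path-relative
        psi_rel += k_psi * wrap(psi_d - psi_hat) * dt
        e += speed * math.sin(psi_rel) * dt     # true motion uses the true yaw
    return e, psi_rel


if __name__ == "__main__":
    # Reference run: no offsets, the vehicle stays on the path.
    print("reference:", simulate())

    # Fixed yaw offset of 1 rad (57.3 degrees, the value used in Experiment 1).
    e, psi = simulate(yaw_offset=1.0)
    print("yaw offset: e = %.3f m, expected %.3f m" % (e, -5.0 * math.tan(1.0)))

    # 10 m north offset on a path heading east (constructed geometry).
    _, de = path_frame_offset(10.0, 0.0, math.pi / 2)
    e, psi = simulate(cross_track_offset=de)
    print("position offset: e = %.3f m, expected %.3f m" % (e, -de))
```
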

| Injection attack
Assuming a distributed GNC architecture is used, we can connect a single-board computer to an insecure switch and use ARP spoof to redirect the traffic going from the navigation system to the guidance and control system. The computer then runs a script where the contents of the IP packets are analyzed. The IP packets that do not contain the navigation parameter of interest are passed through to the intended recipient, while the IP packets containing the navigation parameter are manipulated. This is possible since the content and the structure of the unencrypted messages are available to the adversary. We use the Python packages NFQUEUE (Fox, 2021) and SCAPY (Biondi, 2021) to intercept, inspect, manipulate, and retransmit IP packets.
In this case study, the IMC protocol is used to transmit messages.

| Securing the navigation data
To secure the navigation data against injection and replay attacks, we can use authenticated encryption with the addition of timestamps or sequence numbers. In our example, we add a fresh timestamp to the navigation data before both are encrypted. We then compute a MAC tag over the resulting ciphertext, the header of the message, and the IV. Upon reception, we recompute the MAC tag and decrypt the navigation data and the timestamp. If the recomputed and received tags match and the timestamp is fresh, the navigation data are accepted. An illustration of the signal flow with the proposed secure transmission and reception algorithms is shown in Figure 5, and pseudocodes for the secure transmitter and receiver are found in Algorithms 3 and 4, respectively. We use the authenticated encryption algorithm AEGIS, a cryptographically strong authenticated encryption algorithm that has been shown to provide excellent performance in software with negligible time delays (Volden et al., 2021). The AEGIS implementation used is publicly available and described by Solnør (2020).
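The transmit and receive steps described above can be sketched as follows. This is an added Python example, not the paper's Algorithms 3 and 4 and not the AEGIS implementation it cites: a SHAKE-256 keystream with an HMAC-SHA256 tag (encrypt-then-MAC) stands in for AEGIS so the block runs with the standard library only, and the header bytes, keys, payload, and 0.5 s freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

ENC_KEY = bytes(range(16))        # constructed demo keys, not for real use
MAC_KEY = bytes(range(16, 48))
HEADER_LEN, IV_LEN, TS_LEN, TAG_LEN = 4, 16, 8, 32
MAX_AGE_S = 0.5                   # assumed freshness window [s]


def _xor_keystream(key, iv, data):
    """Stand-in stream cipher: XOR with SHAKE-256(key || iv). Replaces AEGIS here."""
    stream = hashlib.shake_256(key + iv).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def secure_transmit(header, nav, now, iv=None):
    """Timestamp and encrypt the navigation data, then tag header, IV and ciphertext."""
    if len(header) != HEADER_LEN:
        raise ValueError("header must be %d bytes" % HEADER_LEN)
    iv = os.urandom(IV_LEN) if iv is None else iv   # fresh IV per message
    plaintext = struct.pack("<d", now) + nav
    ciphertext = _xor_keystream(ENC_KEY, iv, plaintext)
    tag = hmac.new(MAC_KEY, header + iv + ciphertext, hashlib.sha256).digest()
    return header + iv + ciphertext + tag


def secure_receive(packet, now):
    """Return (nav, "ok") for an authentic, fresh packet, else (None, reason)."""
    if len(packet) < HEADER_LEN + IV_LEN + TS_LEN + TAG_LEN:
        return None, "malformed"
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad tag"                      # injected or modified
    iv = body[HEADER_LEN:HEADER_LEN + IV_LEN]
    plaintext = _xor_keystream(ENC_KEY, iv, body[HEADER_LEN + IV_LEN:])
    (sent_at,) = struct.unpack("<d", plaintext[:TS_LEN])
    if abs(now - sent_at) > MAX_AGE_S:
        return None, "stale timestamp"              # authentic but replayed
    return plaintext[TS_LEN:], "ok"


def demo():
    """Genuine, modified and replayed packets as seen by the receiver."""
    header = b"NAV1"                                # hypothetical header bytes
    nav = struct.pack("<d", 1.0472)                 # constructed yaw sample [rad]
    packet = secure_transmit(header, nav, now=1000.0)

    modified = bytearray(packet)
    modified[HEADER_LEN + IV_LEN + TS_LEN] ^= 0x80  # flip one ciphertext bit

    return {
        "genuine": secure_receive(packet, now=1000.02),
        "modified": secure_receive(bytes(modified), now=1000.02),
        # The same valid packet delivered again after a 30 s delay.
        "replayed": secure_receive(packet, now=1030.0),
        "payload_hidden": nav not in packet,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The receiver checks the tag before decrypting, so modified packets are dropped without processing their contents; a replayed packet passes the tag check and is caught only by the authenticated timestamp, which is why the freshness window relies on synchronized clocks.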

| The NTNU Otter
The NTNU Otter is underactuated with fixed starboard and port thrusters mounted at the stern. The software and hardware architectures were designed and built at the Department of Engineering Cybernetics, NTNU, while the body, thrusters, batteries, and the power interface board were purchased from Maritime Robotics AS. A schematic of the hardware onboard the NTNU Otter is shown in Figure 7. We use the LSTS software toolchain, consisting of DUNE, the IMC protocol, and the Neptus Graphical User Interface (GUI), to control and interact with the vehicle.
DUNE is used for guidance, control, and navigation and to interface with hardware components, while the IMC protocol is used to transmit data between individual DUNE tasks. Finally, we use the Neptus GUI to interact with the vehicle by passing maneuvers to the guidance system or remote controlling the USV from the land station.

| Navigation system
The NTNU Otter uses two independent navigation systems. The first navigation system consists of an ADIS 16490 IMU (Analog Devices, 2021) and two U-blox F9P GNSS receivers (U-blox, 2021) with synchronized data acquisition through a SentiBoard (Senti Systems, 2021). The first GNSS receiver is configured as a "moving base" and receives raw GNSS data from an antenna mounted at the stern of the NTNU Otter and correction data from the RTK base. The second GNSS receiver is configured as a "rover" and receives raw GNSS data from an antenna mounted at the bow of the NTNU Otter and correction data from the moving base. As such, the rover finds the yaw of the USV. The second navigation system consists of an SBG Ellipse 2D INS (SBG Systems, 2021), which receives raw GNSS data from the stern and bow antennas and correction data from the base station.
For our experiments, the navigation data from the SBG Ellipse 2D was used in feedback control, while the navigation data from the SentiBoard was used as ground truth measurements for comparison.
Since the navigation systems receive corrections from the same base with centimeter precision, the navigation data produced are almost identical. As such, the effect of measurement noise is reduced to a minimum. The navigation system also contains vision-based sensors, Here, C t is a positive constant. To avoid problems with integral windup resulting in large overshoots, the integral action of the ILOS guidance law is only used when the USV is located within a certain distance from the desired path (Caharija, 2014). In practice, we use a cross-track distance of 2.5 m to determine whether integral action is enabled or not.

| Control system
The control system consists of a proportional-integral speed controller and a proportional heading controller. On the basis of the estimated state from the navigation system and the desired speed and yaw from the guidance system, the control system produces desired revolutions per minute of the starboard and port thrusters. The speed controller contains logic that disables the controller if the difference between desired and estimated yaw exceeds 36° to reduce the cross-track error following sharp turns. The control system also permits remote operation, in which manual control signals can be transmitted from a PlayStation 4 (PS4) controller connected to the remote control laptop. An illustration of the signal flow of the closed-loop system is shown in Figure 8.

| Synchronization
We use the Precision Time Protocol (PTP) to synchronize the hardware clocks onboard the NTNU Otter. With PTP, the devices are synchronized with sub-microsecond precision using a master-slave setup (Chaloupka et al., 2015). We configure the Beaglebone Black computer (Kridner et al., 2021) in the guidance and control system to be the master clock, and we configure the Jetson Xavier computer (Nvidia, 2021) in the navigation system to be the slave clock. The master clock derives the time from a GNSS receiver using the NMEA ZDA message, as shown in Figure 7. Furthermore, we use a SentiBoard for data synchronization. The SentiBoard is synchronized with Coordinated Universal Time (UTC) using a time-of-validity (TOV) signal, often referred to as the pulse per second, from the GNSS receivers. The IMU also produces a TOV each cycle, after which the SentiBoard reads and timestamps the IMU data, in hardware, with its internal clock. With this setup, the data are synchronized to UTC with a root-mean-squared clock drift of 1.9 μs/s (Albrektsen, 2018).

| Land station
The land station consists of a remote control computer running the Neptus GUI and an RTK base station that transmits corrections to the navigation system. We used the remote control computer to create and upload missions to the guidance system or control the vehicle manually with a PS4 controller. The RTK base station consists of a GNSS antenna, a U-blox F9P GNSS receiver, and a Beaglebone Black, as shown in Figure 9. We configured the GNSS receiver to estimate the phase of the GNSS carrier wave over 17 h before we conducted the experiments. This surveying procedure resulted in an absolute precision of 6 cm, negatively affected by a cruise ship that docked close to the GNSS antenna during the survey.

| Experimental description
We perform five field experiments to demonstrate the vulnerability of the distributed GNC system onboard the USV in the harbor environment. The desired paths of the vehicle during the experiments are shown in Figure 10. Experiments 1-4 are conducted with desired path 1, where the desired speed between WP1 1 and WP2 1 is set to 0.5 and 0.25 m/s in Experiments 1 and 2 and Experiments 3 and 4, respectively. Experiment 5 was conducted using desired path 2 with desired speed set to 0.5 m/s between the WPs.
We manipulate the vehicle by adding fixed offsets to the yaw and latitude estimates in Experiments 1 and 2, respectively. In Experiment 1, we alter the heading by adding a fixed offset of 57.3°, and in Experiment 2, we change the latitude by adding a fixed offset of approximately 10 m. Since large offsets are easy to detect, we also implement attacks where the yaw and latitude are changed by incremental offsets, slowly dragging the vehicle off course. Consequently, we manipulate the was lowered to 0.25 m/s for the incremental spoofing attacks to take effect over an extended period. In Experiments 1-4, we initiate the attacks when the vehicle is between WP1 1 and WP2 1 . We proceed by performing a replay attack in Experiment 5, where a sequence of encrypted and authenticated messages containing heading information from the navigation system is recorded and replayed with a 30-s delay to manipulate the vehicle. The vehicle heading is recorded between WP1 2 and WP2 2 and replayed just before the planned course change at WP2 2 . We use the second path in this experiment to see how the vehicle handles the planned course change while receiving delayed heading information.
We include three scenarios for each experiment. First, we execute a reference scenario to observe how well the vehicle follows the path while affected by environmental forces, such as winds and currents. We then perform an attack scenario to show how the USV is affected by the attack. Finally, we execute a secured scenario to see how well the added countermeasures protect the vehicle against the attacks.

| EXPERIMENTAL RESULTS
We present the results of the experiments by plotting the USV position during the attack scenario against the position of the vehicle in the reference scenario and the secured scenario. The manipulated parameter, that is, heading or position, is plotted against the true value of the parameter obtained by the redundant navigation system. When the heading is spoofed, we also plot the desired heading from the guidance system. At last, we show the effect of using the proposed secure transmitter and receiver, described in Algorithms 3 and 4.

| Experiment 1: Fixed heading spoof
The results from Experiment 1 are shown in Figure 11. Figure 11a shows how the vehicle deviates from the desired path, and

| Experiment 2: Fixed latitude spoof
The results from Experiment 2 are shown in Figure 12.

| Experiment 3: Incremental heading spoof
The results from Experiment 3 are shown in Figure 13. Figure 13a shows the paths of the vehicle in the three scenarios. The effect of The increasing deviation between the true and estimated heading of the vehicle is visible in Figure 13b. When the signal transmission is secured with authenticated encryption, the spoofing attack is detected and all spoofed messages are dismissed. Similar to Experiment 1, the vessel continues along its desired path; however, the heading oscillations are more pronounced because the USV operates without an updated heading estimate for an extended time period, as can be seen in Figure 13c.

| Experiment 4: Incremental latitude spoof
The results from Experiment 4 are shown in Figure 14. Figure 14a shows the paths of the vehicle in the three scenarios. We successfully drag the USV off course in the attack scenario by adding an incremental offset to the latitude estimate. We show this in Figure 14b, where we plot the true and the estimated path of the USV. When we secure the system using authenticated encryption, the spoofed messages are dismissed, and the vehicle enters an error state. Consequently, the mission is aborted.

| Experiment 5: Replay attack
The results from Experiment 5 are shown in Figure 15. Figure 15a shows the paths of the vehicle in the three scenarios. The replay attack is seen to cause a slightly delayed action compared with the reference path. Furthermore, Figure 15b shows that the replay attack successfully changes the estimated heading immediately before the USV reaches WP2 2 . When we secure the system by adding authenticated timestamps, the replayed messages are identified and  As shown from the desired and the true heading in Figure 15b, the replay attack resulted in delayed action of the heading controller.
This delay resulted in a slight change of the path. From Figure 15a, we also observed that the mission was fulfilled approximately 8 m before WP3 2 . Because of the planned course change in WP2 2 , the This resulted in a significant increase in surge speed u. Consequently, because of the increase in surge speed, the inequality (10) was satisfied early, and the path planner prematurely announced that the mission had been completed. In the reference path, the speed controller largely remained on, and the USV got much closer to WP3 2 before the path planner announced that the mission had been completed. Unfortunately, the distance between WP2 2 and WP3 2 was not sufficiently large to fully capture the consequence of the attack. Nevertheless, the attack successfully changed the estimated heading of the USV. When the communication was secured using Algorithms 3 and 4, the replay attack was immediately detected.
When messages with old timestamps were detected, and no fresh heading estimates were available, the USV aborted the mission and went into an error state instead of continuing along the desired path.
It is clear that when Algorithms 3 and 4 were used, the attacks still managed to take the USV out of service. However, when an adversary gains access to the transmission lines of the GNC system, DoS attacks are trivial to execute. Additionally, the proposed algorithms do not prevent delay attacks where the MiTM device merely delays messages instead of replaying them. However, actively steering the vehicle through such an attack with encrypted messages is highly unlikely since the device has no means of knowing the contents of the delayed messages. Consequently, we classify this as a DoS attack. Possible methods to detect such attacks range from comparing the interval between received messages with an expected value to comparing timestamps on received messages with the local clock. Importantly, keeping the USV in service should not be the goal. Instead, the important takeaway is that spoofed and replayed messages are detected and discarded such that the vehicle cannot actively be steered, that is, hijacked, by the adversary.
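The receiver-side behaviour discussed above (discard messages that fail authentication, reject old timestamps, compare timestamps with the local clock, and enter an error state when no fresh heading estimate arrives) is sketched below as an added Python example; it is not the paper's Algorithms 3 and 4. It uses HMAC-SHA256 for authentication only instead of authenticated encryption, and the key, message layout, `MAX_AGE`, `TIMEOUT`, and synchronized transmitter and receiver clocks are assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed pre-shared key (assumption)
MAX_AGE = 0.5   # s, assumed tolerance between timestamp and local clock
TIMEOUT = 2.0   # s without an accepted estimate before aborting (assumed)

def seal(key, timestamp, heading_deg):
    """Transmitter: pack timestamp and heading, append an HMAC-SHA256 tag."""
    body = struct.pack(">dd", timestamp, heading_deg)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key, start):
        self.key, self.heading = key, None
        self.last_ts = float("-inf")  # newest accepted timestamp
        self.last_ok = start          # local time of last accepted message

    def receive(self, msg, now):
        if len(msg) != 48:            # 16-byte body + 32-byte tag
            return "spoofed"
        body, tag = msg[:16], msg[16:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return "spoofed"          # modified or forged: tag does not verify
        ts, heading = struct.unpack(">dd", body)
        if ts <= self.last_ts:
            return "replayed"         # timestamp already seen or older
        if abs(now - ts) > MAX_AGE:
            return "stale"            # authentic but withheld too long
        self.last_ts, self.last_ok, self.heading = ts, now, heading
        return "accepted"

    def state(self, now):
        """Watchdog: abort when no fresh estimate arrived within TIMEOUT."""
        return "error" if now - self.last_ok > TIMEOUT else "ok"

def run_demo():
    """Constructed message sequence; returns verdicts, final state, heading."""
    rx = Receiver(KEY, start=0.0)
    first = seal(KEY, 0.0, 90.0)
    forged = struct.pack(">dd", 0.1, 90.0 + 57.3) + seal(KEY, 0.1, 90.0)[16:]
    return [
        rx.receive(first, now=0.01),                 # live message
        rx.receive(forged, now=0.11),                # heading offset, old tag
        rx.receive(seal(KEY, 0.2, 91.0), now=0.21),  # live message
        rx.receive(seal(KEY, 0.3, 92.0), now=5.0),   # delayed by MiTM device
        rx.receive(first, now=30.0),                 # replay after 30 s
        rx.state(now=30.0),
        rx.heading,
    ]
```

The heading estimate stays at the last authenticated value (91.0) throughout, so the receiver ends in the error state without ever being steered by the forged, delayed, or replayed messages.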

DATA AVAILABILITY STATEMENT
The data that support the findings of this study are available from the corresponding author upon reasonable request.