What IMO framework governs cybersecurity for MASS autonomous vessels?

IMO maritime cyber risk management derives from MSC-FAL.1/Circ.3 (Maritime Cyber Risk Management Guidelines, 2017) and Resolution MSC.428(98) (mandatory under ISM Code from January 2021). MASS cybersecurity is addressed by IMO MSC.1/Circ.1604 (MASS Trials Guidelines, 2019) and IACS UR E26/E27 (Cyber Resilience of Ships, mandatory for ships contracted from January 2024). UR E27 Section 3 covers software update integrity and remote access but does not address AI adversarial robustness for MASS perception systems.

Can AIS cross-checking detect adversarial ARPA display injection?

AIS cross-checking provides partial mitigation only for AIS-equipped targets. Small fishing vessels, recreational craft below 300 GT, and vessels with AIS transponders off are not AIS-traceable. Additionally, the adversarial injection that suppresses an AI collision risk flag for a specific target removes the automation that would trigger the officer to initiate AIS cross-checking for that target. Manual radar re-plotting for CPA/TCPA is a 3-5 minute process per target, impractical in coastal transits with 15-25 simultaneous ARPA targets.

How do IACS UR E26/E27 apply to port terminal AI anti-collision systems?

IACS UR E26/E27 are vessel-centric class rules covering onboard systems, and do not apply to shore-side port terminal AI anti-collision systems (ASC, STS crane, AGV). Port terminal AI falls under EU NIS2 Directive (for EU critical infrastructure port operators), ISO/IEC 27001, and OSHA machinery safety standards (ISO 3691-4). The adversarial ML robustness gap exists in both vessel (UR E27) and terminal (NIS2) frameworks.

What is the adversarial injection surface for VTS fusion AI vs standalone ARPA?

VTS AI processes a composite ECDIS-style overlay fusing AIS track, radar track, and camera-detected vessel bounding box — a multi-source redundancy that provides partial resilience against single-source adversarial suppression. However, a perturbation targeting the rendered fusion display's track correlation output (rather than individual source symbols) can suppress the fused track for non-AIS-cooperative vessels in ambiguous radar clutter environments — exactly the high-value non-cooperative vessel scenario VTS AI was deployed to address.

ARPA radar collision avoidance AI · MASS autonomous vessel perception · AIS-camera fusion AI · port terminal crane AI · IMO SOLAS / MSC

Prompt injection in maritime autonomous navigation AI

Q: How does adversarial injection in ARPA AI differ from GPS spoofing?

GPS spoofing targets the raw GNSS signal at the receiver, corrupting position inputs before visualization. Adversarial injection in ARPA AI targets the rendered PPI display image of correct radar measurements — after accurate CPA/TCPA computation from raw radar returns, before the AI collision risk classifier receives the display image. Radar measurements are accurate; the attack operates between the render step and the AI classification step. GPS spoofing is detected by RAIM and AIS cross-checking; ARPA AI injection requires runtime scan gates at the image classification boundary.

Global seaborne trade moves approximately 11 billion tonnes of cargo annually across 50,000+ commercial ships, operating under the International Maritime Organization’s (IMO) Convention on the International Regulations for Preventing Collisions at Sea (COLREGs) and the Safety of Life at Sea (SOLAS) Convention — the foundational regulatory frameworks that govern vessel navigation, collision avoidance, and safety systems in international waters. The maritime industry’s progressive adoption of artificial intelligence spans four distinct operational domains: Automatic Radar Plotting Aid (ARPA) radar AI for AI-assisted collision avoidance decision support, Maritime Autonomous Surface Ship (MASS) multi-sensor perception for autonomous vessel navigation at IMO MASS Degrees 2 and 3, Automatic Identification System (AIS) and camera sensor fusion AI for traffic management in port approaches and Vessel Traffic Services (VTS) zones, and port terminal automated stacking crane (ASC) and automated guided vehicle (AGV) anti-collision vision AI in container terminal operations. The IMO’s Maritime Safety Committee has progressed the MASS regulatory framework through MSC.1/Circ.1604 (Guidelines for MASS Trials, 2019) and the Regulatory Scoping Exercise for MASS (MSC 102, 2020), establishing the pathway toward mandatory MASS regulations expected under SOLAS Chapter V amendment by 2028–2030. At each layer of this maritime AI architecture, rendered radar plot displays, synthetic ECDIS chart overlays, camera and lidar perception frames, and crane anti-collision camera images are processed at AI classification boundaries that are exposed to adversarial pixel perturbation — creating adversarial injection surfaces within safety-critical maritime infrastructure operating under IACS (International Association of Classification Societies) Unified Requirements for Cyber Resilience (UR E26/E27).

TL;DR

Maritime ARPA radar AI, MASS autonomous vessel perception AI, AIS-camera fusion AI, and port terminal crane anti-collision AI all process rendered images at AI classification boundaries within IMO SOLAS regulatory environments. Adversarially crafted images can suppress COLREGS Rule 8 collision avoidance alerts, corrupt vessel track displays on ECDIS overlays, and disable crane anti-collision functions in container terminals — at a threshold of 40 across all maritime autonomous navigation AI contexts. Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in maritime autonomous navigation AI

1. ARPA radar AI — COLREGS Rule 8 collision avoidance decision support

Automatic Radar Plotting Aid (ARPA) systems — integrated into ship navigation bridges by Furuno FAR-3220/3230, JRC JMA-5300 series, Kongsberg K-Bridge, and Wärtsilä Voyage systems — have incorporated AI-based collision avoidance decision support that assists bridge officers in evaluating COLREGs-compliant manoeuvres for developing traffic situations. The ARPA AI processes the rendered radar plot display — a synthetic plan-position indicator (PPI) showing tracked vessel targets as ARPA vector plots with course-over-ground (COG) and speed-over-ground (SOG) velocity vectors, closest point of approach (CPA) and time to CPA (TCPA) parameter annotations, and collision risk shading overlaid on a range-azimuth grid — through a neural network that classifies each tracked target’s collision risk level and generates a ranked list of COLREGS-compliant avoiding action recommendations. The ARPA AI’s output directly informs the officer of the watch’s collision avoidance decision-making, and in MASS Degree 2 systems (remote operation with onboard automation), it drives the automated manoeuvring recommendation pipeline that the remote operator approves or overrides.

A structured adversarial perturbation on the rendered ARPA PPI display — a pixel-level modification that compresses the displayed velocity vector of a fast-approaching target (vessel with high SOG on a converging course) to appear shorter than its true magnitude — causes the ARPA AI to compute a lower closing speed for the target, extending the computed TCPA beyond the collision risk alert threshold and suppressing the collision avoidance alert for the developing risk situation. In a Strait of Malacca transit — one of the world’s highest-traffic chokepoints handling 90,000+ vessel transits annually with mandatory Traffic Separation Scheme (TSS) compliance under COLREGS Rule 10 and IMO Resolution A.827(19) — a suppressed ARPA collision alert in a complex multi-ship situation (overtaking, head-on, and crossing situations simultaneously present in the traffic picture) removes the primary automated decision-support mechanism for COLREGS Rule 8 action timing, leaving the bridge officer to independently identify and assess the converging target without AI assistance in a visual and radar scanning environment already saturated with traffic. The SOLAS Chapter V Regulation 19 requirements mandate fitted ARPA on vessels of 500 gross tonnage and above in international voyages; the IMO Resolution A.823(19) specifies ARPA performance standards but does not address AI decision-support adversarial robustness.

2. MASS autonomous vessel perception — multi-sensor fusion and obstacle classification

Maritime Autonomous Surface Ships at IMO MASS Degree 2 (remotely controlled with seafarers onboard) and Degree 3 (remotely controlled without seafarers onboard) — including Kongsberg’s Yara Birkeland zero-emission container vessel, Wärtsilä’s IntelliTug autonomous tug platform, Rolls-Royce (now Kongsberg) INTELLISHIP autonomous ship management, and the EU AUTOSHIP project vessels — deploy multi-sensor perception systems that fuse GNSS positioning, ARPA radar tracks, LIDAR point cloud scans, and high-definition EO/IR camera feeds into a unified situational awareness picture. The perception AI processes rendered sensor fusion visualizations — synthetic overhead views of the vessel’s operational environment with detected obstacles, tracked vessels, navigational hazards (floating debris, uncharted rocks, other small craft), and COLREGS-relevant targets represented as classified bounding boxes on a fused radar/camera/lidar background — through a real-time obstacle classification network that assigns each detected object a category (vessel, buoy, pier structure, floating debris, small craft, person-in-water) and a collision risk score.

An adversarial perturbation on the rendered MASS perception fusion visualization — a structured pixel modification that degrades the visual bounding box confidence of a small craft (fishing vessel, recreational motorboat) approaching on an intersecting course from the MASS vessel’s starboard side — can cause the MASS obstacle classification AI to misclassify the small craft as floating debris, assigning a lower collision risk score and suppressing the COLREGS Rule 15 (crossing situations: stand-on and give-way vessel obligations) collision avoidance manoeuvre recommendation. MASS autonomous vessels are designed with COLREGs compliance as a certification prerequisite under the IMO MASS Regulatory Scoping Exercise; an adversarially induced COLREGs Rule 15 violation in a confined coastal waterway — the operational profile of the Yara Birkeland in the Borg Fjord, Norway, or an IntelliTug in a port approach channel — creates both a collision risk and a flag-state regulatory liability under SOLAS Chapter XI-2 and the ISM Code (International Safety Management Code).

3. AIS-camera sensor fusion AI — VTS traffic management and port approach

Vessel Traffic Services (VTS) systems operated by port authorities at major container ports — Port of Rotterdam’s PortMaster AI, Port of Singapore’s VTMS AI, Hamburg Port Authority’s DIVA AI, and Port of Los Angeles’s COMPASS system — fuse AIS transponder position reports with radar tracks and CCTV/IR camera imagery to generate an integrated port traffic management picture. The VTS AI processes rendered sensor fusion displays — synthetic ECDIS-style chart overlays showing vessel AIS tracks, radar plots, camera-identified vessel positions, and designated anchorage, fairway, and restricted area zones — through an AI traffic anomaly detection and conflict prediction engine that generates early warnings for crossing situations, unsafe speed in traffic separation zones, and vessels approaching restricted areas. The AIS-camera fusion layer also supports port authority VTIS (Vessel Traffic Information Service) broadcasts to approaching vessels under IMO Resolution A.857(20), alerting masters to developing traffic situations in port approach channels.

An adversarial perturbation on the rendered VTS sensor fusion display image — suppressing the track symbol for a vessel that has deviated from its declared route and is now on a collision course with a departing VLCC (Very Large Crude Carrier) in the port’s main fairway — prevents the VTS AI from generating the traffic conflict alert that would trigger a VTIS broadcast to the VLCC master. The Rotterdam Europoort fairway handles more than 30,000 sea-going vessel transits per year in a 2-nautical-mile wide channel with multiple parallel traffic streams; adversarial suppression of a VTS conflict alert in this environment removes the primary shore-based early warning function that supplements onboard ARPA-based collision avoidance. A VTS fairway deviation incident in confined port approach waters is a significant marine casualty risk under the IMO Casualty Investigation Code (MSC-MEPC.3/Circ.4).

4. Port terminal automated crane and AGV anti-collision AI

Automated container terminals — APM Terminals Maasvlakte II (Rotterdam), HHLA Container Terminal Altenwerder (Hamburg), Qingdao Port fully automated terminal (China), and PSA Singapore Pasir Panjang Terminal T5 — deploy automated stacking cranes (ASC), ship-to-shore (STS) crane automation, and automated guided vehicles (AGV) in high-density container handling operations. The crane and AGV anti-collision AI processes camera feeds from CCTV arrays and crane-mounted vision systems — rendered overhead views of the terminal operating area with container positions, AGV track positions, personnel-detected zones, and crane operating radii represented as classified objects on a facility map — through a real-time anti-collision classification network that detects personnel intrusion into crane operating zones, AGV path conflicts, and container stack instability. The anti-collision AI directly controls crane operating zone lockouts and AGV path modifications that prevent collisions between cranes, AGVs, and personnel in an operating environment where crane lift weights reach 60–80 tonnes and AGV collision with personnel is a fatal incident.

An adversarial perturbation on the rendered terminal camera view — a pixel modification that suppresses the person-detection bounding box for a maintenance technician who has entered an AGV operating zone without completing the terminal safety check-in procedure — prevents the anti-collision AI from triggering the zone lockout that would halt AGV movement in that lane. IACS UR E27 (Cyber Resilience of Ships) establishes the cyber resilience framework for port equipment connected to vessel management systems; port terminal AI anti-collision systems operating under ISO 3691-4 (Industrial trucks — Safety requirements for driverless industrial trucks) and OSHA 29 CFR 1917.45 (Cranes and derricks used in maritime operations) face the same adversarial injection gap as ICS AI — existing cybersecurity standards address network security but not rendered image AI adversarial robustness at the vision classification boundary.

Integration: maritime AI image scanning with Glyphward pre-scan gate

The Glyphward scan gate for maritime autonomous navigation AI belongs at the rendered image ingestion boundary before each AI classification step — before ARPA AI processes the rendered PPI display, before MASS perception AI processes the sensor fusion visualization, before VTS AI processes the ECDIS chart overlay, and before port terminal anti-collision AI processes the camera frame. Threshold 40 across all maritime autonomous navigation AI contexts reflects the commercial shipping consequence environment. The implementation uses JSONL audit logging referencing IMO SOLAS Chapter V, IACS UR E27, and COLREGs.

import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# All maritime autonomous navigation AI contexts: threshold 40
# IMO SOLAS Chapter V and IACS UR E27 apply.
MARITIME_AI_THRESHOLD = 40


class MaritimeAIContext(Enum):
    ARPA_COLLISION_AVOIDANCE  = "arpa_collision_avoidance"  # ARPA AI CPA/TCPA display
    MASS_PERCEPTION           = "mass_perception"           # MASS multi-sensor fusion AI
    VTS_TRAFFIC_MANAGEMENT    = "vts_traffic_management"    # VTS AIS-camera fusion AI
    PORT_CRANE_ANTI_COLLISION = "port_crane_anti_collision" # Terminal crane/AGV safety AI


class AdversarialMaritimeImageError(Exception):
    """Raised when Glyphward detects adversarial pixel content in a
    maritime autonomous navigation AI image above threshold 40.

    Consequence if not raised: COLREGS collision avoidance alert suppressed,
    MASS obstacle misclassified, VTS conflict alert missed, or terminal
    anti-collision zone lockout bypassed.
    """

    def __init__(self, scan_id: str, score: int, context: MaritimeAIContext,
                 vessel_id: str, flagged_region: dict | None = None) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.vessel_id = vessel_id
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial maritime AI image: "
            f"context={context.value} score={score} vessel={vessel_id} scan_id={scan_id}"
        )


async def scan_maritime_ai_image(
    image_bytes: bytes,
    context: MaritimeAIContext,
    vessel_id: str,
    position_wgs84: tuple[float, float],
    frame_timestamp: str,
    client: httpx.AsyncClient,
) -> dict:
    """Scan a maritime autonomous navigation AI image for adversarial content.

    Args:
        image_bytes: Rendered ARPA PPI display, MASS perception visualization,
            VTS ECDIS overlay, or terminal camera frame bytes.
        context: MaritimeAIContext identifying the maritime AI pipeline.
        vessel_id: IMO number or MMSI of the vessel or terminal facility.
        position_wgs84: (latitude, longitude) in decimal degrees at time of scan.
        frame_timestamp: ISO 8601 image capture or render timestamp.
        client: Shared httpx.AsyncClient for connection reuse.

    Returns:
        Glyphward scan result dict.

    Raises:
        AdversarialMaritimeImageError: if score exceeds threshold 40.
        httpx.HTTPStatusError: on Glyphward API error (fail-closed).
    """
    image_hash = hashlib.sha256(image_bytes).hexdigest()
    payload = {
        "image": base64.b64encode(image_bytes).decode(),
        "source": f"maritime_ai:{context.value}:{vessel_id}",
        "metadata": {
            "vessel_id": vessel_id,
            "lat": position_wgs84[0],
            "lon": position_wgs84[1],
            "frame_timestamp": frame_timestamp,
            "image_sha256": image_hash,
            "context": context.value,
        },
    }
    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json=payload,
        timeout=4.0,
    )
    resp.raise_for_status()
    result = resp.json()

    await _write_maritime_scan_audit(
        image_hash=image_hash,
        scan_id=result["scan_id"],
        score=result["score"],
        context=context,
        vessel_id=vessel_id,
        position_wgs84=position_wgs84,
        frame_timestamp=frame_timestamp,
        flagged=result["score"] > MARITIME_AI_THRESHOLD,
    )

    if result["score"] > MARITIME_AI_THRESHOLD:
        raise AdversarialMaritimeImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            vessel_id=vessel_id,
            flagged_region=result.get("flagged_region"),
        )
    return result


async def _write_maritime_scan_audit(
    *, image_hash: str, scan_id: str, score: int,
    context: MaritimeAIContext, vessel_id: str,
    position_wgs84: tuple[float, float], frame_timestamp: str, flagged: bool,
) -> None:
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "scan_id": scan_id,
        "image_sha256": image_hash,
        "context": context.value,
        "score": score,
        "threshold": MARITIME_AI_THRESHOLD,
        "flagged": flagged,
        "vessel_id": vessel_id,
        "lat": position_wgs84[0],
        "lon": position_wgs84[1],
        "frame_timestamp": frame_timestamp,
        "regulatory_refs": [
            "IMO SOLAS Chapter V (Safety of Navigation)",
            "COLREGs 1972 Rule 8 (Action to Avoid Collision)",
            "IMO MSC.1/Circ.1604 (MASS Trials Guidelines)",
            "IACS UR E26/E27 (Cyber Resilience of Ships)",
            "IMO Resolution A.857(20) (VTS Guidelines)",
            "IMO Casualty Investigation Code MSC-MEPC.3/Circ.4",
        ],
    }
    audit_path = Path("/var/log/glyphward/maritime_ai_scan_audit.jsonl")
    audit_path.parent.mkdir(parents=True, exist_ok=True)
    with audit_path.open("a") as fh:
        fh.write(json.dumps(record) + "\n")

Deploy scan_maritime_ai_image at each maritime AI image ingestion boundary: before ARPA collision avoidance AI (threshold 40), before MASS perception AI (threshold 40), before VTS traffic management AI (threshold 40), and before port terminal anti-collision AI (threshold 40). On AdversarialMaritimeImageError or any Glyphward API error: fail-closed — suppress the AI alert output and revert to the appropriate safe navigation mode (officer of the watch independent radar plotting; MASS vessel reduced-speed standby mode with remote operator advisory; VTS radio broadcast alert without AI classification; terminal crane emergency stop and zone lockout). Log all events with IMO SOLAS Chapter V and IACS UR E27 references for flag-state incident reporting. Get early access

Related questions

How does adversarial injection in ARPA AI differ from GPS spoofing attacks on maritime navigation?

GPS spoofing attacks — the attack class demonstrated in the 2017 Black Sea GPS spoofing incidents documented by the US Maritime Administration and the Resilient Navigation and Timing Foundation, where AIS position records showed vessels teleporting to Gelendzhik Airport rather than their actual Black Sea positions — target the raw GNSS signal at the receiver, corrupting the position input that feeds ECDIS chart plotting and AIS transponder broadcasts. GPS spoofing operates at the signal layer and corrupts the underlying position data before any visualization or AI processing occurs. Adversarial injection in ARPA AI operates at a different layer: it targets the rendered display visualization of correct radar measurements, after the ARPA system has correctly computed target range, bearing, CPA, and TCPA from raw radar returns. The radar measurements of the converging target vessel are accurate; the adversarial attack corrupts the rendered PPI display image that the ARPA AI processes for collision risk classification. This distinction means that GPS spoofing and ARPA AI adversarial injection require different detection approaches: GPS spoofing is detected by receiver autonomous integrity monitoring (RAIM) and cross-checking with AIS; ARPA AI injection requires runtime scan gates at the image classification boundary.

What IMO framework governs cybersecurity requirements for MASS autonomous vessels?

The IMO’s maritime cyber risk management framework derives from two primary instruments: MSC-FAL.1/Circ.3 (Guidelines on Maritime Cyber Risk Management, 2017), which establishes the functional framework for cyber risk management in ship safety management systems under the ISM Code (International Safety Management Code, SOLAS Chapter IX), and Resolution MSC.428(98) (Maritime Cyber Risk Management in Safety Management Systems, 2017), which made cyber risk management a mandatory flag-state enforcement requirement under ISM Code SMS annual audits from January 2021. For MASS specifically, IMO MSC.1/Circ.1604 (Guidelines for MASS Trials, 2019) and the Regulatory Scoping Exercise outputs from MSC 102 (2020) address cybersecurity in the MASS operational context, including the requirement that MASS autonomous systems demonstrate cyber resilience equivalent to the IACS UR E26 (Cyber Resilience of Ships) and UR E27 (Cyber Resilience of On-board Systems and Equipment) standards adopted by ABS, Bureau Veritas, Lloyd’s Register, DNV, and ClassNK as class rules from January 2024. UR E27 Section 3 covers software update integrity and remote access security but does not address AI adversarial robustness for MASS perception systems — the normative gap that a Glyphward scan gate fills at the MASS perception AI image boundary.

Can adversarial ARPA display injection be detected by cross-checking with AIS or radar raw data?

AIS cross-checking provides a partial mitigation for ARPA display adversarial injection only when the target vessel is AIS-equipped and transmitting. IMO SOLAS Chapter V Regulation 19.2.4 mandates AIS Class A transponders on all ships of 300 gross tonnage and above in international voyages; recreational vessels, small commercial craft below 300 GT, and fishing vessels below 300 GT do not carry AIS Class A and may carry only optional Class B transponders or no AIS at all. A converging small fishing vessel or recreational motorboat — the vessel categories most likely to appear as collision risk in coastal and port approach traffic — may not generate an AIS track to cross-check against the adversarially perturbed ARPA display. Additionally, AIS cross-checking is an additional cognitive load on the bridge officer that requires manually correlating the ARPA display with the AIS overlay — a process that the ARPA AI decision support was specifically designed to automate so that the officer can manage multiple simultaneous targets. The adversarial injection that suppresses the AI’s collision risk flag for a specific target also removes the automation that would trigger the officer to initiate AIS cross-checking for that specific target. Raw radar data cross-checking requires the officer to re-run the ARPA target acquisition and CPA/TCPA computation manually — a 3–5 minute process per target that is impractical in a high-traffic coastal transit with 15–25 simultaneous ARPA targets.

How do IACS UR E26 and UR E27 cyber resilience requirements apply to port terminal AI anti-collision systems?

IACS UR E26 (Cyber Resilience of Ships) and UR E27 (Cyber Resilience of On-board Systems and Equipment) were adopted as mandatory class rules by IACS member societies (ABS, Bureau Veritas, Lloyd’s Register, DNV, ClassNK, RINA, NK, CCS) for ships contracted for construction on or after 1 January 2024. UR E26 covers the ship-level cyber resilience management framework (equivalent to IEC 62443-2-1 for the maritime domain), while UR E27 covers the system-level security requirements for specific onboard systems including navigation, propulsion, and safety systems. Port terminal AI anti-collision systems — deployed on automated stacking cranes, ship-to-shore cranes, and AGV fleets — are shore-side infrastructure rather than onboard ship systems, and therefore fall outside the UR E26/E27 scope, which is vessel-centric. Port terminal AI anti-collision systems are governed by the port terminal operator’s own cybersecurity management system under the NIS2 Directive (Directive 2022/2555) for EU port operators designated as critical infrastructure entities, ISO/IEC 27001 information security management, and OSHA/national occupational safety regulations for machinery safety (ISO 3691-4). The adversarial ML robustness gap — the absence of normative requirements for AI classification image integrity — exists in both the vessel (UR E27) and terminal (NIS2/ISO 27001) frameworks equally.

What is the adversarial injection surface for VTS AIS-camera fusion AI compared to standalone ARPA?

VTS AIS-camera fusion AI operates on a composite sensor fusion visualization that combines AIS track data (vessel identity, position, COG/SOG from Class A transponders), radar tracks from VTS shore-based radar (X-band and S-band radar arrays covering the port approach fairway), and CCTV/IR camera imagery of the port approach channel and fairway. The adversarial injection surface for VTS AI is the rendered ECDIS-style chart overlay that fuses these three data sources — a more complex rendered visualization than the standalone ARPA PPI display, because VTS AI processes a multi-source overlay where the same vessel may appear as three overlapping symbols (AIS position, radar track centroid, camera-detected vessel bounding box). An adversarial perturbation that suppresses the camera-detected vessel bounding box for a specific target while leaving the AIS and radar symbols intact may still allow the VTS AI to detect the vessel via the remaining two data sources — providing a partial multi-source redundancy that standalone ARPA lacks. However, a more sophisticated adversarial perturbation that targets the rendered fusion display’s track correlation output — the composite fused track symbol rather than any individual source symbol — can suppress the fused track for a vessel whose AIS transponder is off (non-cooperative vessel) and whose radar track is ambiguous due to sea clutter in the port approach channel. This non-cooperative vessel scenario is precisely the traffic management challenge that VTS AI was deployed to address, and the adversarial injection surface is largest for exactly these non-AIS-cooperative targets.