
The Depth of the Threat: Securing the Internet of Underwater Things (IoUT)

SHILPI MONDAL | DATE: FEBRUARY 18, 2026



It is a humbling reality that we currently possess more detailed topographical maps of the lunar surface and Mars than we do of our own ocean floors. Yet, the race to digitize the deep is well underway. The Internet of Underwater Things (IoUT) extends our terrestrial connectivity into the 71% of the Earth’s surface covered by water, creating a complex network of intelligent sensors, Autonomous Underwater Vehicles (AUVs), and surface gateways.


What keeps enterprise IT leaders up at night isn't some abstract thought experiment; it's the infrastructure that entire operations live or die by. Think about what's actually at stake: an oil rig sitting alone miles offshore, a tsunami warning system racing against the clock, a military border that can never go dark. When any of these fail, people notice, and not in a boardroom. Slapping old cybersecurity solutions onto these environments and calling it a day isn't a strategy. It's wishful thinking.


The thing is, water changes everything. The physics down here operate by a completely different set of rules than anything we deal with on land. If our security thinking doesn't account for that, we're already behind.


The Physics Gap: Why Terrestrial Protocols Fail


On land, we barely think twice about connectivity. Wi-Fi and 5G are just there: fast, reliable, invisible. They work because electromagnetic waves, radio frequency signals, travel through air with ease. Put those same signals underwater, though, and seawater's high conductivity kills them almost instantly. We're talking less than 10 meters before they're gone. That's why the Internet of Underwater Things runs on acoustic waves (sound) for anything needing to travel a real distance.


This shift introduces a massive security vulnerability: latency.

 

While light travels at 3 × 10^8 m/s, sound in water crawls at roughly 1,500 m/s. According to a 2025 analysis on underwater security, this propagation delay is five orders of magnitude slower than what we deal with on land.

 

For a CISO, this is a nightmare. Traditional challenge-response authentication mechanisms, the "handshakes" that verify identity, often time out or become susceptible to replay attacks. This creates problems that don't have easy answers. An attacker can intercept a verification request, sit on it, and replay it later, and the system may well accept it, because long delays are just part of the environment. Nobody raises an eyebrow at lag down here. And then there's the bandwidth problem. Research on underwater communication paints a pretty bleak picture: data rates falling below 500 bps at long range. When your entire pipeline is that thin, you simply cannot afford the overhead that comes with heavy encryption certificates. The math doesn't work.
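One way to keep a challenge-response exchange replay-resistant despite acoustic lag is to make each nonce single-use and to accept an answer only inside the round-trip window that the speed of sound allows for the node's known range. The sketch below is an added example, not code from the article or from any IoUT product; the class and function names, the 8-byte nonce and tag sizes, the slack and processing allowances, and the demo key are all assumptions.

```python
import hashlib
import hmac
import secrets

SOUND_SPEED = 1500.0  # m/s, the approximate figure quoted in the article


def rtt_window(range_m, processing_s=0.5, slack=0.2):
    """Plausible (min, max) round-trip time for a node at a known range."""
    rtt = 2 * range_m / SOUND_SPEED
    return rtt * (1 - slack), rtt * (1 + slack) + processing_s


def airtime_s(num_bytes, bps):
    """Seconds of channel time needed to send num_bytes at bps."""
    return num_bytes * 8 / bps


def respond(key, nonce, tag_len=8):
    """Node side: truncated HMAC over the nonce (tag_len is an assumption)."""
    return hmac.new(key, b"iout-auth" + nonce, hashlib.sha256).digest()[:tag_len]


class Verifier:
    def __init__(self, key, range_m):
        self.key = key
        self.lo, self.hi = rtt_window(range_m)
        self.pending = {}  # nonce -> time the challenge was sent

    def challenge(self, now):
        nonce = secrets.token_bytes(8)
        self.pending[nonce] = now
        return nonce

    def verify(self, nonce, tag, now):
        sent = self.pending.get(nonce)
        if sent is None:
            return "unknown-or-reused-nonce"
        if not hmac.compare_digest(tag, respond(self.key, nonce)):
            return "bad-tag"  # nonce stays pending so garbage cannot burn it
        del self.pending[nonce]  # single use: a replayed answer now fails
        if not self.lo <= now - sent <= self.hi:
            return "outside-rtt-window"  # held back, or answered too early
        return "ok"


if __name__ == "__main__":
    v = Verifier(b"constructed-demo-key", range_m=3000.0)  # constructed values
    n = v.challenge(now=0.0)
    print(v.verify(n, respond(v.key, n), now=4.3))   # on-time answer
    print(v.verify(n, respond(v.key, n), now=90.0))  # same answer replayed
```

The window only works when the verifier has an independent estimate of the node's range; `airtime_s` shows what the 16 bytes of nonce and tag cost on a 500 bps link.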

 

Mapping the Submerged Threat Landscape

 

The IoUT architecture typically follows a hierarchical structure: a Perception Layer (sensors/AUVs), a Network Layer (acoustic modems/routers), and an Application Layer (cloud analytics). Each level offers a distinct entry point for adversaries.


1) The Jamming and Battery Drain

At the physical layer, the threat is often blunt force. Acoustic jamming is a primitive but effective Denial of Service (DoS) attack. Because underwater nodes run on battery power and cannot be easily recharged, attackers can exploit the Medium Access Control (MAC) layer. By repeatedly triggering "collisions" during data transmission, they force the legitimate node to retransmit data over and over. At the physical layer, acoustic jamming creates a nasty chain reaction. Deliberate interference triggers repeated collisions, nodes keep retransmitting packets, and all of that burns energy that simply cannot be replaced. These aren't devices you can just plug in or swap out; they run on batteries sitting at the bottom of the ocean. Research confirms that retransmissions and protocol overhead eat through that energy at a meaningful rate, even if the exact numbers vary. The end result is the same: a shorter lifespan, and a node that goes dark long before it should.

 

2) The Wormhole and Sinkhole

The network layer is where things get genuinely clever, and genuinely dangerous. Take the Wormhole Attack. Two malicious nodes establish a fast, out-of-band link between them (think a wired connection running between two submerged adversaries) and use it to tunnel packets across the acoustic network. The result is that distant nodes start believing they're neighbors. The topology of the entire network gets quietly, invisibly redrawn.


Similarly, a "Sinkhole Attack" involves a compromised node advertising itself as the fastest route to the surface gateway. As described in comprehensive routing vulnerability studies, once the traffic is lured into this black hole, the data can be altered or discarded.

 

3) Data Spoofing: The Industrial Risk

The most dangerous threats may lie in the Application Layer. Consider an offshore drilling operation. If an attacker successfully executes a man-in-the-middle attack, they could inject false pressure readings. As noted in reviews of IoUT systematic risks, this could mislead operators into shutting down production unnecessarily or, worse, mask a catastrophic leak until it’s too late.


Engineering Trust in the Deep


So what's the move? You can't trust the medium, you can't easily reach the hardware when things go sideways, and the clock on every node's battery is always ticking. It's a genuinely hard problem and the industry knows it. The answer that's been taking shape points to three pillars: lightweight cryptography, hardware-rooted trust, and AI-driven adaptability.


Lightweight and Post-Quantum Cryptography


Take encryption. Standard RSA is simply too heavy for a battery-constrained hydrophone; the computational cost alone makes it a non-starter. What's gaining ground instead is Elliptic Curve Cryptography, and increasingly, lattice-based approaches like NTRU. Same protection, far less overhead.


NTRU is particularly promising because it offers post-quantum security, a necessity for infrastructure meant to last decades. Recent findings on security authentication suggest that protocols combining lattice-based encryption with location awareness (like NTRU-GOPA) can achieve mutual authentication without draining the device’s battery.


Hardware as the Root of Trust


Then there's the physical threat. A node captured by a diver or a remote vehicle is a node whose cryptographic keys are suddenly up for grabs. The answer engineers have landed on is Physical Unclonable Functions (PUFs). The easiest way to think about it is a silicon fingerprint. Every chip comes out of manufacturing with microscopic variations that are entirely its own. You can't copy them. You can't replicate them. The hardware itself becomes the credential.


According to surveys on hardware security, these functions generate keys on demand rather than storing them in memory. If the device is powered down or tampered with, the key effectively ceases to exist. Prototypes like the FORTRESS security enclosure even utilize capacitive mesh wraps that detect drilling or penetration, triggering an immediate "zeroization" of sensitive data.


Verifying Location: The "Where" Matters

 

In the ocean, knowing where data comes from is as important as the data itself. However, attackers can use "Time of Arrival" (TOA) spoofing to make a malicious node appear closer or further away than it actually is.

 

To fight this, we are seeing the adoption of algorithms like LC-MAP (Locus-Conditioned Maximum A-Posteriori). Research into adversarial acoustic sources shows that by prioritizing geometric consistency, these systems can achieve sub-meter localization accuracy, spotting the mathematical impossibilities in a spoofed signal.
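The geometric-consistency idea can be shown with a much simpler test than LC-MAP: fix a position from redundant anchor ranges, then check whether every measured range actually fits that position. This is an added example, not the LC-MAP algorithm and not code from the article; the 2-D anchor layout, the 2 m tolerance, the function names and the sample arrival times are constructed assumptions.

```python
import math

SOUND_SPEED = 1500.0  # m/s, the approximate figure quoted in the article
ANCHORS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0), (1000.0, 1000.0)]  # constructed


def locate(anchors, ranges):
    """Linearised least-squares 2-D fix from four or more anchor ranges."""
    (x0, y0), r0 = anchors[0], ranges[0]
    saa = sab = sbb = sac = sbc = 0.0
    for (xi, yi), ri in zip(anchors[1:], ranges[1:]):
        # Subtracting anchor 0's circle equation leaves a*x + b*y = c.
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = r0**2 - ri**2 + xi**2 - x0**2 + yi**2 - y0**2
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; no unique position fix")
    return (sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det


def check_toa(anchors, toas, tol_m=2.0):
    """Return (position, worst range residual in metres, consistent?)."""
    ranges = [t * SOUND_SPEED for t in toas]
    x, y = locate(anchors, ranges)
    worst = max(abs(math.hypot(x - ax, y - ay) - r)
                for (ax, ay), r in zip(anchors, ranges))
    return (x, y), worst, worst <= tol_m


def sample_toas(pos, extra_delay_s=(0.0, 0.0, 0.0, 0.0)):
    """Constructed input: one-way TOAs from pos, plus optional added delay."""
    return [math.hypot(pos[0] - ax, pos[1] - ay) / SOUND_SPEED + d
            for (ax, ay), d in zip(ANCHORS, extra_delay_s)]


if __name__ == "__main__":
    print(check_toa(ANCHORS, sample_toas((300.0, 400.0))))
    # Same source, but one anchor's arrival time is shifted by 0.2 s.
    print(check_toa(ANCHORS, sample_toas((300.0, 400.0), (0.0, 0.2, 0.0, 0.0))))
```

A shifted arrival time at one anchor leaves no single point that satisfies all four ranges, so the worst residual jumps well past the tolerance; with only three anchors there is far less redundancy to expose it.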

 

The Future: AI and Federated Learning

 

The final piece of the puzzle is autonomy. Because bandwidth is too scarce to send all logs to the cloud for analysis, IoUT nodes must be smart enough to defend themselves.

 

This is where Federated Learning (FL) comes in. Rather than sending raw data to a central server, underwater drones train intrusion detection models locally and share only the model updates. IEEE studies on distributed underwater networks highlight that this approach preserves privacy and saves bandwidth while allowing the network to "learn" from attacks in real time. Deep Learning models are already achieving over 97% accuracy in classifying underwater targets based on noise signatures, distinguishing between a pod of dolphins, a submarine, and a jamming signal.

 

Conclusion


Securing the Internet of Underwater Things means letting go of everything we've assumed to be true on land. These are networks built inside an environment that actively fights against communication, where every watt of power is finite and no one is coming to fix things anytime soon.

 

What works is a hybrid approach: protocols that are built with acoustic latency in mind rather than designed around it, trust baked directly into the silicon through PUFs, and AI that can respond to threats at the edge without waiting for a human to weigh in.


As your enterprise looks toward the Blue Economy, the real question isn't just whether you can pull data up from the deep. It's whether that data still belongs to you by the time it arrives. Through our advanced AI security division, IronQlad AI, we design lightweight cryptographic systems, hardware-rooted trust models, and adaptive federated learning defenses purpose-built for extreme operational environments.

 

KEY TAKEAWAYS


Physics Changes Security:

Terrestrial RF protocols fail underwater; security must account for the slow speed of sound (latency) and low bandwidth of acoustic channels.

 

Energy is the Vector:

Many cyberattacks in IoUT, such as collision induction, are designed specifically to drain the battery life of inaccessible underwater nodes.

 

Hardware Trust is Critical: 

Because physical access to nodes is difficult for defenders but possible for attackers, Physical Unclonable Functions (PUFs) are essential for key management.

 

AI at the Edge:

Federated Learning allows underwater nodes to detect threats locally without saturating the limited communication bandwidth.

 

 
 
 
