Cyber Torpedos – How to Sink a Modern Ship


By Commander Robert Smilie RAN*

Introduction

One of the most dangerous threats to shipping in World War II was the German U-boat armed with torpedos – an enemy that was below the surface, unseen, hard to detect and lethal to ships. Fast forward to today and, yes, submarines are still dangerous, but there is a new threat to shipping that is below the surface, unseen, hard to detect and lethal to ships: cyber attacks.

Advances in technology have significantly improved all aspects of ship safety. This has allowed for minimum-crewed vessels; accurate navigation, communications and tracking of vessels for safety of life at sea (SOLAS); and automation of machinery spaces and ship control. Nearly every system on a modern ship has some form of computer that has made operating ships easier and safer. But what if those same systems provide an unseen danger below the surface that is hard to detect, a new attack vector that can easily cripple a ship, a ‘cyber torpedo’? Unlike a traditional torpedo, a cyber torpedo would not necessarily sink a ship, but it could achieve the same outcomes of sea control or sea denial, by preventing that ship from sailing or executing its mission.

The threat of cyber attacks is pervasive across all industries and sectors, including maritime and military. There are numerous examples of cyber attacks being used by nation-states as a mechanism for achieving strategic objectives, shaping and influencing the battlespace, intelligence gathering, and destruction. Modern technology has enabled all aspects of our lives, providing convenience, automation and safety; unfortunately for far too long security has been an afterthought or non-existent for critical safety systems, leaving them vulnerable to cyberthreats – ships included.

The RAN is undergoing its largest modernisation and capability expansion since World War II, investing over $90 billion in new naval ships and submarines.[1] These new ships and submarines come with complex interlinking systems that are connected not only to each other but also to shore infrastructure and the internet, creating a large cyber attack surface. With such a significant investment, the RAN must consider cybersecurity and defensive cyber measures seriously to ensure these capabilities are able to deploy effectively and not be vulnerable to cyber attacks.

Cyberthreats

Cyberthreat actors come in many forms including nation-state actors, cybercriminals, cyberterrorists, hacktivists, and insider threats that can be both malicious and unintentional. While all of these are credible threats to RAN ship systems, supply chains and port infrastructure, the nation-state actors are of particular concern.

Nation-state cyber actors are well resourced, professional and highly motivated. They aim to gain intelligence and disrupt other nations via cyber means.[2] They operate covertly and usually do not acknowledge their actions. Nation-state actors can have a ‘cyber army’ or hire hackers to achieve their aims, operating in the grey zone, without fear of legal retribution. There is a rising ‘cyber cold war’[3] occurring as nations strive to gain the upper hand in the information and cyber domain.

There is often a belief that a system needs to be connected to the internet to be vulnerable to cyber attacks; as a result, disconnected systems have older operating systems that are not updated to the latest security standards and do not have antivirus software. This naive view is frequently used as an excuse to save money on often expensive cybersecurity measures.

Stuxnet[4] was a cyber weapon reportedly developed by the United States and Israel[5] to derail Iran’s nuclear program. Stuxnet was successfully used against an Iranian nuclear facility, infiltrating secure systems that were not connected to the internet or outside world in any way. Stuxnet physically destroyed centrifuges in the background whilst the operators and engineers saw normal results on their control screens. It successfully delayed Iran’s nuclear program by years. Stuxnet provides an excellent example of what can be achieved by an actor with enough resources and intent to compromise a non-internet-connected system and achieve a physically destructive result.

Stuxnet targeted programmable logic controllers (PLCs) used to automate machine processes. PLCs are found in most operational technology (OT), which differs from traditional information technology (IT) as it provides the link between the cyber and physical worlds. This includes national critical infrastructure such as electricity networks, water and sewerage systems, and even health devices used in hospitals. These same PLCs are used in engineering and weapons systems in ships. A cyber attack against an OT system can have a physical destructive effect, ships included.

 

OT systems are far more complex than traditional IT and are often not connected to the internet. A software update to an IT system is easily achieved, and the time the system is offline is a mere inconvenience for a user. If there is an issue, the computer can be replaced with ease, reducing system downtime. Legacy OT systems have older operating systems, software and hardware that are not easily updated. Downtime has a physical world effect that is difficult to manage, and if there is a problem with the new hardware or software it is not straightforward to resolve. This costs time and money and results in that asset being unavailable for use. It is often easier to not upgrade the system at all and risk cyberthreats. An upgrade to a ship system would require downtime and testing to provide assurance that it will operate in the correct way when needed in an emergency or warlike situation. The benefit of frequently upgrading a system against cyberthreats is often outweighed by the need to ensure the system remains working correctly.

Cyber War Isn’t Coming – Cyber War Is Here!

In June 2020, Prime Minister Scott Morrison announced that Australia was under attack from a sophisticated nation-state cyber actor.[6] The cyber attacks were ongoing, unrelenting and increasing in frequency and scale. Prime Minister Morrison described the attacks as:

… targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure …

While the government has not publicly attributed the cyber attacks, there are only a handful of nations, outside of the Five Eyes, capable of such sophisticated attacks, including Russia, China, Iran, Israel and North Korea. What can be gleaned is that the cyberthreat is real, is pervasive and must be considered as part of military planning and capability development.

In July 2020, the United States National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) published Alert AA20-205A – ‘NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems’.[7] The alert warns that there is evidence of nation-state cyber actors targeting OT due to the criticality of the systems and the real-world effect it can have. The alert recommends that immediate action be taken to secure OT assets against these threats.

Defence and industry partners have been targeted by cyber attacks, as shown in the headlines in Figure 3. Nation states are building sophisticated offensive cyber capabilities that can be deployed against all sectors, including government, industry and national critical infrastructure. A successful offensive cyber attack against a modern ship could result in a nation gaining sea power.

Attacks could target industry partners, port facilities, supply chains or ship systems. Disabling a critical ship safety system could prevent a ship from sailing for weeks while incident response and remediation activities are conducted. A more malicious attack on the ship’s control systems could disable a ship at sea, leaving it unable to manoeuvre effectively for safe navigation or collision avoidance. Commonality of systems provides benefit for maintenance, training and ease of use. However, an entire fleet could be disabled by the same cyber torpedo through a firmware update that is shared across multiple platforms, forming a pseudo naval blockade, with ships unable to leave port.

 

In 2013 a research team from the University of Texas at Austin conducted several demonstrations and studies of cyber vulnerabilities in different aspects of ships. These included exploits in the electronic chart display and information system (ECDIS) or navigation display, where they were able to offset the ship’s position on the chart and effect a physical ship movement through a cyber attack.[8] The research team were also able to spoof false information into the ship’s automated identification system (AIS) due to a flawed design in which AIS data is assumed to be genuine with no security or verification protocols.

Defeating the Cyberthreat

Offensive cyber operations are a real threat, particularly from a nation-state, but they are complex and expensive to conduct. Simple measures can be taken to make it cost-prohibitive and as difficult as possible for them to fire their cyber torpedos, as shown in the ‘Cybersecurity value pyramid’ in Figure 4.

Security by design in ships needs to become the norm. Defence and industry should work together closely to design systems that can be easily upgraded and have sufficient measures in place to reduce vulnerabilities and to respond to and recover from cyber attacks. Processes need to include cybersecurity measures that decrease the risk of cyberthreats infiltrating systems, such as active management of USB devices and maintenance laptops similarly to the way that weapons and ammunition are treated.

 

Passive defence relies on human factors. A clicked link in an email is all it can take for a successful cyber attack to occur. Humans will always be the weakest link in the cyber chain; however, they can also be the strongest with the correct awareness and training. A technical solution alone will not prevent cyber attacks; the modern sailor needs to be cyberwarfare aware to ensure they do not become the entry point for a cyber torpedo that could sink a ship. Investment in cyber awareness and cybersecurity training is required to defeat cyberthreats. Senior leadership engagement and support is essential for any cyber-awareness program to be successful. Organisations often do not invest time or money into cybersecurity measures until it is too late and they have fallen victim to a cyber attack.

Conclusion

Cyberthreats are pervasive and continue to grow across all sectors. For the RAN, ships are often designed and delivered without consideration of the ongoing cybersecurity requirements for systems and the need to stay contemporary to reduce risk of cyber incidents. The threats of nation-state actors, outdated systems, lack of cyber awareness and demonstrated maritime vulnerabilities need to be considered and risk mitigated to ensure ships will be survivable from cyber attack.

Viewing cyberthreats in the context of gaining or losing sea power will assist senior decision-makers in understanding the threats and apportioning sufficient resources to mitigate them. Simple and effective measures can be implemented to defend against the growing threat of cyber torpedos.

*Commander Smilie joined the RAN through the Australian Defence Force Academy (ADFA) in 1998 as a Maritime Warfare Officer, graduating in 2000 with a Bachelor of Computer Science.

He has deployed to the Middle East on Operation CATALYST in HMAS Newcastle and has had postings as Executive Officer HMAS Geraldton and Commanding Officer HMAS Wewak. As Commanding Officer of Wewak he deployed to Operation ANODE, with the ship being awarded the Landing Craft Heavy Proficiency Shield under his command in 2010.

[1] Department of Defence, Naval Shipbuilding Plan, Commonwealth of Australia, Canberra, 2017, <http://www.defence.gov.au/NavalShipbuilding/Plan/>.

[2] J Hatch, ‘The nation state actor’, BAE Systems [website], 2021, <https://www.baesystems.com/en/cybersecurity/feature/the-nation-state-actor>.

[3] R Browne, ‘Chess legend Garry Kasparov warns of cyber cold war’, CNBC [website], 20 May 2019, <https://www.cnbc.com/2019/05/20/chess-legend-garry-kasparov-warns-of-a-cyber-cold-war.html>.

[4] McAfee, ‘What is Stuxnet?’, McAfee [website], <https://www.mcafee.com/enterprise/en-au/security-awareness/ransomware/what-is-stuxnet.html>.

[5] The United States and Israel have not acknowledged any involvement in Stuxnet.

[6] A Probyn & S Dziedzic, ‘Scott Morrison’s “urgent” hacking warning shot shows Australia won’t shy away from China’s cyber attacks’, ABC News [website], 20 June 2020, <https://www.abc.net.au/news/2020-06-20/why-australia-acted-on-china-hacking-cyber-attack-scott-morrison/12376700>.

[7] National Security Agency & Cybersecurity and Infrastructure Security Agency, ‘Alert AA20-205A’, Cybersecurity and Infrastructure Security Agency [website], <https://us-cert.cisa.gov/ncas/alerts/aa20-205a>.

[8] J DiRenzo, DA Goward & FS Roberts, ‘The little-known challenge of maritime cyber security’, 6th International Conference on Information, Intelligence, Systems and Applications (IISA), 2015.
