Hacker attacks against ships' on-board infrastructure are no longer a nightmare scenario: they happen regularly, and often without being detected. Navies and their crews face a new dimension of silent, hybrid threats which they have not had to deal with before.
Before countermeasures can be implemented after an incident, the crew must have the means to monitor the vital infrastructure and to detect a potential threat in the first place. A few typical risk environments recur on every platform, and they require automated, uninterrupted real-time monitoring so that countermeasures can be prepared. Artificial Intelligence (AI) based data analysis and human factors together determine how far the risk of cyber attacks can be mitigated in current and future ship operations.
Risk analysis and typical attack scenarios
An important exercise is to evaluate and discuss critical and potential attack scenarios. Some of a ship's systems can be attacked directly, others through the Combat Management System. In times of pervasive digitalisation and networking, cybersecurity has become a particularly prominent aspect of security for ships, submarines included.
With regard to ship platforms it is absolutely critical to prevent intruders from gaining access to the IT and from reaching sensors, effectors and control systems. Private internet communication via smartphones or portable storage devices must be completely isolated from the ship's communication infrastructure, so that attacks such as infected mails or manipulated USB sticks cannot reach it.
Attacks on warships carried out with comparatively little effort by states or organisations that do not own a single warship or any trained combat forces are becoming an increasingly likely scenario.
Potential attack vectors and risk factors in order of criticality
The associated risk factors that determine the likelihood of an attack on, or a compromise of, the infrastructure can be summarised in four groups:
- External Interfaces: Military underwater missions and exercises are conducted in an increasingly multinational communication environment. Manoeuvres presuppose overarching communication between NATO countries, so even previously completely isolated networks must now offer interfaces to fulfil these requirements.
- Human Beings: Attacks can take place via a person's social network or by compromising private smartphones, which gives a threat a path into the on-board network.
- Maintenance Interfaces: Such interfaces use off-board communication and can therefore be abused; unauthorised use of remote maintenance access is a way to introduce malicious code.
- IT Organisational Deficiencies: Deficiencies of this sort result from not strictly following a risk management standard such as ISO 31000: software versions or operating systems that are no longer supported with updates, uncontrolled patch management, outdated antivirus software, or unauthorised access to systems, e.g. due to an insecure BIOS password.
Constant monitoring and analysis of the communication link
The key component of this monitoring system is an automatic monitoring device which detects potential incidents (indicators of compromise) in real time. The system operates autonomously on board and can additionally be used in conjunction with a CSOC (Cyber Security Operation Center) located on shore.
The system's focus is to let the existing crew analyse the detected results on board the submarine, without the need for an on-board team of cyber experts. The reporting of the monitoring system should be easy to analyse and should show the impact of incidents and the means to restore capabilities.
The Thales Malware Detection and Analysis System automatically scans outbound traffic for anomalies and does so entirely passively. Because malware that is already installed keeps communicating outwards, infections that occurred before the system was activated are also detected once it is switched on.
Conventional network security tools mainly monitor inbound traffic (via sandbox, firewalls, antivirus, etc.). The Thales malicious threat detection solution focuses solely on monitoring outbound traffic and thereby identifies which of the installed classic security devices, such as firewalls, are not providing adequate protection.
The Thales Malware Detection System consists of two components: the 'Probe', which is located in the network segments, and the central analysing system, which is connected to the ship's IT network.
The Thales probe extracts metadata from network traffic (mirrored / SPAN data) and transmits it to the analysing platform. The Thales architecture detects malicious content, or constellations of data that indicate an attack, by inspecting all outbound communication with the Internet in real time.
Thales Malicious Threat Detection focuses on the characteristic outbound communication of malware or bots that have installed themselves on devices and networks. This method provides an accurate overview of advanced or targeted attacks (Advanced Persistent Threats, APTs) and of malware that has entered the on-board network through the firewall systems.
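The characteristic the text relies on, periodic outbound "beaconing" from an infected host to its command-and-control server, can be illustrated with a small analysis step over probe-style flow metadata. The following is an added example written for this page, not Thales code: the record format, the internal address ranges, the thresholds, the allowlist of expected periodic services (NTP here) and the sample flows are all assumptions constructed for the illustration. It groups outbound flows by (source, destination, port), measures how regular the gaps between successive connections are, and flags tuples whose gaps are nearly constant while suppressing known periodic services so that they do not become false positives.

```python
"""Beacon detection over outbound flow metadata (added example, not Thales code).

A probe on a SPAN port would export records like Flow below; the analysing
platform looks for hosts that contact the same external endpoint at nearly
constant intervals, which is how most implants poll their C2 server.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Address space of the on-board network (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Services that legitimately poll at fixed intervals: (destination, port).
# Without such an allowlist an NTP client looks exactly like a beacon.
EXPECTED_PERIODIC = {("198.51.100.123", 123)}


@dataclass(frozen=True)
class Flow:
    ts: float        # start of the flow, seconds since epoch
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def outbound(flows):
    """Keep only flows that leave the on-board network."""
    return [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]


def find_beacons(flows, min_count=6, max_cv=0.15, expected_periodic=EXPECTED_PERIODIC):
    """Flag (src, dst, dport) tuples whose outbound connections recur at
    nearly constant intervals.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive flows.  Implants with a little built-in jitter still sit well
    below max_cv; interactive traffic such as web browsing does not.
    """
    stamps_by_key = defaultdict(list)
    for f in outbound(flows):
        stamps_by_key[(f.src, f.dst, f.dport)].append(f.ts)

    findings = []
    for (src, dst, dport), stamps in stamps_by_key.items():
        if len(stamps) < min_count or (dst, dport) in expected_periodic:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "count": len(stamps),
                             "period_s": round(period, 1), "cv": round(cv, 3)})
    return findings


def _flows(src, dst, dport, offsets, base=1_700_000_000.0, size=1200):
    return [Flow(base + off, src, dst, dport, size) for off in offsets]


# Constructed sample data: one implant beaconing every ~60 s with jitter,
# one host browsing at irregular intervals, one NTP client polling every 64 s,
# and regular internal SMB traffic that must be ignored as it never leaves the ship.
SAMPLE_FLOWS = (
    _flows("10.0.5.23", "203.0.113.10", 443, [0, 61, 119, 180, 242, 299, 360, 421, 479, 540])
    + _flows("10.0.5.40", "198.51.100.7", 443, [0, 3, 40, 41, 200, 205, 530, 900])
    + _flows("10.0.5.23", "198.51.100.123", 123, [0, 64, 128, 192, 256, 320], size=76)
    + _flows("10.0.5.23", "10.0.1.1", 445, [0, 60, 120, 180, 240, 300])
)

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_FLOWS):
        print(finding)
```

Run on the constructed sample, the analysis reports a single finding: 10.0.5.23 contacting 203.0.113.10:443 ten times with a period of about 60 s. The browsing host is evaluated but rejected because its gaps vary too much, the internal SMB traffic never enters the analysis, and the NTP client is suppressed by the allowlist; removing that allowlist turns the NTP polling into a second alert, which is the kind of false positive the threat-intelligence input discussed below is meant to prevent.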
Cybersecurity Services based on Artificial Intelligence (AI)
Artificial Intelligence (AI) is required to support the accurate input of "Threat Intelligence Data Base" information and to feed the on-board cyber monitoring sensors. This is essential to avoid false positives, which for a small crew with no cyber specialists on board can be even more severe than undetected attacks, because they consume attention and erode trust in the alerts. Cybersecurity services based on AI machine learning support anomaly detection in the communication between systems.
AI needs to be provided to the Cybersecurity System on a pan-European basis. As military operations are multinational the development and the usage of AI should also be multinational.
The Human Factor
Trained staff members understand the potential risks and are fully aware of the very strict and careful behaviour needed to avoid cyber attacks. This ranges from the correct use of private smartphones to the restrictive handling of external and removable storage media such as USB sticks.