Cyber security at sea: a brand new naval cyber framework
Cyber-attacks are an everyday thing in 2022 – it’s no longer hard to find yet another news article about another industry data leak, or even an affected government program. State actors in particular are clearly stepping up their game: cyber warfare brings less risk to their own people, and is often a lot cheaper than ‘conventional’ warfare. Unfortunately, this has gradually seeped into the naval domain as well. A small software bug infecting your radar or guns, or the loss of confidential data can have a devastating effect during a mission. A brand-new Naval Security Framework, based on extensive risk analysis in the naval field, is now ready to assist navies worldwide in more easily and cost efficiently implementing cyber defence measures on their navy ships!
Naval Security Framework
Herein lies the crux. Most generic security requirements frameworks that help organisations set up their cyber defences, such as ISO standards, have a strong, broad organizational scope. They are great one-size-fits-all frameworks that work great in most circumstances, as they define a specific set of requirements that will lead to better quality and security. However, generic frameworks can be hard to implement in very specialised situations. Occasionally, the military context of a combat system can be such a specialised case. Cyber warfare at sea is still fairly new. This can make it difficult when you want to implement certain generic security standards in a way that best fits your naval and accreditation needs. That’s where we come in.
Determined to stay ahead of the pack, we tasked a specialized team with further strengthening our naval cyber security approach and helping our customers with more effectively implementing their preferred cyber security frameworks on board of naval vessels – by making them more naval! Naval warfare experts, product experts, cyber security specialists and network and software engineers combined their skillsets for more detailed results.
Based on a combination of our knowledge of naval specific threats, our naval mission systems, plus software and hardware knowledge, the team translated their findings into a new set of naval specific cyber security (engineering) requirements – with the strengths and limitations of other existing, accredited generic security frameworks in mind. The end result is our Naval Security Framework, or NSF!
Architectural principles of the NSF
The architecture of the NSF is built on three layers of security. The first layer is called Defence in-depth: this means your security is not based on one specific type of protection, but employs different kinds of protection at different levels of a system. In other words, if one type of protection fails, others that work against the same threat are still active, giving you valuable extra time to prevent further complications. For instance, security measures that complement each other to form a Defence in-depth software architecture are user access control, file encryption, and security events logging.
The second layer focuses on minimizing the attack surface of your system. An example of cyber security measures focused on achieving a minimal attack surface, is restricting user access rights based on specific roles. If you give your operators the minimum amount of software access they need to do their jobs well, it minimizes the chances of malicious or non-malicious misuse of the systems. Likewise, segmenting your network into different domains helps to ensure that relevant information is available only to those users that need it, helping you to build a multitenant environment.
The third layer is all about Self defence, and being self-reliable. In cyber security, this means that you don’t rely on the protection of external systems or partners you might work with, but always install your own protection measures. For instance, a ship system must also install a firewall on the data connection between the ship and the shore systems. We should note that this is important to keep in mind throughout your entire military and commercial supply chain. The greatest risks often lie with the parts and equipment of outside suppliers. Malware is ever prevalent. Any weak links might give an opening into your own safe chain.
Help generic frameworks become naval specific
These architectural layers might seem like straightforward cyber security measures. And they can be! At their core, they are not that different from what you might want to do for an office, or from what your preferred generic framework will suggest. What sets our NSF apart, however, is how we’ve embedded these layers and their requirements in existing naval software procedures and hardware setups.
We looked at the software processes on board of navy vessels that generic requirements will affect, and what this means for the crew. We looked at the available space on board that is affected by generic hardware requirements, and how this affects existing safety protocols. We looked at the training of operators, and how generic requirements will affect their work or their skillsets. We took everything into account, and turned generic into naval-specific!
Let’s look at two-factor authentication, for instance, by means of a biometric fingerprint and password authentication. This is a secure approach, which many of us will have implemented on our smartphones, or on our social media profiles. It might seem like a secure approach for your naval framework as well. However, most two factor authentication set-ups don’t consider possible combat conditions, where every second counts. You might not have time to spare to go through the two-factor authentication. You might be wearing a fireproof suit including gloves, unable to use your fingerprints. Although part of generic security frameworks, it doesn’t fit a naval environment.
Or consider the general governmental requirement that a gateway has to be placed between domains with a different classification level. (A Gateway is a networking device or hardware node that is used to join two different networks with different protocols and network characteristics together.) It’s definitely a good security requirement for most offices on land. However, placing a gateway in the functional chain of a combat systems means the throughput, latency and jitter of such a gateway have to meet very strict requirements. When making life or death decisions, you can’t have massive delay between clicking or pressing a button and its desired effect because of a gateway. Time is of the essence.
There are many more navy specific safety, system, performance and operational requirements that require a tailored application and implementation of security best practices and controls. Our brand-new Naval Security Framework has layered these over existing security frameworks to help you to more easily follow compliance with national regulations and international standards, while still meeting your naval needs. More than its generic counterparts, it sets out to help you obtain accreditation and security while steering clear of implementing requirements that don’t fit the context (avoiding cost overshoots and project delays). In the end, it is about achieving the desired security effects, through the right balance between protection, performance, residual risks, and costs. You decide what works for you!
The road to your naval cyber security success
Our team of naval cyber security experts can assure you: with the right support, obtaining optimal cyber security on board is always within reach. Risk and threat-based thinking is the way to go: focus on your goals, opportunities to grasp, risks to avoid, and share these with your supplier. We offer several different packages, based on your operational requirements and risk appetite. Whatever your needs, we can implement security measures that protect the functionality and performance of the systems you have in place. We believe safety and mission objectives come first. In the end, similar as when finding your way to Rome: there are many different roads to success. We’re here to help you find the best one.