Cyber-attacks happen every day. Large commercial organizations are often targeted, but governments have also faced attacks. The mentioned targets have one thing in common: they are targets on land. Are ships invulnerable? No, and fortunately more and more attention is being paid to cyber security at sea.
By Jaime Karremann - Naviesworldwide.com
René van Buuren is cybersecurity authority Naval at Thales Netherlands. Marineschepen.nl spoke to him about digital defence at sea: “Information security has been around for a long time. But with the advent of the internet it has exploded and we call it cybersecurity. Partly thanks to office automation, everything in companies was suddenly connected to the internet and therefore vulnerable. And in my world, a naval ship is similar to a land based organization, with potential vulnerabilities, which are often interconnected. “
Cybersecurity is not limited to the digital domain. “A cyber-attack can also have effects on things that we can see and feel in the physical world. That is important for naval and commercial ships. The cyber-physical consequences of an attack can be enormous. Stuxnet [a computer worm believed to have damaged a nuclear power plant in Iran, JK] is one of the best-known examples, but imagine if a potential next blockade in the Suez Canal were the result of a cyber-attack on the steering gear, which is not inconceivable. “
Ships are often far from home and the internet connection is not always that fast, is a cyber threat realistic? “That is the most frequently asked question,” answers Van Buuren. “Nuclear power plants are hacked and they are not connected to the Internet. Cybersecurity goes much further than the Internet. A ship is an enormously complex system consisting of all kinds of military and commercial systems that are linked together. That automatically implies that there are a lot of potential vulnerabilities and a large attack surface [many possibilities for attacks, JK]. In addition, ships are in service for 30 years, during which time a lot of people and equipment come on board. “
“You can get supply chain attacks such as Solarwinds”, Van Buuren continues. “This kind of attacks are common more and more. A supply chain attack is an attack on a supplier of your company. The infected software enters your company via that supplier.”
“Cyber threats at sea are also realistic because cyber-attacks have become part of hybrid warfare, in addition to military, economic, political and propaganda means. This means that opponents will use cyber-attacks to disrupt your operations. This does not have to be via the Internet and can be done via various attack paths. For example, it is widely known that some state actors equip maritime vessels with 4G masts and sail in the vicinity of naval ships in order to hack the phones of crew members.“
Future: cyber positions in the command center?
Navies are increasingly interested in adding protection against cyber-attacks. Cyber security is an intrinsic part of the total solution for many new naval ships. According to Van Buuren, the German F126 frigates (MKS180) are an example where cybersecurity is a large and important part of the contract.
“That’s the design side,” says Van Buuren. “You try to deliver it as well as possible, with all lines of defence. And that applies not only to the software in the CIC, but to the entire ship. All software, the sensors and the weapon systems must meet high cyber requirements.”
Thoughts are now moving towards the next step. Van Buuren: “The modern side of cyber is about detection and response. The design must be in order; a fence around your house. But you also have to actively monitor and intervene. Naval ships have all kinds of resources on board to combat damage and fire. There will also be a cyber variant of this in the future. “
That is not easy at sea, says Van Buuren: “On shore you have all the means at your disposal. How do you translate the ordinary cyber defence on land in a civilian company to a naval vessel in conflict? Then it becomes difficult. It depends on, for example, the available knowledge on board, the permitted connectivity and the mission conditions. Do you want to fix something quickly in order to keep fighting? That is something completely different from doing a recovery and update your systems when you’re in your homeport. “
There is no one solution; it is a continuous process. according to Van Buuren. “We are talking about that at Thales and with our clients.”
Thales focuses on cyber defence. “Cyber-offensive capabilities are capabilities for governments and not necessarily for the industry,” says Van Buuren when asked. “Besides, if you have ten missiles on board, you can achieve the same impact ten times. But a cyber weapon can generally only be deployed once. The moment that it is noticed, you cannot use it the second time.”
Conversely, this also means that the threat posed to naval ships comes almost exclusively from a government; a state actor, and to a lesser extent from criminals. And not from someone who is bored and hacks a navy ship in a few hours. The major threats come from maritime cyber-attacks at the highest level by attackers with almost unlimited resources, i.e. state actors.
Van Buuren: “The Solar Wind attack was preceded by many months of preparation by a huge team of experts. You have to have that kind of capacities in mind: the attacker must have to be eager, a lot of money and time.”
For the defenders it is important to keep up with the developments. “It’s a cyber race,” says Van Buuren. “You are always one step behind and developments are going very fast.”
“Cyber security on ships is also difficult because a complex system of all kinds of information systems and operational systems are linked together, all of which have a completely different history and background.”
And such a complex system must remain protected for thirty years. “That’s another trend in cybersecurity thinking,” says Van Buuren. “We need to discuss this. Agreements must be made about updates: who is responsible for the updates? Do you also have to qualify again or do sea acceptance trials?”
“Mid-life modernization of a naval ship is now the standard. But that is a different way of thinking than a regular cyber update. Many navies are also geared towards purchasing equipment and not the maintenance and releases that follows and often they have different organizations for purchase and maintenance.”
These agreements about cybersecurity during its entire lifespan are important, because when the cyber security part of a ship is not properly maintained, means that the ship is a risk for friendly warships. “In the future it cannot be ruled out that certain warships will no longer have access to certain information during a combined mission because they do not have their security in order,” says Van Buuren.