Two industry authorities in correspondence with ESD have argued that government, naval, and industry eyes must be open to the cyber risks to what is known as operational technology.
To generate its operational effects, a high-end naval warship will carry a range of state-of-the-art, automation-focused and information technology (IT)-based weapons and sensors.
A modern aircraft carrier, for example – such as a US Navy Ford-class or UK Royal Navy (RN) Queen Elizabeth-class ship – embarks the ‘fifth generation’ Lightning II joint strike fighter, which brings its own state-of-the-art weapon and sensor capabilities. The carrier itself will be armed with close-in weapons systems or self-defence torpedoes that are cued to targets by remote sensors, including electro-optical/infra-red (EO/IR) systems. The ship’s own sensors will include radars to provide air-search, surface-search, ship navigation, and aircraft landing capability; EO capabilities; and a data-focused combat management system (CMS) designed to integrate data from sensors and distribute information to users.
The IT underpinning such systems is crucial to their operation, and to their operational effectiveness. It also presents risks to their operational security.
Such IT-based weapons and sensor systems are so critical to a ship’s activities and effectiveness – and thus to a navy’s operational outputs and its consequent contribution to national security – that significant attention is paid to ensuring the security of such weapons and sensors in the face of growing cybersecurity threats from a growing range of potential adversaries.
However, equally important – but perhaps not so uniformly recognised and understood – is the cybersecurity threat to other IT-based systems, both onboard ship and ashore, that are essential to the operational use and output of the platform and its weapons and sensors. Collectively, such systems form what is effectively a second IT-based layer enabling and underpinning the use of ships and their weapons and sensors, a layer that is central to their effective operational output. This layer is known as operational technology (OT).
OT is another layer that is vulnerable to cyber threats – but the risk here may not be at the forefront of concern to the same extent it is with high-end weapons and sensors, and their host platform.
Onboard an aircraft carrier – and, indeed, within its carrier strike group (CSG) – are several core OT systems that could be targeted in cyber attacks, including against their infrastructures. These might include: satellite communications-based navigation systems; the ship’s power and propulsion set-up; the integrated platform management system; internal and external communications systems; ship safety and recovery systems, such as firefighting or flooding control capabilities; and refuelling/resupply systems including those based on auxiliary ships within the CSG.
Ashore, infrastructure elements in a naval base provide another OT layer that offers an example of how potential cyber attacks could threaten a ship’s operation. Such elements could include dry dock gates, port cranes, or re-supply facilities, for example.
The primary point to bear in mind is that an adversary does not necessarily need to damage or sink a ship to stop it delivering its effect. The adversary simply needs to stop the ship operating in the first place.
Defining the threat
The UK Government’s National Cyber Security Centre (NCSC) defines OT as “Technology that interfaces with the physical world and includes Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Distributed Control Systems (DCS).” It adds that, in the civilian world for example, OT can include the operation of traffic lights or the provision of energy at the touch of a button. OT, it continued, includes “automatically monitoring and controlling processes and equipment that are too dangerous, too demanding, or too monotonous for manual operation”.
Demonstrating the range of OT risks that exist, ‘dangerous’ systems could include radars or underwater sensors; ‘demanding’ systems could include ship or port cranes or lifts; and ‘monotonous’ systems could include onboard heating control systems.
The NCSC added that traditional cyber security has focused on information security, integrity, and availability, whereas OT focuses more on physical factors relating to safety, reliability, and availability. “Many OT environments form part of the UK’s critical national infrastructure, so disruption to services that they control is potentially of concern,” the NCSC notes.
The NCSC’s own work on the issue is designed to help architects and designers procure secure, resilient systems, it continued.
In the military world, navies themselves are focused on improving operational resilience across the board, assessing a range of factors including ship availability, logistics sustainability, personnel capacity, and IT security. Industry experts are thus asking the question of whether securing OT should feature more centrally in discussion and development of ship design and operation concepts, hand-in-hand with increased consideration of securing OT at the infrastructure level.
Tackling the threat
In correspondence with Maritime Defence Monitor, representatives from two companies argued that losing access to OT system outputs can impact capacity to deliver a mission. The first is the naval design, engineering and management consultancy BMT, which offers specialised solutions across the maritime sector, all with a strong focus on security and OT cybersecurity (BMT is renowned for its expert delivery of high-end technical consulting in both defence and commercial domains). The second is the leading global cybersecurity company Fortinet (securing OT with best-of-breed enterprise threat protection across the network perimeter, datacenter, and the cloud).
The representatives opened by asking the question of whether navies faced the risk of a multi-billion pound aircraft carrier being put out of action because of a cyber attack on a one-pound sensor. “The example, simple £1 sensor may be controlling the ship’s engines, port cranes or lock gates, or simply keeping the lights on and the environment at the correct temperature,” they stated.
In setting out the operational context around this question, the representatives noted “OT most commonly encompasses the hardware and machines responsible for the physical processes of a business.” They added that OT systems often use proprietary software, have longer technology lifecycles, and are required to operate autonomously.
Western navies are increasingly focused on digital technologies at sea and digital transformation both at sea and ashore, in order to maintain competitive advantage. For a navy like the RN, the representatives said that digital transformation can encompass key developments relating to OT, including:
- Increased use of OT to support system maintenance, engine monitoring, munitions handling, and environmental controls;
- Increased networking and connectivity, such as ship-to-shore communications, remote control of offshore and onboard operations, increased use of cloud-based data applications, and greater integration between IT and OT;
- Increased use of automation and autonomy at a fleet, ship, and shore infrastructure operational level;
- Greater numbers of autonomous vehicles, ranging from very small, single-use ships to very large ships.
The representatives noted that the increased use of digitisation, plus the accelerating convergence of OT and IT, have expanded the scope of cyber attack risk to OT, along with the likelihood of attack success. For organisations like defence ministries, they added that “Delivering secure OT solutions within these business realities will be key to maintaining … cyber-physical competitive advantage.”
“A big risk to digital transformation exists within OT and the ability to exploit and protect these systems and sensors at a speed of relevance to modern mission needs,” they continued. “To realise the benefits of digital transformation will require security transformation to protect against the evolving cyber threat landscape.” Noting that the defence world can learn much about OT cyber security from IT cyber security – by following the same approach of identifying and managing vulnerabilities and risks in the context of business outcomes, but while tailoring the mix of people, process, and technology to manage the different attack possibilities and risks – the representatives stated that defence departments and ministries must broaden cybersecurity postures to embrace the need to secure OT.
Reducing OT risk
The two representatives warned that time is tight in addressing the OT risk.
“To address today’s security risks requires targeted and focused interventions, delivered at pace and scale, and informed and prioritised against critical mission outcomes,” they stated. Such interventions should be underpinned by continuous development and improvement of OT security capabilities de-risked through experimentation.
In OT security terms, experimentation allows commercial-off-the-shelf (COTS) technology to be rapidly tested, inserted, and focused in the form of an intervention targeted at critical vulnerabilities, but also to provide objective evidence of the technology and organisational changes required to reduce the risk to OT.
The scale and scope of the OT risk is large, they argued. Reflecting the NCSC’s position, they noted that part of the approach to take in reducing OT risk is to promote secure design principles and seamless integration of security products at the point of platform, system, and infrastructure design. “This is as much a cultural as it is a technical problem,” the representatives said.
Alongside promoting cultural change to feed into longer-term thinking about design priorities, they added that focused interventions are required too, to manage risks present today. The representatives detailed the focus for interventions across both timeframes, as well as from the strategic-control to more tactical-control levels:
- Gaining understanding of the risks and attack surfaces based on asset criticality. This should include the holistic IT/OT convergence and interfaces. (Fortinet defines an attack surface as the number of possible points where an unauthorised user can access a system, adding that a smaller attack surface is easier to protect);
- Segmenting (where possible) and hardening networks to minimise attack surfaces and impact on system usability, and to manage the severity and duration of successful attacks;
- Building visibility and knowledge of the proprietary, OT-specific protocols allowing system control even down to an individual sensor;
- Reducing risk through access control, and adopting tailored OT signature monitoring and more advanced predictive, proactive, User and Entity Behavioural Analytics (UEBA) detection techniques.
In sum, the representatives concluded, defence departments and ministries need to: understand the OT attack surfaces, by identifying and understanding what OT is deployed and applicable; analyse vulnerabilities and threats; and develop mitigation approaches. This can be achieved by following two paths, they said. First, COTS products should be exploited through experimentation to enable rapid test and deployment of OT interventions, to provide evidence to underpin the technological and cultural changes required. Second, integrating secure design principles into everyday business processes will assist in reducing risk at source, while also accelerating the benefits of digital transformation in a converging IT/OT landscape.
While the OT cyber security risk is real today and into the future, there are ways to meet this challenge if the risk is recognised, the representatives said.
Maritime impact
The cyber risks in the maritime domain are already evident, in both theory and reality.
In March 2021, the container ship MV Ever Given ran aground in the Suez Canal, blocking the canal for six days and impacting the flow of – and costs associated with – maritime trade for some while longer. The causes of the incident have not been revealed. However, the example demonstrated the risk to, and impact on, maritime trade and global economies if a key maritime choke point like Suez were closed off for a while, as could happen should a ship’s propulsion, navigation, or steering systems be subject to an OT-related cyber attack.
In June 2021, the RN Type 45 Daring-class destroyer HMS Defender and the Royal Netherlands Navy De Zeven Provincien-class frigate HNLMS Evertsen – both deployed with the RN’s HMS Queen Elizabeth CSG on its CSG21 deployment – were operating in the Black Sea when a cyber attack saw the electronic ‘locations’ of the two ships ‘spoofed’ and re-positioned to be just off the Russian naval base at Sevastopol, Crimea. The two ships were in fact moored at Odesa, Ukraine at the time. According to US Naval Institute News, the automatic identification system (AIS) tracking data of the two ships was the subject of a cyber attack. Of course, re-positioning two NATO warships to a position just outside Sevastopol could be viewed as provocative – hence the strategic benefit to a NATO adversary of adjusting such AIS tracks.
In correspondence with Maritime Defence Monitor, BMT and Fortinet representatives discussed the potential impact of this type of risk for naval and wider maritime operations.
Looking at the RN’s situation in particular, the Fortinet representative said “At a navy level, the risk is that already-stretched resources will not be able to protect the UK’s interest and commitments around the globe.”
In turn, the BMT representative underlined the wider implications, noting that while the ‘fight’ systems in the ‘float, move, fight’ concept of operations for a warship are probably the least vulnerable as the attack surface is more difficult to exploit, the OT-related failure of a small component onboard could lead to an engine or steering failure that would impact the safe operation of the ship. “This is something affecting all maritime domains [commercial and military] as they all share the need to be able to ‘float’ and ‘move’ and will often use very similar systems,” BMT added.
Regarding particular points of naval operational vulnerability to OT attack, BMT said “The highest vulnerabilities are normally when the platform is most connected (physically and electronically), which normally occurs when the ship is in port.” Here, the BMT representative highlighted two areas of focus: first, poorly segmented/partitioned networks, which would increase the number of vulnerabilities an attacker could exploit and would mean the impact of a successful attack could be greater; second, the need to control access to systems, reducing the risk of attack from inside the system itself.
The Fortinet representative noted that the highest vulnerability can occur when a legacy system is incorporated into a wider network. Legacy systems are a particular challenge in the OT space. “OT systems can be 25 years old and therefore harder to manage,” said the representative. “This means you lose the layers of security you would have with newer IT and OT systems.”
Next steps
Incidents like the Black Sea cyber attack on the UK CSG ships demonstrate that the risk is real, and that attacks are underway. Navies are thus having to determine how to counter the risk both today and tomorrow.
To the BMT representative, the ways will be different even if the end is the same: managing today’s risks by prioritising critical system vulnerabilities that impact critical business and operational outcomes, while embedding security through design approaches (encompassing people, process, and culture) to manage tomorrow’s.
“Once you move from ‘if it happens’ to ‘it is already happening’, you can build your cyber security posture to address this,” the Fortinet representative added. In practical terms, they underlined the need for navies to secure cyber security tools in every OT network, starting from the centre and moving outwards. “It is not viable to safeguard all the OT systems in a navy, but you can mitigate the risk they pose,” the Fortinet representative said.
The BMT representative painted a picture of the nearer- and longer-term vision for how an OT security environment should look as navies get to grips with the problem. The overall picture, it explained, is one where “security is embedded in the culture to help manage risks associated with the legacy technology.”
The culture point is critical, the BMT representative explained. “In the immediate future, the ideal OT security environment within navies would be deeply rooted in a culture of security, where every individual understands and contributes to the safeguarding of OT.” “This cultural shift is critical to managing risks associated with legacy systems that are often vulnerable yet integral to naval operations,” they added.
While the near-term focus is on critical vulnerabilities in critical systems, the longer-term goal of integrating a security approach into every facet of naval operations will help develop an holistic approach that ensures security considerations are not afterthoughts but fundamental components of every operational decision and technological advancement, BMT’s representative explained. “In essence, a future-proof OT security environment in navies will be characterised by a pervasive security-conscious culture, continuous prioritisation of critical system vulnerabilities, and a foundational commitment to secure-by-design principles, creating a resilient and adaptive defence against evolving cybersecurity threats,” they added.
Dr Lee Willett