« Return to Newsletter

Captain Phillips, 2.0

The Officer of the Watch orders right full rudder, as the ship exits the Gulf of Aden onto its southbound track past Somalia.  She crosses 11° 00′ N when the ship goes dark, with the exception of the navigation display. An electronic ransom note, signed “Anonymous” is the ship’s only sign of life.

People often associate the term ‘cybersecurity’ with protection against espionage, identity theft, financial fraud, and sensitive data loss.  There is a rising threat, however, to ‘real-world’ control systems – those systems that are essential to shipboard operations.  Many people are aware of the 2010 “Stuxnet” attack and the infiltration of malware into Iran’s uranium enrichment program. For the first time, attackers created malware to cause material damage to real-world systems. Stuxnet’s creators designed the attack to have three key components: first, the desktop computers of Iran’s enrichment program would be compromised, then the worm would pivot to connected SCADA control software, and compromise a set of Programmable Logic Controllers.  The attackers leveraged control of this environment to manipulate Iran’s centrifuges, resulting in catastrophic failure. In the years since this attack, cyber threat actors have developed Stuxnet-like packages aimed at compromising control systems in thousands of organizations throughout the world – within defense, shipbuilding, energy, aeronautics, and other industrial sectors.

These events have resulted in an increased awareness within the U.S. Navy community of the threat to shipboard control systems, but much work remains within the military and commercial environments to properly secure shipboard architectures. In recent remarks to the U.S. Naval Institute, VADM William Hilarides discussed the Navy’s growing concern with the increasingly interconnected nature of shipboard systems and “…the threat to our control systems.”  The trend in shipbuilding is to take advantage of the capabilities inherent in commercial IT to improve the  crew’s ability to monitor and control traditionally isolated machinery: turbines, generators, HVAC, propulsion, etc.  It is common today to be able to trace a network packet within any oceangoing vessel from the radio room, through shipboard networks, to an automation system, then through a set of control systems directly to propulsion, HVAC, or other HM&E components.  While this capability offers many benefits in terms of efficiency and cost savings, a byproduct of the increased interconnectivity  is the exposure of shipboard control systems to cybersecurity threats not previously contemplated.

It is a misconception to assume that military platforms are the primary targets of the hacking community.  In truth, cyber threat actors will target control of any high value asset they can use for financial or political gain. It is imperative today that shipbuilders, HM&E providers, system integrators, and related organizations exercise increased diligence in developing integrated systems with strong end-to-end cybersecurity postures.

In the scenario above, cyber protection engineering, safeguards, and policies could prevent an attack from its onset.  Increased integration of commercial IT systems with shipboard control systems, and the benefits that go with it, are here to stay – but are you doing enough to ensure you will never receive a system message from “Anonymous” on your control systems?

About the Author

Tracy Gregorio is a member of VSRA and the President/CEO of G2 Ops, an innovative provider of model-based systems engineering, information assurance, cybersecurity and data modeling to the federal government. http://www.g2-ops.com

« Return to Newsletter