With the failure of computer-controlled steering systems attributed to the collision of the U.S.S. John McCain with a merchant tanker, there is speculation of hacking as a potential culprit.
The U.S. Navy at first said they would consider the idea, but then said that the possibility was eliminated.
Likewise, the retired admirals serving as talking heads for cable news stations have said such systems are closed and thus can’t be hacked into.
As someone hired by some of the largest companies in the world to infiltrate the companies, both physically and technically, I can tell you that they can be hacked into.
To be clear, I have no direct knowledge of the security or configurations of the systems involved.
However, what follows is not a secret to U.S. hackers or adversaries. I would be shocked if those such as Russia, China, Iran and North Korea are not actively weaponizing the attacks that I describe.
It is the ignorance of such vulnerabilities that makes these attacks possible. The fact that retired admirals do not see these attacks as not just possibilities, but inevitabilities, is the greatest vulnerability to U.S. naval vessels. Most of these attacks have already been launched in other venues as I describe below.
First, it is important to understand that what potentially happened to the U.S.S. McCain was a denial of service attack. Such an attack renders a system unavailable. In the case of the U.S.S. McCain, the steering system became unavailable.
It was clearly tragic with 10 lives likely lost, and it happened during peacetime. Consider if it happened during a battle.
In such attacks, a hacker does not need to be connected directly to a network. It can be accomplished with malware, such as a computer virus.
Stuxnet, which crippled the Iranian nuclear development capabilities, is an example of how a virus, once having infected a network, can run autonomously.
Here are just a few ways I imagine our adversaries are actively trying to hack a U.S. naval vessel:
USB drives loaded with malicious software were used to spread the Stuxnet virus into an underground Iranian nuclear research facility. According to the documentary, Zero Days, Israeli operatives placed infected USB drives in areas that Iranian nuclear scientists would find them. Clearly, they were then carried into the facility, where curious scientists placed the drives into computers, causing the entire network to be infected. There is no reason that this cannot be accomplished by placing similar drives near U.S. naval vessels.
Infecting Diagnostic and Maintenance Equipment
Diagnostic equipment frequently has to be plugged into computers and complex systems to ensure they are working properly. This equipment can be infected and transfer malicious software onto operational systems. Clearly, ships must travel with equipment, but it is also likely that such equipment is maintained at naval bases throughout the world. It is unlikely that these maintenance and diagnostic devices are handled as securely as they should be in all places around the world.
Edward Snowden and Chelsea Manning are synonymous with the damage caused by malicious insiders. There were plenty of others before them, including the Walker spy ring, whose espionage efforts completely compromised U.S. naval operations. All of these people stole information, but they could have just as easily sabotaged systems by planting malware onto ship or intelligence networks, or actual computer hacking. It is also important to consider that we are not just talking about the hundreds or thousands of sailors permanently assigned to ships, but the tens of thousands of contractors and sailors who are stationed at ports throughout the world with potential access to ships and/or the equipment that maintains them.
Installing Networking Equipment to Provide Direct Access
Having been in hundreds of operations centers, it is rare that people know what every piece of equipment does or would detect a rogue device. In performing penetration tests, I have installed malicious networking equipment that provides access to supposedly closed networks. I either attach cellphones to the equipment so I can access the networks remotely, or I connect the closed network to a network with internet access.
Many naval vessels have internet access to help morale and for logistical purposes. It is theoretically possible to find junction points on ships where a cable can attach a closed network to an Internet connected network. Admittedly, it is technologically difficult to surreptitiously connect a network tap with transmitters that allow for remote access, but it is possible.
Infecting Equipment Before Delivery
It is widely reported that China and Russia hacked U.S. defense contractors. It is possible that they infected steering and other systems before they were installed. Likewise, naval vessels are updated and renovated, so there are regular opportunities to infect software, before it is loaded onto ship systems. Supply chain security is a major concern that involves the potential for equipment to be infected before delivery. A large portion of computer components and equipment is manufactured in southeast Asia and China, and there is the potential for infection by foreign adversaries.
The Equation Group, assumed to be the National Security Agency, reportedly intercepted equipment before delivery and installed malware on that equipment, before being received by foreign entities. This provided the Equation Group with the ability to steal information and potentially sabotage foreign systems remotely. The malware went undetected for more than a decade. It is likely that other nations have similar programs.
Methods to hack any computer system are only limited by the imagination of the attacker. I know of at least one case where female foreign operatives hung out at naval bases and tried to get sailors to sneak them on the ships with promises of sex. I am purposefully limiting my discussion to attack vectors that have been previously publicly disclosed, but there are many ways to attack closed systems on naval vessels. However, what is most important to understand is that just because a system is on a theoretically closed network, it does not mean that it is impossible to compromise. It is just harder to compromise.
All of the attacks described can be prevented or detected. However, this first requires acceptance that the attacks are possible. To make blanket statements that such attacks are not possible, is not just ignorant, it is outright dangerous.
In the end the greatest security vulnerability is a false sense of confidence.
Ira Winkler is president of Secure Mentem and can be contacted through the company’s website at http://www.securementem.com. He was previously with the National Security Agency. His latest book is Advanced Persistent Security (Syngress, 2017)