Proposing innovative solutions to a problem which will require even more solutions is not a good way to go

– After the ship has sunk, everyone knows how she might have been saved. – Italian proverb

In an earlier blog I wrote about the importance of answering the key questions in developing a strategy to secure a critical asset (1). I could see the consequences of not taking the time to fully comprehend these questions during “The Innovative Energy Solutions for Military Application” (IESMA 2016) conference in Vilnius this past week. (2) This was a unique event for policy makers and industry to discuss ways to apply new technologies to support the energy requirements for the military. Much was demonstrated and said about the innovative ways technology is now being applied to improve energy efficiency, environmental safety, and provision of alternative clean and green energy for military operations. However missing from the agenda and in most of the panel (3)/audience discussions was an awareness of the need to address the new, perhaps not immediately visible, vulnerabilities being introduced together with the application of the new technology. The IT world has long been aware of the dark side that coexists with all the wonderful things the advances in information and communications technologies have provided. The hijacking of innocent “Internet of Things” (IOT) video devices for example has recently been used to great effect in highly effective DDOS attacks on the Internet (4).

This conference which showcased the application of these same technologies seemed to be unaware of this dark side. As the conference progressed I was finally provoked into standing up and contributing to the Q & A after the presentations made by the panel on “Innovative Energy Solutions for the Military: NAVY Domain”. During the panel session I was impressed by the slides of warships presented by speakers representing the U.S. DoD, Italian Navy, Greek Navy, Portuguese Navy, BAE Systems Corp. and US Navy. What impressed me was how much the pictures of the warships differed from the outside and the inside. From the outside the ships looked like flat panels connected together, exhibited very little detail and were kind of boring to look at. However the pictures of the interiors of these ships showed that they were full of all kinds of control equipment monitored by sailors sitting in front of a workstation and viewing data about ship operations as they appeared on a viewing screen.

Wonder what the sailor working at the control station would do if his screen went dark.  Would he find the valve he was monitoring the minute before below deck if he had to operate it manually?
Wonder what the sailor working at the control station would do if his screen went dark. Would he find the valve he was monitoring the minute before below deck if he had to operate it manually?

In short these ships were crammed full of IT equipment being used to remotely monitor and control critical functions of a warship that included environmental, fueling, propulsion, navigation and weapons control systems. Sailors were manning the control screens rather than hauling in lines and swabbing decks. Impressive application of new technology yet nowhere was there any mention of possible threats to the operation of these critical systems. (Wonder what the sailors would do and where they would go if those screens were suddenly to go dark. Could they find the valves down below which they were remotely monitoring and controlling the moment before?)

 All this naval fighting power can be stopped dead in the water if the propulsion software has a but.  "If there is a weakness in the boat, the sea will find it eventually"

All this naval fighting power can be stopped dead in the water if the propulsion software has a bug. “If there is a weakness in the boat, the sea will find it eventually”

I raised my hand in the Q and A and asked the panel if they had heard of the newly commissioned USS Milwaukee that had to be towed back to home port after a software glitch led to severe damage in the ships propulsion system (5). Did they also hear that its sister ship was also in home port unable to go out to sea until a software upgrade was installed to correct the problem that occurred on the USS Milwaukee? In terms of applying new hi-tech innovations what’s the good of building a state of the art ship that meets all the standards for fuel efficiency, environmental safety and quality if it risks being towed in for a software update by a diesel boat burning high sulphur diesel fuel? For that matter when standards were mentioned why was it that only ISO 9000 (6)/14000(7) were mentioned and not ISA/IEC 62443(8) which specifically addresses the security of the control systems on these new ships? Members of the panel were quick to reply that that they were aware of these things but there were also many safeguards and redundant systems on the ships. I was allowed to respond to this and pointed out that it does not matter how many redundant systems ships may have. If a well-resourced and capable cyber intruder has penetrated your heavily IT dependent engineering systems he can do whatever he wants on your ships systems. Should this not be a concern for ship’s captains and should this not be an issue that merits discussion at a conference where policy makers and industry meet? It seems the point was well taken and I hope in the next IESMA conference a separate panel will be added that will specifically cover the cybersecurity of control systems used by the military.

The conference also featured an exhibition by manufacturers offering their particular energy innovation solutions for the military. I did an unofficial survey in my head and made a point of asking these manufacturer representatives whether any of their customers ever asked them about the security of their products? Most answered no but would be prepared to respond if the customer asked. I also asked them whether they gave the customer some guidance on security when they delivered their product. For example do they say something about the use of Blue-Tooth or Wi-Fi connectivity? That is advising the customer that if there are no plans to use the Bluetooth capability on the device the customer should consider disabling it. Answer to this question was also generally no. I also tried to survey the policy makers from the opposite end. I asked whether they spoke to their manufacturers about cybersecurity of the products being sold to them. The responses were vague. Basically saying cybersecurity was a concern and that this was a difficult area to discuss because it is a relatively new issue and somewhat technical. What I was reading was a serious awareness gap and good excuse to do nothing. Each side could say that no issue regarding cybersecurity has come up to act as a basis for any design or implementation changes.

Don't think many at this conference took the time to consider how much vulnerable technology exists behind the faceplates of the devices they use to control critical systems.  The user manuals have warnings about physical threats but it is hard to find a mention of any cyber threats to this device that offers "remote connectivity".
Don’t think many at this conference took the time to consider how much vulnerable technology exists behind the faceplates of the devices they use to control critical systems. The user manuals have warnings about physical threats but it is hard to find a mention of any cyber threats to this device that offers “remote connectivity”.

Implementation of innovations that contribute to growing system complexity and lack of security awareness can be a bad combination. It is even worse when the manufacturers of new products place more emphasis on providing new and increasingly more attractive technological features in terms of increased capabilities and cost savings than on addressing the vulnerabilities that are also introduced. Who is responsible for dealing with the security issues? This lack of awareness and communication about security issues by both manufacturer and customer may allow for significant vulnerabilities to go unnoticed and only bolted on later after being exposed during an incident or failure. Not a good thing if neither the manufacturer nor the buyer feel any responsibility for insuring the security of the products and services being supplied to troops being put in harm’s way. If such a “if we really need it, we will patch or bolt it [security] on later” mentality is allowed to dominate without a challenge this can lead to grave consequences.

Over 400 participants attended IESMA 2016 Conference representing NATO and the militaries of member states, academia, and industry. It is perplexing to consider that many of the militaries represented consider cyberspace to be a domain for military operations. Why then is it so hard to make the connection between cyber threats and the security of the control systems found in the equipment they use? Why is it hard to think of them as a legitimate military target for a cyber-attack? A method of attack that is far cheaper than sending over a bomber to bomb a military target, can be just as effective in neutralizing it (turning a flag ship into a sitting duck with an inoperative propulsion system), and deniable. Let us hope that such “cognitive dissonance” on the part of some policy makers and industry representatives will soon be replaced by realistic answers to the questions on what needs to be protected, from what cyber threats and how.

References:

1. See elsewhere in this blog: http://scadamag.infracritical.com/index.php/2016/11/11/towards-a-cyber-safe-critical-infrastructure-importance-of-answering-the-3-questions/

2. Program and speaker-topic list can be found here: https://www.iesma.info/conference

3. With one notable exception. The presentation made by US Pacific Command did have one slide with one text box with the words „cybersecurity“ and „industrial control systems“ in it.

4. Bruce Schneir, Lessons From the Dyn DDoS Attack, November 1, 2016 https://securityintelligence.com/lessons-from-the-dyn-ddos-attack/

5. https://news.usni.org/2016/03/22/lockheed-martin-software-fix-for-uss-milwaukee-control-system-weeks-away

6. ISO 9000 http://www.iso.org/iso/iso_9000 . Interesting to note that ISO 9000 was often mentioned but an even more specific quality standard ( ISO/TS 29001:2010 ) Standard for oil and gas was not.

7. ISO 14000 http://www.iso.org/iso/iso14000

8. https://www.isa.org/isa99/

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and member of ISA 99 Workgroup 14 on security profiles for substations.