HMCS Halifax 2019

Cyber defence – How vulnerable is the Canadian Navy?

CNR Fan, 12 December 2020.

Cyber-attacks are all over the news [1][2]. Besides individuals and enterprises [3][4], hackers are now probing the security of government servers and industry [5][6]. Over 10 years ago, the notorious STUXNET malware targeted supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran [7]. Modern state-sponsored cyber threat actors are even more dangerous [8].

Is the Canadian Navy vulnerable, and to what extent?

For example, each Halifax-class frigate is equipped with the Combat Management System (CMS 330) from Lockheed Martin Canada [9] and the Integrated Platform Management System (IPMS) from L-3 MAPPS [10]. These highly computerized systems were delivered as part of the Halifax Class Modernization (HCM/FELEX) program [11][12].

I found an interesting publication which describes cybersecurity issues experienced by the USN. Considering the choice of Combat Systems integrator for CSC and the widely advertised cyber defence onboard JSS, the topic seems very relevant.

Senate Armed Services Committee on Cybersecurity Cyber Posture. Extracts from Vice Admiral Michael M. Gilday's speech on 13 March 2018. Link https://www.armed-services.senate.gov/hearings/18-03-13-cyber-posture-of-the-services

[...] the United States is threatened by cyber-attacks every day; the threat to U.S. Navy is certainly no different. Our ability to control our forces relies upon cyberspace. Virtually every operation aboard a Navy ship - navigation, engineering, communications and weapons employment - rests on the secure and reliable transfer of and confidence in our data. Operating in the maritime environment does not shield us from the threats inside of the cyberspace domain, and our competitors know about this. [...]

We are in an unprecedented age of exponentially accelerating technology and a convergence of technologies that bring dynamic and innovative capabilities. The technological race is on for Artificial Intelligence, Machine Learning and Quantum Computing as the world's most powerful militaries strive to become the leader in these areas. [...]

C2 USN

[...] U.S. Fleet Cyber Command / U.S. TENTH Fleet [...] is responsible for operating and securing Navy Enterprise networks, defending all Navy networks, operating our global telecommunications architecture, and providing cryptology, signals intelligence (SIGINT), cyberspace, and space warfighting capabilities [...].

[...] The Navy, like other DoD and government entities, faces enormous challenges in cyberspace. Foreign governments and non-state actors use cyberspace operations as an integral part of their national and military strategies. Adversaries take advantage of publicly available cyber tools so nefarious actors can quickly identify vulnerabilities in software and hardware to exploit high priority targets. [...] [For example,] in June 2017, numerous commercial ships transiting coastal waters in the Black Sea reported having their GPS system "spoofed", so that their locations were reported inside Russian territorial waters, as opposed to being in international waters. [...]

GPS spoofed

[...] we operate in an increasingly contested cyber environment where information is the fuel of decision making and protecting that information [...] is critical to successful maritime operations. Loss of this information, or lack of confidence in the veracity of the information we see [...] degrades our confidence and effectiveness of our C2 [Command and Control]. [...] Simply put, any system with embedded information technology or networking capability is a target for an adversary. [...] Designing, developing, testing and fielding systems resilient to cyber exploitations is a key [to adequately protect and assure our Fleet networks].

[...] The attack surface grows larger with aging operating systems and when security patches to known vulnerabilities cannot be rapidly deployed across our networks, systems, and applications. [...] the Navy is reducing the attack surface with significant investments and consolidation of our ashore and afloat networks with modernization upgrades. [...] Most importantly, we are integrating ways to better understand operational cybersecurity risk and defensive posture throughout an information system's life cycle.

[...] Often times, people are viewed as the largest vulnerability [...] - by the same logic, our people, each and every person touching a keyboard, can make the network stronger. We believe a Navy cyber defense is an all hands effort like damage control on a ship. Our entire Navy needs [cyber awareness] training [...] [Also] systems and operational commands identified enhanced users who require specialized cybersecurity training based on the roles they perform. [...] An example of an operational enhanced user would be selected shipboard technicians trained to recognize cyber threats to their operational technology / industrial control systems [OT / ICS - SCADA] and recover them from attacks [...]

[...] many of our challenges are not unique to .mil domain and are shared by commercial industry. We fend off the same cast of adversaries, who are using the same tactics, techniques and procedures [TTPs] within .edu, .gov and .com domains. [...] In the future, we see industry advances in the fields of Artificial Intelligence (AI) and machine learning will allow us to continually improve the tools we employ on our networks to enable a more predictive and automated cyber defense [...] 

[...] The opening rounds of the next conflict will likely be in cyberspace - the Navy must be ready to prevent wars as well as to win them. Therefore, we will conduct operations in and through cyberspace, the electromagnetic spectrum and space to ensure Navy and Joint / Coalition freedom of action and decision superiority while denying the same to our adversaries. [...]

Read the full report at https://www.armed-services.senate.gov/imo/media/doc/Gilday_03-13-18.pdf

References:

  1. CBC News https://www.cbc.ca/news/canada/british-columbia/sfu-ransomware-attack-1.5732027
  2. Imprudence led to alleged intelligence center security breach https://www.theglobeandmail.com/news/national/military-investigating-alleged-security-breach-at-intelligence-centre/article28017495/
  3. CSEC https://cyber.gc.ca/en/information-guidance
  4. RCMP https://www.rcmp-grc.gc.ca/en/cybercrime-an-overview-incidents-and-issues-canada
  5. CRA https://www.welivesecurity.com/2020/08/24/cyber-attacks-canada-revenue-agency-government/
  6. Media reports https://www.trendmicro.com/vinfo/fr/security/news/cyber-attacks/german-steel-plant-suffers-significant-damage-from-targeted-attack
  7. https://en.wikipedia.org/wiki/Stuxnet ; "W32.Stuxnet Dossier" (PDF). Symantec. November 2010. https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
  8. In its 2020 National Cyber Threat Assessment, the Canadian Centre for Cyber Security within CSEC warns that state-sponsored cyber activity is the most sophisticated and [threat] actors are “very likely” attempting to develop capabilities to disrupt Canadian critical infrastructure. https://cyber.gc.ca/sites/default/files/publications/ncta-2020-e-web.pdf
  9. LMC https://www.lockheedmartin.com/en-ca
  10. L3 https://www.naval-technology.com/contractors/consoles/l-3-mapps2/
  11. CMS 330 https://www.lockheedmartin.com/content/dam/lockheed-martin/canada/documents/CMS330_Handout.pdf
  12. IPMS https://ottawacitizen.com/news/national/defence-watch/l-3-to-supply-platform-management-system-to-halifax-class-frigates
