Analysis: there is both Means and Motive for Cyber Attacks on Navy Vessels

In-brief: could cyber attacks have played a role in recent collisions between US Navy vessels and commercial ships? The short answer is yes. Regardless of what caused the most recent incidents, both the means and the motive exist to launch such attacks in the future.

A collision between a Liberian oil tanker Alnic NC and the USS John McCain over the weekend is the fourth collision involving a vessel in the U.S. Navy’s 7th Fleet since January. This is a tragedy that, according to published reports, resulted in extensive damage to the ship and left five sailors injured and 10 unaccounted for.

Much is still not known about this incident or its causes, but the coincidence of so many collisions in the same geographic area (the Pacific Theater) in such a short period of time has generated speculation that something other than sailor error may be at play. The U.S. Navy has called for a review of the recent incidents, with cyber attacks on the Navy’s ship board navigation and directional systems one possible avenue of investigation. But are such attacks possible and are there adversaries with the motive and means to carry them out? In short: yes. Let’s review the latest incident and some recent history.

Recent, suspicious incidents

According to official statements from the U.S. Navy’s 7th Fleet, the guided-missile destroyer USS John S. McCain collided with the oil tanker Alnic MC east of the Straits of Malacca and Singapore on Aug. 21. at around 6:24 AM Japan Standard Time. The collision caused significant damage to the port side hull, leaving a gash measured at 6 meters (~18 feet) and flooding nearby compartments, including crew berthing, machinery, and communications rooms. Damage control efforts by the crew halted further flooding of the ship, which made its way to Changi Naval Base in Republic of Singapore under its own power. But 10 sailors are unaccounted for and five more are injured following the collision. Four of the five injured sailors were medically evacuated by a Singapore Armed Forces helicopter to a hospital in Singapore for what are described as non-life threatening injuries.

The USS McCain in port in Singapore following its collision. It is the 4th vessel from the US 7th Fleet to experience a collision since January. (Image courtesy of US Navy)

The straight of Malacca is narrow, busy and dangerous making crew error, a systems failure or both the most likely culprit in the incident. However, CNN reports that the McCain may have temporarily lost steering shortly before the incident, quoting an unnamed US Navy official who said that the steering on the vessel had since been restored. And US officials and the Navy are indicating that they aren’t jumping to any conclusions. Defense Secretary James Mattis said that he supports the decision by Adm. John Richardson, chief of naval operations, to do a one day “operational pause” and conduct a “comprehensive review” of recent US Navy collisions. The aim will be “to determine any of the causal factors, to determine what’s going on — both immediate contributors to this incident but also any related factors,” Richardson said in a video statement on Facebook. Operational tempo, trends in personnel, material, and equipment will be part of the review, as well as training.

The McCain-Alnic collision follows another deadly and damaging collision involving the container ship ACX Crystal and the USS Fitzgerald in June. A Navy investigation of that accident found evidence that crew error on the Fitzgerald was the likely cause of the incident. And in February, the USS Antietam, a guided-missile cruiser, damaged its propellers and spilled hydraulic oil into the water after running aground off the coast of Japan as the ship was anchoring in Tokyo Bay near Yokosuka, Japan. That incident did not result in any injuries to US or Japanese personnel, but the discharge of up to 1,100 gallons of hydraulic oil prompted environmental concerns. All three ships operate out of the same base in Yokosuka, Japan.

Attacks in theory and in the wild

So far, the incidents affecting the 7th Fleet appear to be the result of human error. But would it be possible for a cyber attack to confuse seamen on naval or merchant vessels, deny them access to critical systems in a moment of crisis or lull them into a sense of complacency even as disaster looms? There is a long history of research and warnings – anecdotal and otherwise – that suggest that the answer to those question is “yes.”

Security researchers have delved into a wide range software and hardware used in the maritime industry and found evidence of lax security practices. For example, in 2013, a researcher at the University of Texas successfully “spoofed” an $80 million private yacht using a GPS spoofing device to send misleading information to crew about the boat’s position and movements in the water. The purpose of the experiment was to measure the difficulty of carrying out a spoofing attack at sea and to determine how easily sensors in the ship’s command room could identify the threat.

That’s been followed in recent months by what is believed to be the first “in the wild” GPS spoofing attack. The U.S. Maritime Administration has issued a safety alert about an incident in the Black Sea described as “GPS interference” but elsewhere as “an apparent mass and blatant, GPS spoofing attack involving over 20 vessels.” GPS was displaying the vessels as located more than 25 nautical miles from their actual location, but crew could find no problem with the operation of the GPS devices. The US Maritime Administration advised ships to “exercise caution when transiting this area.”

Beyond the obvious attacks like spoofing GPS, researchers have shown how to spoof AIS – the Automatic Identification System- technology that is installed on hundreds of thousands of ships globally and that is used for everything from ship-to-ship and ship to port communication to collision avoidance. Researchers at the 2014 Black Hat Briefings demonstrated how AIS spoofing and hijacking could be used to generate false alarms, or delay actual alerting. The technology, which was designed with pre-Internet security in mind, is insecure both in how it is implemented and in the design of the underlying protocol, researchers concluded. Beyond that, the firm IOActive in 2015 published research that revealed a wide range of flaws in ship Voyage Data Recorders (or VDRs), which are critical to recreating the circumstances that led to accidents.

Even without spoofing, the software used on board could be attacked directly using malicious software. War ships – even brand new ones – commonly run applications on top of old and unsupported operating systems like Microsoft Windows NT and XP. There have been reports about serious security flaws in the software used to operate naval vessels. Notably: this 2013 report notes the findings of a red team assessment of the US Navy’s USS Freedom, one of a new line of Littoral Combat Ships that found “major deficiencies” last year in the computer security on the Lockheed Martin Corp.-built vessel.

Again: the incidents so far have been chalked up to sailor error. That’s the most likely explanation and that may be the case here again with the McCain. However, it is certainly possible to imagine a scenario in which sailors “err” by believing what their navigation tools like GPS and AIS are telling them on the bridge about where they are in three dimensional space and what is around them. In the case of the proof of concept GPS attack, the UT researchers were able to steer the ship in a circle while the GPS told those on the bridge that the vessel was travelling in a straight line. The sailors bodies and the wake of the ship directly contradicted that data, proving the point, but more subtle manipulations of a ship’s course could likely go unnoticed until it was too late. And that might explain the strange lack of “situational awareness” that was blamed for the Fitzgerald crash.

Motives? You betcha!

Of course, as we’ve noted before: the means to conduct cyber attacks is all well and good. But to know whether a particular cyber attack might happen (or whether a particular incident might indeed have been the result of a cyber attack) you also have to consider a motive. In other words: who or what would have an interest in conducting such an attack and do they have the ability to pull it off, using one of the methods we’ve identified? We talked about this in our interview with industrial control system expert Joe Weiss, who has observed of the US electric grid that the means to shut down large parts of the grid via cyber attack surely exist, and would-be attackers are easy to identify. What’s lacking (at least for now) Weiss said, is a motive to turn out the lights.

So is there a motive to use cyber attacks to disable or sink US naval vessels operating in and around the South China Sea? The answer to both those questions is undoubtedly “yes.” Let’s consider a couple of scenarios.

North Korea wants to degrade the US Navy’s ability to shoot down ballistic missiles

It’s worth noting that all of the ships involved in collisions or other unusual events since January have been equipped with the U.S. Aegis Anti Ballistic Missile system. These are ship-based weapons that can be used to intercept short and medium range ballistic missiles. With tensions on the Korean Peninsula at an all time high, and the DPRK conducting tests of both short and long-range missiles, a stealth effort to degrade the ability to shoot down a North Korean missile test makes a lot of sense. So far, collisions have disabled 2 of 8 destroyers in the Destroyer Squadron that the McCain and Fitzgerald belong to.

China wants to send a message

China is of course the 10,000 pound elephant in the South China Sea. It has a growing military, growing aspirations to be a global power and an intense interest in its territorial claims to the South China Sea. In fact, China earlier this month complained specifically about the USS McCain’s patrol near Mischief Reef — an artificial island built by China. Using cyber attacks to strike out at the U.S.’s continued incursions into what China considers its sovereign territory could be one way of sending a message that Beijing isn’t to be trifled with.

An invisible hand

Of course, this could all come down to a lack of training or military discipline, or an over reliance on technology and the softening of traditional sailoring skills that rely on “eyes, ears and tongue.” Many of the blogs followed by those in the maritime industry think that’s likely the cause behind this spate of incidents: a breakdown in order, rather than something more nefarious. But given the intimate role that technology plays in sailoring both in the military and on merchant vessels, it is critical that investigations consider whether bad information or other technology failure (i.e. denials of service) contributed to these incidents. Blaming sailors for a lack of situational awareness only goes so far if the instruments that provide them with that situational awareness are lying to them.

Consequences?

The biggest consideration of all is what the consequences of such an action would be. Clearly, if the US Military is able to find evidence that cyber attacks played a part in either incident, such lethal, cyber-kinetic attacks would be acts of war. That’s more than enough to scare away rational actors – but perhaps not enough to dissuade irrational actors looking for a way to gain an upper hand. In my opinion, the likelihood of severe consequences for whomever gets caught launching such an attack. Still, as with all cyber attacks, plausible deniability is part of the package: the difficulty of proving beyond a doubt who or what was behind an attack makes retaliation more challenging.

One Comment

  1. Pingback: Félrevezetnek? | Kerékfy Pál

Security Ledger wants to hear your thoughts! Leave a reply.