Firewalling the Fleet
Navy calls for all hands on deck to battle cyber threats
For the U.S. Navy, cyber defense used to be the domain of experts who were rarely heard from, hidden away in the bowels of a ship or the basement of an office building.
“Not anymore,” Vice Adm. Ted N. Branch, deputy chief of Naval Operations for Information Dominance said in a Navy live blog. “If you log on to any Navy network, via desktop, laptop, smartphone, tablet, etc., you are in the cyber battlespace and are directly vulnerable to attack.”
“All hands” are needed to combat the cyber threat, Branch said, with the Navy on a new course, a program called CYBERSAFE. It's part of the Navy’s Task Force Cyber Awakening, an effort to bolster the branch’s defense against cyber threats.
“CYBERSAFE is just like damage control onboard your ship,” Branch wrote to sailors. “You must be prepared to do your part to make the ship more secure.”
Raytheon offers a number of cyber resiliency and hardening technologies, including its anti-hacking system Electronic Armor .
“No longer does the Navy just have to worry about traditional computer networks being attacked,. More importantly, it must protect machinery control, weapons and navigation systems,” said Brian Stites, Raytheon cyber hardening campaign program manager. “The challenge the Navy faces is that an attacker only needs a single vector—a single entry point—while the defenders have to protect everything.”
Batten down the cyber hatches
Stites cited a four-prong, end-to-end process for cyber hardening. The first step is a system assessment, in which a "red team" conducts a deliberate and holistic security assessment. The idea is to find all vulnerabilities; physical, hardware, software, system- or network-related.
The next step is to identify and prioritize risks. If a system has more than 100 vulnerabilities, for example, cyber defenders create a two-axis chart with the probability of exploitation and the severity of impact, ranking and prioritizing the risks as critical, severe or serious.
The third step is to apply system hardening and vulnerability mitigation techniques and tools, making the system more resilient to attack. At Raytheon, mitigation application is a highly collaborative process, where customized solutions for critical vulnerabilities are chosen as new technologies emerge. And to ensure the system is secure, they assess it again, putting it through its paces after hardening is complete.
"There are so many systems and attack vectors on a ship that a potential adversary could exploit," Stites said. "The consequences could be catastrophic. Just compromising the system has a devastating impact, because if the Navy can't trust the integrity of the data, they won't get under way, taking weeks and months to correct and validate the systems."
An attack doesn't even have to be sophisticated to keep sailors ashore, according to Stites. "“In the Internet of Things, stopping an aircraft carrier from shipping out may be as simple as hacking the company that delivers the food to the ship, or making sure the toilet paper isn’t delivered,” he said.
The same technology that can protect critical ship systems can also be applied to the Navy's fleet of unmanned, remotely piloted vehicles. At trade shows, Stites demonstrated Raytheon's cyber-hardening technology using a pair of commercially available quadcopters infected with malware. The one protected by Raytheon stayed aloft while the other crashed.
"When we're on watch," Stites said, "nothing gets by us."