This story has been updated from a previous post to amend comments made by Naval Sea Systems commander, Vice Adm. William Hilarides, based on new information provided to USNI News in an interview subsequent to this posting. The revised information can be found in brackets behind the original text.
The head of Naval Sea Systems Command (NAVSEA) warned that the U.S. Navy will have to
ramp up its cyber-security efforts to secure the controls systems of its submarines.
“It is the threat to our control systems,” Vice Adm. William Hilarides, commander of NAVSEA, told an audience at the Naval Submarine League Symposium in Falls Church, Va. on Wednesday.
“We’re just now starting to hear the inklings of it.”
There are little noticed cyber vulnerabilities on nuclear attack submarines like the Virginia-class boats that are slowly becoming the mainstay of the Navy’s undersea fleet, Hilarides said. One example of that is the Virginia-class boat’s backup Caterpillar-built diesel engine, he said.
Specifically, the problem is a computer chip that helps control that engine—a chip that runs on Microsoft Windows XP, Hilarides said.
That chip is connected into the rest of the vessel so that the data can be displayed in other parts of the submarine, he said. That means that chip is connected to the submarines machinery control system.
[In a November interview, Hilarides said he was wrong in his understanding of the security threat to Caterpillar’s backup diesel control systems.
“I should not have used that company’s name and pointed that there was a specific weakness in our system. As it turns out, Caterpillar has some of the most secure control systems on the planet,” he told USNI News].
But it goes beyond that, Hilarides said, the data from the chip sent off board the submarine to maintenance crews at a warfare center. The problem is that the data is automatically shared via an unclassified network, Hilarides said, which renders that chip on the diesel engine as a point of vulnerability for the multi-billion dollar warship. A hacker could attack that network and gain access to the submarine’s systems and cause chaos.
Hilarides pointed out that while crashing a submarine or warship’s information technology systems can be a nuisance, attacking critical systems like a ship’s gas turbines or a nuclear reactor could have catastrophic results.
The Navy can do a few things quickly to provide “reasonable security” to those sorts of systems, but ultimately ships and submarines need to be built with cyber-security in mind right from the outset, Hilarides said. “We’ve opened a new era of warfare and it ain’t going back in the tube,” he said. “We’re got some work to do.”