The Royal Navy has four submarines capable of launching the UK’s Nuclear Deterrent. It's believed some of them run Windows XP. Yeah... nuclear submarines... on XP.
First Published 2nd June 2017
Having difficulties with your sub? Just Control+Alt+Delete.
4 min read | Reflare Research Team
In recent weeks, focus in European media - both serious and sensationalistic - has repeatedly turned to whether the UK’s Trident class nuclear submarines might be vulnerable to a cyber attack. This focus was intense enough to warrant an official denial of the claims and reassurance of the submarines’ safety by UK defence secretary Michael Fallon.
Yesterday saw the release of a 38-page report by London-based think tank BASIC (British American Security Information Council) presenting their summary of the security situation.
In this briefing, we will have a look at both the report and other related pieces of information in an attempt to provide you with a more comprehensive picture and forecast.
Windows XP
The crux of the matter appears to be that Trident class nuclear submarines are rumoured to use the now out-of-support Windows XP operating system. We have discussed the difficulties faced by hardware-based organizations when trying to upgrade operating systems in a previous briefing.
Notoriously, Windows XP was initially not patched against the EternalBlue vulnerability, leading to the rapid spread of the WannaCry ransomware last month.
The defence secretary has stated that the submarines are not vulnerable to cyber attacks but has stopped short of denying that Windows XP is being used.
The report
The report published by BASIC yesterday lists a number of scenarios which could lead to Trident ships becoming inoperable or even end with them being taken over. It is important to note that while all of the attacks listed in the report are real, some of the listed steps will present significant challenges to even sophisticated attackers. For example, scenario 2 lists “Establish remote access to Northwood’s [The UK’s submarine command base] network” as a prerequisite.
While no network is immune to cyber attacks, establishing remote access to a high-priority military network is by itself a major breach worthy of a governmental panic.
Such a feat would make possible countless attacks, one against Trident nuclear submarines being among them.
Similar patterns can be found throughout the entire report. It is thus advisable to read it more as a “worst case scenario” than a likely prediction.
This is to be expected, however, as it is extremely unlikely that the authors have access to exact data or confidential information.
Summary
The actual strength of the UK’s submarines against cyber attacks is at this point unclear.
While lots of allegations and rumours exist, we currently see no hard evidence that Trident submarines are more or less vulnerable to cyber attacks than nuclear submarines of any other nation.
While the information in the reports appears to be factually accurate, some of the prerequisite steps require successful attacks against extremely well-hardened targets. This difficulty may be lost on casual readers.
Lastly, as with any source of information, understanding the motivation of the party publishing it can add context to an analysis. While the motivations of the various parties involved in the recent pressure on UK submarines are diverse, BASIC, for example, is an organization committed to nuclear disarmament rather than to cyber security.
We will monitor developments in this case and publish an update if hard data should become available.