A rusty deterrent? Trident to get upgrade from BAE

The Ministry of Defence is to bolster the cyber-security systems of its HMS Vanguard fleet of nuclear submarines otherwise known as Trident.

The final trigger used to launch a nuclear missile launch - Photo: Danny Lawson/PA
The final trigger used to launch a nuclear missile launch - Photo: Danny Lawson/PA

As fears grow of cyber-attacks from other nation states and terrorist forces, the UK's nuclear deterrent programme is set to get an upgrade from BAE Systems. The investment comes as part of George Osborne's £1.9 billion cyber-investment plan announced in November last year which includes a £165 million Defence and Cyber Innovation Fund.

According to The Times, security software which currently defends the HMS Vanguard fleet from hostile actors will be strengthened and brought up-to-date.

The Trident Nuclear Programme, which manages the Royal Navy's Vanguard class submarine fleet, missiles and warheads pre-dates the internet. It was a time when the home computer was still a relatively new concept, cloud computing, iDevices and GPS systems were not yet invented. The government announced it would replace its predecessor, Polaris, in 1980. The release of the first of the Vanguard-class submarines came in 1993.

Around the time George Osborne pledged the aforementioned cyber-fund in November 2015, Lord Browne of Ladyton, the former Labour defence secretary said that Trident is vulnerable to cyber-attacks. Speaking to The Guardian, he encouraged  “end-to-end” assessment of the nuclear programme to ensure the Vanguard-class submarines, which were first brought into action in 1993, were brought up to date with today's threats.

According to CrowdStrike's latest Global Threat Report, January 2015 saw three exploit documents leveraging identical shellcode to that which was identified in the attacks against the networks of Korea Hydro & Nuclear Power Co. Ltd (KHNP) by suspected DPRK actors in late 2014.

The first of the exploit documents dropped a destructive Master Boot Record (MBR) wiping malware that matched the malware found at KHNP. However, the two other exploit documents dropped a Remote Access Tool (RAT) and a keylogger. Analysis of the RAT—known as Milmanbag—revealed notable similarities to an espionage campaign identified in 2013 against RoK entities known publicly as “Kimsuky”.

While the infection vector remains unconfirmed, it is believed to be delivered via spear phishing, as some instances of the malware are known to have been spread through exploit documents targeting the Hangul Word Processor (HWP) software.

It is threats like this which are presumably the reason why BAE Systems is to “conduct reviews and manage processes and policies for safety and cyber security”, according to the contract document.

BAE Systems which helps maintain Britain's nuclear programme on behalf of the US Navy, is going to maintain the missiles onboard the submarine which are built by US defence contractor Lockheed Martin.

Colin Cassidy, security consultant for IOActive spoke to SCMagazineUK.com and said that, "It's a step in the right direction for the UK Government to protect it's nuclear weapons against cyber attacks. However, it shouldn't stop with just this - it needs to be looking at defending its critical infrastructure against cyber-attack as well. 

Back in 2010  the UK government said that cyber security was one of its "top 5", and it got only £650 million spent over 4 years. So that's £2 bn over 5 years vs. £650 million over 4 years."

Cassidy went on to explain that, "more needs to be spent on that too as it does seem as though it is defending its means to deter, rather than defending its means to be. I don't believe that the UK Government should be more Trigger happy, nor should we be dismantling Trident! However, I think it leads to a broader question, does the cost of cyber-securing our military cost more than cyber-securing our nation? If so, why is this the case? We are securing critical infrastructure, but this, perhaps, shows what the UK government is prioritising. The recent Ukraine power plant hack is a great example of how important it is to protect national critical infrastructure." 

John Daniels, spokesperson for the US Navy's nuclear deterrent programme, told Bloomberg this week that, “now that cyber has become even more important in our national security, there will be even more requirements” for anti-hacker defence systems, Daniels said. “In our modern era, cyber-security threats are a legitimate concern.”

A Ministry of Defence spokesman said on Wednesday: "The deterrent remains safe and secure. We take our responsibility to maintain a credible nuclear deterrent extremely seriously and continually assess the security of the whole deterrent programme and its operational effectiveness, including against threats from cyber."

Tony Dyhouse, knowledge transfer director at the Trustworthy Software Initiative spoke with SC and said that, “It's important to realise that the security of any given system degrades with time, due to the discovery of new vulnerabilities and exploits in any given period.”

“Further, where actual 'legacy' software exists as part of any system, support may be discontinued by the vendor. Further, the environment changes - for example, some years ago GPS was almost entirely the preserve of the military, and then there was the infamous deliberate inaccuracy (wobbly factor) introduced to prevent non military organisations from achieving pinpoint accuracy, but the ongoing use of GPS in the civilian world has opened up the system.”

“So it is difficult to claim any system is 'safe and secure' as it's a living environment which can change rapidly. Security a system is a life-cycle challenge - not a fit and forget. It's more important to say that there is an ongoing programme attentive to securing the system against newly-arising threats.”

“Cyber-attack offers a nation (or indeed a terrorist group) an opportunity to 'choose' from a wide range of impacts with a very low risk exposure, hence anyone should the the threats seriously. As anyone who might see to exploit such attacks is already highly aware of the capability, it doesn't really help not to discuss it in my view. The genie (is) out of the bottle!”

Sign up to our newsletters