UK and US nuclear weapons systems - along with the rest of our critical infrastructure - suffer from dependency on legacy systems, leaving them at risk of cyber attack, according to a report. Cybersecurity of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences was written by Beyza Unal, a research fellow at London-based Chatham House who also conducted strategic analysis at Nato, and Patricia Lewis, research director of the international security department at Chatham House.
The key issues identified were failure to keep up with fast-moving advances, lack of skilled staff and the slowness of institutional change. The report also identified the need to use the private sector, which increases risk as a result, with this supply chain described as “relatively ungoverned space”.
Azeem Aleem, director Advanced Cyber Defence Practice EMEA & APJ Region at RSA Security, contacted SC Media UK to comment: “Our critical infrastructure is just that, critical. Protecting it is a matter of national security. Yet critical infrastructure companies are often dependent on legacy infrastructures with complex dependencies, and little visibility. Take the recent wave of WannaCry and Petya attacks; the industry was quick to cry ‘patch’, but actually that isn't always possible, as patching systems without proper testing could actually cause more damage.
“My advice would be to face these challenges head on and the only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualising results with business context in order to prioritise events.”
Javvad Malik, security advocate at AlienVault, adds: “There are many risks with connecting legacy systems; we've seen in the past years an increase in the attempts to attack critical national infrastructure such as electricity. Going after connected weaponry is the next step, be it for espionage purposes, or something more sinister. Owing to the legacy infrastructure, rapid patches or constant monitoring are not always feasible; therefore, it is in the best interests to keep such systems as segregated as possible to minimise the risk of external actors being able to access.”
In an email to SC Media UK, Tim Erlin, VP at Tripwire, explained: “One of the most difficult concepts for people outside of cyber-security to understand is that deployed systems can become vulnerable even if they were securely deployed and you've made zero changes to them. The threat environment evolves regardless of how you manage your environment. The reality of the evolving threat environment is that change is required to maintain security, and this can be a difficult concept for organisations built around protecting themselves from change.
“Military nuclear facilities should ensure they're performing regular threat assessments that include the potential for cyberattacks. Defense is a continuous process, not a point in time configuration.
“This report is another piece of evidence that these concerns are real, and it follows years of very real activity in the energy sector and a documented rise in nation-state attackers.”