HMS Queen Elizabeth, the Navy’s latest aircraft carrier, has launched with systems running Windows XP, potentially opening up the vessel to cyber attacks aimed at legacy software.

According to The Guardian, during a tour of the ship systems running Windows XP were spotted on the £3.5 billion aircraft carrier, the most powerful ship ever built by the British Navy.

As such, there is potential for some of the ship’s systems to be potentially susceptible to malware given Microsoft has stopped supporting Windows XP. Attacks could be in the similar vein to the WannaCry cyber attacks that have plagues systems across the world; though cyber security experts have told Silicon that the WannaCry ransomware caused more havoc with the more modern Windows 7 as opposed to its predecessor.

Shipping hell

The Guardian reported that Mark Deller, commander air on HMS Queen Elizabeth, is confident in the ship’s ability to resist cyber attacks, particularly in comparison to the NHS which was hit heavily by WannaCry.

“The ship is well designed and there has been a very, very stringent procurement train that has ensured we are less susceptible to cyber than most. With regards to someone wanting to jam my radio frequencies, we will have an escort and destroyers around us that will ward off people who try and impact our output. That’s normal routine business at sea.”

“We are a very sanitised procurement train. I would say compared to the NHS buying computers off the shelf, I would think we are probably better than that. If you think more NASA and less NHS you are probably in the right place.”

Deller noted that the development cycle of ships is lengthy, so systems are bound to have older software in them. However, he highlighted that the Queen Elizabeth has been built with plenty of scope to modify and upgrade its systems.

Dr Malcolm Murphy, technology director at network security firm Infoblox, noted that such situations are to be expected in machines that take years to create.

“This is a good example of a situation where it’s not necessarily feasible or practical to be running the absolute latest software or patches,” he said.

“The lifecycle of something like a warship isn’t going to be in sync with the rapid rate at which the IT industry discovers vulnerabilities and issues patches. We see the same challenges with embedded operating systems in medical devices, industrial plant and critical national infrastructure control systems, ATMs, and so on.

“The security implication is clear: you must have a robust defence-in-depth strategy which provides both protection against compromise, and the ability to indicate unusual or potentially malicious activity not just at a device level, but also at a network level.”

With cyber attacks becoming increasingly weaponised and aimed at diverse targets, time will tell how the HMS Queen Elizabeth will weather future cyber security storms.

