UPDATED: MoD squashed concerns that legacy software in the Navy’s latest aircraft carrier leaves it open to cyber attacks
The Ministry of Defence (MoD) has refuted claims that the British Navy’s new aircraft carrier the HMS Queen Elizabeth is vulnerable to cyber attacks due to running legacy Windows XP.
The MoD noted that the £3.5 billion aircraft carrier, the most powerful ship ever built by the Navy, will not have Windows XP systems that could leave it open to cyber attacks that exploit outdated software.
“The MoD can confirm that Windows XP will not be used by any onboard system when the ship becomes operational, this also applies to HMS Prince of Wales,” it said.
“While we don’t comment on the specific systems used by our ships and submarines, we have absolute confidence in the security we have in place to keep the Royal Navy’s largest and most powerful ship safe and secure. We take cyber security extremely seriously and the UK has doubled its cyber investment to £1.9 billion.”
Sinking Windows XP
There was speculation that some of the ship’s systems could be susceptible to malware, given that Microsoft has stopped supporting Windows XP. Attacks could be in a similar vein to the WannaCry cyber attacks that have plagued systems across the world, though cyber security experts have told Silicon that the WannaCry ransomware caused more havoc with the more modern Windows 7 than with its predecessor.
However, the discovery of Windows XP systems in the Queen Elizabeth stems from contractors working on the ship using the old operating system for various tasks, but none that involve the direct running of the vessel. As such, when the ship enters operation it will not be reliant on Windows XP systems.
The Guardian reported that Mark Deller, commander air on HMS Queen Elizabeth, is confident in the ship’s ability to resist cyber attacks, particularly in comparison to the NHS which was hit heavily by WannaCry.
“The ship is well designed and there has been a very, very stringent procurement train that has ensured we are less susceptible to cyber than most. With regards to someone wanting to jam my radio frequencies, we will have an escort and destroyers around us that will ward off people who try and impact our output. That’s normal routine business at sea.”
“We are a very sanitised procurement train. I would say compared to the NHS buying computers off the shelf, I would think we are probably better than that. If you think more NASA and less NHS you are probably in the right place.”
Deller noted that the development cycle of ships is lengthy, so systems are bound to have older software in them, even if it is not the venerable Windows XP. However, he highlighted that the Queen Elizabeth has been built with plenty of scope to modify and upgrade its systems.
Dr Malcolm Murphy, technology director at network security firm Infoblox, noted that such situations are to be expected in machines that take years to create.
“This is a good example of a situation where it’s not necessarily feasible or practical to be running the absolute latest software or patches,” he said.
“The lifecycle of something like a warship isn’t going to be in sync with the rapid rate at which the IT industry discovers vulnerabilities and issues patches. We see the same challenges with embedded operating systems in medical devices, industrial plant and critical national infrastructure control systems, ATMs, and so on.
“The security implication is clear: you must have a robust defence-in-depth strategy which provides both protection against compromise, and the ability to indicate unusual or potentially malicious activity not just at a device level, but also at a network level.”
With cyber attacks becoming increasingly weaponised and aimed at diverse targets, time will tell how the HMS Queen Elizabeth will weather future cyber security storms.