Exploited: The Cyber Truth,  a podcast by RunSafe Security. 

[Paul] Welcome back to  Exploited: The Cyber Truth.  I am Paul Ducklin and today we have a fascinating topic which is “From Seafloor to Stratosphere: Protecting Networked Maritime Defense Systems.  Now we’re joined as usual by CEO and founder of RunSafe Security, Joe Saunders. 

[Paul] Hello, Joe.

[Joe] Hello, Paul. 

[Joe] And we have a fascinating second guest this week, namely Sparky Braun from  Ocean Aero. And I think Sparky, the  easiest way for us to learn about you and what your company does is just to point you in the right direction and say right now, tell us all about it. 

[Sparky] Well, thanks, Paul. Thanks, Joe. I’m happy to be here. I’m happy to talk about the topic at hand and Ocean Aero’s piece in that. I will start by saying that I told my wife and my kids, I was going to be on a podcast, you know, ask for a little advice from my wife. And she said, it’s good to kind of warm things up, especially if it’s a topic that’s technical. Maybe you can loosen people up with a joke. 

[Sparky] So, uh, there’s an old farmer who’s sadly a widower who’s raising three teenage daughters.  And as they were growing up and started dating, he always made sure to see them off and they went on dates to meet the young fellows so they knew, you know,  to have the best intentions. So it was a Saturday night and as usual he’s out on the porch cleaning his gun  and in comes a knock on the door and he answers the door and there’s a young chap there and he says, hi, my name’s Joe. I’m here for Flo. We’re going to a show. I hope she’s ready to go. The farmer kind of chuckled. That is a sweet kid. About 20 minutes later, there’s another knock on the door.

[Sparky] There’s a young man standing there and he goes, Hi, my name’s Eddie. I’m here for Betty. I’m taking her out for spaghetti. I hope she’s ready. And the farmer chuckled. He’s like, you know maybe I kids nowadays all wrong. About 30 minutes later, there’s another knock on the door. And there’s a young man standing there and says, Hi, my name’s Chuck. And the farmer shot him. 

[Paul] That just sneaked through the family friendly filter, Sparky. So I think we can keep that in.

[Sparky] Poor Chuck just wanted to go to the movies. 

[Paul] I guess if you understand the joke then… 

[Sparky] Anyway. 

[Paul] Sparky, Ocean Aero is in the business of what I guess you call drones,  but you make a very different kind of drone which in many ways is more spectacular than what we now take as everyday, namely ones that can fly. Because yours are maritime vessels that are both  surface  and submarine vessels kind of at the same time, aren’t they?

[Sparky] Correct. Yeah, Ocean Aero does one thing and we make the world’s only  autonomous subsurface and surface maritime vessel entirely powered by solar  and wind assisted. It’s able to go out months at a time on its own power and navigate autonomously.

[Sparky] It can dive down under the water to a hundred meters and remain there  for about a week before it has to go up and recharge. There’s a variety of uses that are dual use, both civilian maritime and oil and gas industry, fisheries, underwater infrastructure, as well as defense applications, which is getting a lot of traction in anti-submarine warfare, countermine warfare, critical infrastructure, monitoring of protection, think cables, pipelines, other critical infrastructure you have under the water, as well as on the surface, intelligence, surveillance and reconnaissance, maritime domain awareness, and the like. 

[Sparky] Like any autonomous system, which is the future of maritime defense, it doesn’t solve any problem by itself. But as a system of systems with other maritime autonomous drones, be it under the water, on the surface, in the air, or conventional systems, being connected becomes a powerful tool at a much lower expense for navies around the world with much less risk to sailors, less logistics, less chance for incidental contact, if you will, leading to accidental escalation, certainly for environmental considerations, there’s no oil leaks. 

[Sparky] And when you talk of investments that governments are making now, on a scale, they’re one 100th, one 1000th the cost of conventional vehicles. Everybody’s watching Ukraine intently. They’re learning to scale and iterate rapidly to unfortunately fight an effect that is kinetic. But if you take those same ideas and apply them to deterrence, you might avoid the kinetic  interactions  in a place called maybe the Pacific or something else near the Eastern European front. 

[Paul] And if you compare these vessels to aircraft carriers, it’s almost as though it’s turned maritime operations inside out, isn’t it? Whereas an aircraft carrier had massive power, nuclear powered, usually basically a city in its own right with thousands of people on it, concentrating everything in one place. This kind of turns that on its head and sends out lots of vessels that can operate independently, but they all need to communicate in near real time in order to achieve that result. Almost like a hive mind of the sea, if you like. 

[Sparky] You know, it’s funny you mentioned aircraft carrier. I just landed last night coming back from Korea, where I was at a show called MADEX, M-A-D-E-X in Busan, Korea. And it is the Maritime Defense Exposition, the largest in the Pacific area, one of the largest. And I walked away from that with just  eyes wide open because one is that the future of maritime defense is autonomy, without a doubt. South Korea is leading the charge. They canceled their aircraft carrier program to redirect all that money into autonomous maritime defense. That’s the big deal. And they’re moving, they’re moving very fast.

[Sparky] Two, the future of  autonomous maritime defense is international and interoperable, meaning no one allied country that’s aligned is going to go to battle alone. And especially if they’re doing with drones, they’ve got to be interconnected, which brings about a whole host of other complications. You can get the same effects without dumping billions of dollars in systems that by the time they’re fielded, may be obsolete.

[Sparky] You now have a risk aversion because you have sailors in harm’s way. Nobody wants to lose a billion dollar aircraft. If you can have a bunch of drones that could have the same effect, which is deterrence, then maybe you don’t have to fight that sea battle. And if you do get into kinetic warfare, can you fight that remotely? Because the  one thing that’ll turn a population against a conflict is to lose a bunch of their sons and daughters out to sea.

[Sparky] So if you think of it as an effects-based approach to operations or defence planning, then it just leads to the natural conclusion given the technology we have today, that autonomy is the best way to go. But the only way it’s going to work is if it’s interoperable amongst itself and amongst allies and partners. 

[Paul] Is it fair to say that  some of these vessels,  once they’re launched for the first time, may spend their entire working life at sea. It’s not like they might spend a few weeks between ports and then come in for a refit, which kind of makes things like security updates, particularly for vessels that are underwater, sound like the most difficult thing you could possibly deal with. So how do you bring cybersecurity into the mix in a field like this? 

[Sparky] Well, I’m going to kick it to Joe in a second here because look, I’m an Old Naval Aviator. So I spell cyber with an S.  But I do know that you’re right. The magic to autonomous systems is persistence. They don’t have to come in and refuel. They don’t have to bring the sailors home to their families. It is out there and they’re interconnected. But interconnected can also be a danger spots, a liability in that if somebody can penetrate one node, they can shut down the whole system. 

[Paul] Exactly. 

[Sparky] So that cybersecurity piece, given these autonomous systems are the charges being led by private industry, usually backed by venture capital and not necessarily built for purpose by governments. It is often the last thing that’s thought about as a, now the government wants to use it. Oh, let’s figure out what their cybersecurity requirements are and layer it on top.

[Paul] Joe, it does sound like you could have a situation where one rotten apple really could spoil the barrel, which I think is a naval metaphor, so I hope I can get away with it. 

[Joe] I do think that we can take lessons from other segments as well. I think about low orbit satellites, the idea there, you want to send them out for as long as possible, and the idea of having secure systems on board so they can’t be tampered with I think is essential.

[Joe] And certainly that’s true in this case. And I want to give a shout out because at this year’s DEFCON, which is the Super Bowl for hacking competitions, there is the Maritime Hacking Village. 

[Paul] They don’t call it a village, do they? They could at least call it a port.  

[Joe] Yeah, it should be upgraded, but you know, there’s the ICS village and other villages. And so you just extend so everyone knows what to expect. But in the maritime hacking one, MHV, a lot of these autonomous vessels are going to be put to the test. And I think what we’ll find is there are many avenues to access. And if you think about a system of systems that are interdependent, that are interconnected, that need to communicate like other systems, those onboard communications start to set up where vulnerabilities could be. And the other vulnerability could come from the supply chain, whether that’s open source software that’s on board or third party components or proprietary software. So under the hood, if you will, under the sea, there are very similar looking architectures on board that can be compromised. So we want to increase resilience so those vessels maintain persistence, as Sparky said. 

[Sparky] The term Internet of Things, you had the internet, but now everything is using the internet, all connected. Adversaries have learned to use that to hack into things that normally you wouldn’t think are vulnerabilities. Think a smart fridge or the electric robot vacuum cleaner or medical devices, right?

[Paul] Sparky, we talking about that in the last podcast with a medical devices expert who was told a story of a blood bank in New York that was unable to deliver or use any of its blood products because the sample labeling machine broke due to a cyber attack.

[Paul] All of this fantastic equipment to deliver blood for emergency surgery stymied by the fact they couldn’t print the labels to identify what the blood types were. Wow. 

[Sparky] And that’s exactly the point. If you think of the Internet of Things, and now we’re moving towards what will be an Ocean of Things.  

[Paul] We’ve spoken in previous podcasts about, oh, well, that pump room takes some real getting to. But it’s still on land, you can probably drive close to it and then walk the last 50 metres. But here we’re talking about devices that could be thousands of kilometres from the nearest land, and even if they were nearby you wouldn’t want them putting in, you’d want them staying out there anyway. 

[Sparky] And if the point is to have a deterrent effect or the ability to react, you know, at the first signs of aggression as the first wave of a conflict, you want to have confidence that they’re going to be able to do that.

[Sparky] And so the idea of cybersecurity, know, Joe, that we talked about this in passing when we first met. That needs to be some things in the design and stage and in the forefront.

[Joe]  And I think if you think about environments like the South China Sea or Taiwan Straits, having good situational awareness, obviously very, very important. And looking for any changes in activity, I guess, in the Taiwan Straits would be essential. And what that means, though, is certainly a well funded adversary of  some sort is going to want to also be at the forefront. And so to the extent that we need to lock down these systems, there are other folks looking to analyze these systems, identify the vulnerabilities, and figure out how they can get on board or get into the supply chain in some fashion. And we see that in the US in critical infrastructure. We see that in communications in general with Salt Typhoon and Volt Typhoon in the South China Sea, in Taiwan Straits, and certainly other areas. You’ve mentioned Ukraine with good reason because there’s a lot of delivery of wheat and other products coming in and out of ports there. And so you can imagine the extent to which if you look at ports, you look at ships, you look at underwater vessels, all of this is kind of a new frontier, if you will, from a cyber perspective. But the threat maps what we’ve seen in previous areas of autonomy. 

[Paul] In the maritime domain, Sparky, do you think that excitement of the technology alone, the fact that you can build vessels as amazing as the one that I see in the picture behind you. Do you think that the technology tends to blind some of the people in the industry to, hey, let’s just work out what we can do with this? Do think that question, what do we need to do about this getting hacked or leaking data gets asked too late? And if it does, how do we bring it up the agenda? 

[Sparky] I think you’re right in that I mean, remember where this, where this comes from. This comes from technologists.

[Paul]  Yes. 

[Sparky] They’re coming up with great tech and then looking for a market, right? Cause they want to build a business and technologists and founders of all these startup companies are moving quickly. And they’re not necessarily thinking of cybersecurity beyond, okay, we’ve got our internet and we’ll teach you about phishing emails and all that.

[Paul] Brings a whole new take to the word fishing, doesn’t it? 

[Sparky] Yeah, right. I believe that in a lot of these companies, ours included, have got to grapple with at one point or another, okay, if we’re going to use these things to either deter malicious actors or to help destroy, for lack of a better term, malicious actors, that has a significance beyond, you know, an iPad or a cool tool.

[Sparky] Right? So it’s going to have to have a cyber component of it that is just as robust as the cyber component you have on a B2 bomber or an F35. They should put dollars towards the cyber hardening of these things early because you’re not going to get a company that’s scraping to get by just to get their thing to a defense show to invest a whole lot of the investment they have from  venture capital into cyber layers. If they don’t even know they’re going to be the thing that’s adopted for the long-term and at scale that makes it a viable business. So if cyber is the, is the thing that could be a threat to the thing that’s supposed to be your defense. I think it’s up to the folks that end up funding this initially to be putting those dollars or making those requirements known early. So they can be adopted as part of the development process and not as a bolt on afterthought. 

[Paul] Joe, we’ve talked about the complexity of retrofitting security to things like small devices that control one valve in a pump room. How much more important is it that we’re able to control things that might be 1200 nautical miles away and 76 meters under the sea?

[Joe]  Well, I think part of the key here is with the push to COTS systems on board, we do need to look very carefully at the supply chain itself. That’s one angle, but I think Sparky’s right.

[Joe] Integrating security into the build process early in the process and having that funded by those folks who care about that persistence and care about that resilience so that the missions are successful. We need to pull those dollars forward into investing in these companies so that these interoperable, interdependent systems endure even if there is some kind of malicious payload on device. And let’s face it, you may not want to just shut down one of these vehicles. You may want to collect your own data on them and find ways to get data off those. If you think about the onboard communications with Wi-Fi and 900 megahertz and radio mesh networks, there are vulnerabilities in there. So we have to think about the full attack vectors and the motivations, and we need to pull those dollars forward into the build process or when those purchases are being made, they need to be part of the requirements to be built in. 

[Joe] So Sparky’s correct. These systems are vitally important in the future of defense, in the future of other use cases. But the cyber aspects of them are just as important in order to maintain that persistence. 

[Sparky] As far as the funding, you know, and accelerating technology that can be used for defense purposes. In a previous role, I was working closely with the NATO defense innovation accelerator for the North Atlantic. It’s called NATO Diana. And the idea was, NATO was funding this program where dual use innovators could come bring their tech and they’d be down selected to be supported by this program, help them ramp up, learn how to scale, learn how to run a business, learn about the defense industry and how their tech could be aligned to that. And then ultimately be funded through the NATO innovation fund, which is the first sovereign wealth fund to support dual use tech. So we can rapidly feel things, but kind of in a controlled manner. And one of the things that they do is they teach these accelerators about the importance of things such as cybersecurity and the like that you need to be setting aside some of your R&D and your focus to make sure that when you’re ready to launch, it is already addressed. 

[Sparky] The idea with things like DIU and the replicator initiative and everything else, when you start funding demonstrations part of it should be, and it should be cyber secure to X level, whatever X level is, including A, B or C. And that is part of what we’re funding you to have. So then when goes to the next stage, someone’s not way behind and someone’s way ahead. 

[Paul] Exactly.

[Sparky]  Governments can insist on it and they should fund it upfront and not as a bolt on. Joe will tell why that is a much more difficult proposition. 

[Joe] Yeah. And I think the push for certain requirements from a cybersecurity perspective are important. And part of that is if folks like DIU and whoever the ultimate buyers are of the systems need to be pretty clear what those requirements are and pay for it, because they are the ones that want this mission to succeed in the end. There needs to be money focused on it. That’s one part of it. But to your point on interoperability and then regulation, we have interconnected systems that want to focus on very specific missions, whatever they are, and they need to be able to communicate with each other and avoid some kind of grave consequence or destruction. 

[Joe] And so if you are driving down the overall price, if you will, or the cost to maintain these systems by investing in COTS-oriented vehicles through competitive processes, there still has to be another step, which is commit to those commercial entities that are bringing this capability and ensure that the government,  in this case in a dual use sense, the government and these commercial entities have the necessary funding to ensure that the cyber standards are met. And so there are expectations of what cybersecurity might be on systems like this, but those are really thought about after the contract award.

[Paul] Yes, because everyone does need to be on the same page, don’t they? As Sparky said, it’s no good having seven different sorts of vessel that you’re going to integrate into some greater whole. And then you find that most of them are actually pretty good about security. But the last vendor figured, well, I’d leave it until I saw whether I’d get the contract and now I’ll have to rush to catch up. 

[Sparky] Joe’s the expert on this, but I don’t necessarily think that the solution, especially when you talk about iteration, needs to be overly exquisite or tech- or expensive. You can just start with a baseline and then build on that baseline if you have an ultimate standard in the end. 

[Paul] I agree. It’s pretty much like the must be at least this tall to go on ride sign, because if you can’t get the basics right, then you’re not likely to get the more difficult stuff right either. In the same way, Sparky, that you said before you got into flying helicopters, you train on fixed wing aircraft first until you’ve got the aviation aspects and the navigational aspects down pat. Then you go and do the difficult stuff. 

[Sparky] Right. And so if there’s, if there’s a program to crawl, walk, run in cybersecurity that, you know, again, is ultimately funded by the end users because they’re the ones that’ll mandate what that readiness level is.  And then I think there’s a way to kind of do that at a scale where it’s not capital intensive and certainly not capital intensive such that it scares away founders and innovators. 

[Joe] And I think some of those  aspects, they start with having a  really good foundation understanding of what software, what components are on these vehicles. And with that, what the vulnerabilities are in those components. That’s an easy thing to do. That’s a Software Bill of Materials where you link to vulnerabilities. 

[Joe] And what that does give is those ultimate asset owners or those operating the missions, the ability to understand sort of the risk profile of  some of these systems. And with that, then there can be very prescriptive steps that need to happen. But I think another aspect of this is there’s really two others. Another one is having the right mindset or balance for runtime defense of these systems, because you can imagine with all these components coming from open source and third parties, you need to look for those vulnerabilities, but you have to assume there is a compromise and they will be attacked. And so you need to have the proper runtime defense. So I think having a good baseline of all the components that are on there, what are the operating systems? What are the applications built on? What are their packages? What are their libraries? What are their communications? 

[Joe] And assess the risk and the vulnerabilities associated with them, and then have the runtime defense. And those are pretty easy things to deploy naturally. And that’s kind of the baseline. And then from there, you can start to focus in and zero in on individual components that put these systems most at risk. There is then a next step of elevating folks’ software development processes to be more mature and to include secure by design-like principles in that development process. 

[Sparky] For a maritime company, whatever that is,  or any  autonomous vehicle company, whether it’s land, sea, air, they’re bringing engineers and experts in that domain. How do you go underwater? How do you climb hills? How do you make something fly aerodynamically and efficiently? To bring out a whole software and engineering team at that stage, just is not feasible for startups just trying to make it into the game, not to necessarily win the game.

[Sparky] And so if the government provided as a service, right, they outsource because it’s what they would do something like RunSafe or some other security company or a list and they can come in and certify you to, you know, basic level intermediate level, whatever it is to kind of give you that clearance. Like you’re good to go. You’re level one. So you can do demos. Okay. You’re level two. So now you can go do exercises rather than expect these companies to do it themselves and have to go outsource that because then it’s not necessarily standardized. 

[Paul] Gentlemen, I’m conscious of time. So I’d like to conclude, I may, by following on something that you said earlier, Sparky, that this doesn’t have to be made super complicated. And it sounds as though from a cybersecurity point of view, particularly in the maritime arena, a sense of, as you say, crawl, walk, run, fly, or perhaps in this case, swim really is the way to go. So if you’re in this industry and you haven’t started thinking about cybersecurity yet, today is a very good day to get started. I’m sure you’d agree with that, Joe.

[Joe] 100%. And I do think, although we can come up with standard programs, I do think there’s an element of competition.  And when there are many providers, ones who incorporate security into it from the start and get started today, I do think they also have an advantage. So I would encourage not strictly security by compliance, but also thinking through the threats and thinking through differentiation of product as well. So I do think that security can be a differentiator. 

[Paul] Absolutely. You can be good, but it’s better to be better.  Gentlemen, thank you so much. Sparky, it’s just fascinating hearing everything you’ve got to say about these vessels.

[Paul] I know that even though I’m an expert in cyber security who’s been focused on cyber security for decades, that would fly out of my head if you took me somewhere like Gulfport and said, hey, come and look at one of these. I would not say how secure is it. I would want to say, show me what it can do.  But life means we have to balance both of those sides. So that’s a wrap for this episode of Exploited: The Cyber Truth.

[Paul] If you found this podcast informative, don’t forget to subscribe so you can keep up to date every week and please share it with everyone in your team. Don’t forget, stay ahead of the threat, see you next time!