Nuclear weapons systems are vulnerable to cyber-attacks which could at worst lead to compromise and inadvertent launches, a leading thinktank has warned.
These risks have been outlined in the new Chatham House report, Cybersecurity of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences.
It claimed that nuclear weapons systems were designed in a pre-digital age with little consideration given to the possible impact of cyber-threats.
It added:
“There are a number of vulnerabilities and pathways through which a malicious actor may infiltrate a nuclear weapons system without a state’s knowledge. Human error, system failures, design vulnerabilities, and susceptibilities within the supply chain all represent common security issues in nuclear weapons systems. Cyber-attack methods such as data manipulation, digital jamming [DoS] and cyber spoofing could jeopardize the integrity of communication, leading to increased uncertainty in decision-making.”
This uncertainty could even cause an escalation resulting in the use of nukes.
“Inadvertent nuclear launches could stem from an unwitting reliance on false information and data,” the report warned.
US Minutemen silos were highlighted as particularly susceptible to cyber-attack, while it has been reported in the past that the US has been able to infiltrate the supply chain of North Korean systems to scupper test launches.
Chatham House identified 13 key areas in such systems vulnerable to cyber-attack.
These included: communications between C&C centers and from command stations to missile platforms, missile telemetry data, technology in transport, labs and assembly facilities, real-time targeting, weather and positioning data and autonomous robotic systems.
As with many other areas of critical infrastructure (CNI), the private sector is heavily involved, but under constant attack.
“Presently, this is a relatively ungoverned space and these vulnerabilities could serve to undermine the overall integrity of national nuclear weapons systems,” the report continued. “For example, the backdoors in software that companies often maintain to fix bugs and patch systems are targets for cyber-attacks once they are discovered and become known.”
The report argued that defense contractors should be forced to disclose and share any info about cyber-attacks with their governments.
The authors recommended governments incorporate rigorous cyber-risk reduction into their nuclear command, control and comms systems.
AlienVault security advocate, Javvad Malik, argued that legacy systems in particular represent a major weakness in CNI.
“Going after connected weaponry is the next step, be it for espionage purposes, or something more sinister,” he added.
“Owing to the legacy infrastructure, rapid patches, or constant monitoring is not always feasible, therefore, it is in the best interests to keep such systems as segregated as possible to minimize the risk of external actors being able to access.”