
A Low Likelihood of Cyber Attack on USS MCCAIN

posted Oct 29, 2017, 3:24 PM by James Caroland   [ updated Oct 29, 2017, 3:27 PM ]
By Ian W. Gray

On August 21, 2017, the USS JOHN S. MCCAIN (DDG-56) collided with the merchant vessel Alnic MC while transiting east of the Strait of Malacca, one of the busiest chokepoints in the world [1].  The collision was the second time a U.S. warship had collided with a merchant vessel this year [2], and the fourth Navy incident at sea this year [3].  All of these accidents occurred in close proximity to Asia, leading some analysts to suggest that they could be part of a cyber operation [4].  That hypothesis appears to be supported by rising U.S. tensions with China over Freedom of Navigation Operations in the South China Sea [5], and by provocations from North Korea amid nuclear tests and U.S.-supported war games near the Hermit Kingdom [6].  Against that backdrop of geopolitical tension, the improbability of mere coincidence is treated as a secondary supporting factor.  This reasoning, however, invites a confirmation bias toward a cyber explanation and deserves closer analysis.

“Cyber” has become a convenient explanation for any loss of availability in infrastructure and equipment where technology plays a predominant role (which encompasses most things these days).  The reasoning is reinforced by the covert nature of cyber-attacks and by the recent increase in publicized state-sponsored cyber operations by actors including China, North Korea, Iran, and Russia.  Unlike fixed infrastructure and computer servers, however, ships are mobile and exposed to additional environmental factors such as weather and natural lighting conditions.  A ship transiting a high-density traffic area is also contending with a host of other vessels, with the performance of its own navigation and propulsion systems, and with the maintenance and operation of those systems by its crew.

In July 2017, the Baltic and International Maritime Council (BIMCO) updated its “Guidelines on Cyber Security Onboard Ships” [7] with further recommendations on network and cyber security.  The vulnerable systems BIMCO identifies include bridge systems, cargo management, propulsion and power control, access control, and ship-to-shore communications.  The attack vectors, much as for shore-based facilities, include brute force, supply-chain compromise, phishing and social engineering; the increasing connectivity and automation of shipboard control systems expose them to all of these.  Several navigation and communication systems are additionally exposed over the radio path: jamming attacks their availability, and spoofing attacks their integrity.

United States warships carry a suite of technology for multiple complex mission areas, but navigation and propulsion remain paramount to crew safety and operational success.  Carriage and performance requirements for navigation equipment are promulgated by the International Maritime Organization’s (IMO) Safety of Life at Sea (SOLAS) convention, which formally applies to merchant ships (warships are exempt from SOLAS but carry equivalent equipment).  The convention has been updated to mandate technology such as a satellite navigation receiver (in practice the Global Positioning System, GPS), the Automatic Identification System (AIS), and the Electronic Chart Display and Information System (ECDIS).

Both warships and merchant vessels could be targeted by GPS spoofing and jamming.  Attacks of this kind have been reported in use by China against U.S. drones in the South China Sea [8], and by North Korea to disrupt maritime and air traffic in South Korea [9].  Other recent reports describe a mass GPS spoofing incident in the Black Sea off the coast of Russia [10], and the use of such techniques by Iran to assert dominance and control over the Persian Gulf [11].  A spoofer broadcasts counterfeit satellite signals so that shipboard receivers compute, and display, a position chosen by the attacker; a jammer simply overpowers the genuine signals so that the receiver loses its fix altogether.  Such attacks could be part of an anti-access/area denial (A2/AD) strategy, though they are an unlikely cause of the MCCAIN collision.
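The check a navigation team (or an ECDIS integrity monitor) can run against this is to compare each GPS fix with a dead-reckoned position computed from the ship’s own speed log and gyrocompass, inputs a radio spoofer cannot touch. The following Python is an added example, not code from the article or from any Navy system; the ship track in it, including the slow northward walk-off that begins at t=150 s, is constructed sample data, and the thresholds are illustrative.

```python
import math

NM_PER_DEG_LAT = 60.0  # one minute of latitude is one nautical mile


def dead_reckon(lat, lon, course_deg, speed_kn, seconds):
    """Advance (lat, lon) along a true course at a speed for `seconds`.
    Flat-earth approximation: adequate over the few minutes a check spans."""
    dist_nm = speed_kn * seconds / 3600.0
    dlat = dist_nm * math.cos(math.radians(course_deg)) / NM_PER_DEG_LAT
    dlon = dist_nm * math.sin(math.radians(course_deg)) / (
        NM_PER_DEG_LAT * math.cos(math.radians(lat)))
    return lat + dlat, lon + dlon


def distance_nm(lat1, lon1, lat2, lon2):
    """Separation of two nearby positions in nautical miles (flat-earth)."""
    dlat = (lat2 - lat1) * NM_PER_DEG_LAT
    dlon = (lon2 - lon1) * NM_PER_DEG_LAT * math.cos(
        math.radians((lat1 + lat2) / 2.0))
    return math.hypot(dlat, dlon)


def suspect_fixes(fixes, course_deg, speed_kn, max_error_nm=0.1, max_speed_kn=40.0):
    """Return indices of GPS fixes that disagree with dead reckoning.

    fixes: time-ordered list of (t_seconds, lat, lon). The first fix is the
    trusted anchor; every later fix is compared with the DR position from that
    anchor, so a slow walk-off accumulates error and is flagged even though each
    individual step stays small. An outright jump is also caught by the speed
    implied between consecutive fixes.
    """
    flagged = []
    t0, lat0, lon0 = fixes[0]
    for i in range(1, len(fixes)):
        t, lat, lon = fixes[i]
        exp_lat, exp_lon = dead_reckon(lat0, lon0, course_deg, speed_kn, t - t0)
        dr_error = distance_nm(exp_lat, exp_lon, lat, lon)
        tp, latp, lonp = fixes[i - 1]
        implied_kn = distance_nm(latp, lonp, lat, lon) / ((t - tp) / 3600.0)
        if dr_error > max_error_nm or implied_kn > max_speed_kn:
            flagged.append(i)
    return flagged


# Constructed sample: a ship making 12 kn on course 090 near 1.2 N 103.8 E,
# one fix every 30 s (0.1 nm of easting per fix). From t=150 s the reported
# latitude walks north by 0.0005 deg (0.03 nm) per fix, far below any
# single-step threshold, while the easting stays honest.
SAMPLE_COURSE, SAMPLE_SPEED = 90.0, 12.0
SAMPLE_FIXES = [
    (0, 1.2000, 103.800000),
    (30, 1.2000, 103.801667),
    (60, 1.2000, 103.803334),
    (90, 1.2000, 103.805001),
    (120, 1.2000, 103.806668),
    (150, 1.2005, 103.808335),  # spoofed walk-off begins
    (180, 1.2010, 103.810002),
    (210, 1.2015, 103.811669),
    (240, 1.2020, 103.813336),
    (270, 1.2025, 103.815003),
]

if __name__ == "__main__":
    # Only the fixes whose accumulated offset exceeds 0.1 nm are flagged.
    print(suspect_fixes(SAMPLE_FIXES, SAMPLE_COURSE, SAMPLE_SPEED))  # -> [8, 9]
```

Two details matter in practice. A single-step jump test is easy to evade by pulling the fix away a few metres at a time, so the comparison is made against a fixed anchor rather than the previous fix, and the window must be short enough (minutes, not hours) that set, drift and log error do not themselves exceed the threshold. Jamming shows up differently: the receiver loses its fix outright, which the equipment reports directly rather than through a plausibility check.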

SOLAS requires ships to carry AIS so that they provide their identity, position and movement to surrounding ships and coastal authorities for safety at sea.  AIS, which broadcasts GPS-derived coordinates over VHF radio, is itself susceptible to cyber-attack, as Trend Micro demonstrated in 2014 [12]: the protocol carries no authentication, so its messages can be forged by anyone with a transmitter.  Possible attacks include denial of service, the appearance of a spoofed vessel, the suppression of information about a real vessel, and other false reports, including shipboard emergencies.  If targeted well, such information could cause a ship to alter its course or speed, or to take other actions that endanger its safety.  AIS is not a primary means of navigation, however, and any maneuvering decision a ship takes would normally be verified against an independent sensor such as radar.
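To make that verification step concrete, the following Python decodes an AIS position report and then tests whether the reported position agrees with where the ship’s own radar places the contact. It is an added example, not code from the article or from Trend Micro; the AIVDM sentence is the public sample used in the gpsd AIVDM documentation, while the own-ship position and the radar range and bearing are constructed. The NMEA checksum is recomputed only to catch corruption: it is a plain XOR that any sender can produce for any payload, which is exactly why AIS data needs an independent cross-check.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '!' and '*'. An error check, not a MAC:
    any sender can recompute it for a forged payload."""
    x = 0
    for ch in body:
        x ^= ord(ch)
    return f"{x:02X}"


def armor_to_bits(payload: str) -> str:
    """Undo AIS six-bit ASCII armoring into a string of '0'/'1'."""
    out = []
    for ch in payload:
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        if not 0 <= v < 64:
            raise ValueError(f"bad six-bit character {ch!r}")
        out.append(f"{v:06b}")
    return "".join(out)


def _uint(bits, start, length):
    return int(bits[start:start + length], 2)


def _sint(bits, start, length):
    v = _uint(bits, start, length)
    return v - (1 << length) if v >> (length - 1) else v


@dataclass
class PositionReport:
    mmsi: int
    nav_status: int
    sog_kn: float
    lon: float
    lat: float
    cog: float
    heading: int
    timestamp: int


def decode_position_report(sentence: str) -> PositionReport:
    """Decode a single-fragment !AIVDM sentence carrying message type 1, 2 or 3."""
    if not sentence.startswith("!AIVDM,") or "*" not in sentence:
        raise ValueError("not an AIVDM sentence")
    body, given = sentence[1:].rsplit("*", 1)
    if nmea_checksum(body) != given.strip().upper():
        raise ValueError("NMEA checksum mismatch")
    f = body.split(",")
    if f[1] != "1" or f[2] != "1":
        raise ValueError("multi-fragment messages not handled here")
    bits = armor_to_bits(f[5])
    fill = int(f[6])
    if fill:
        bits = bits[:-fill]
    msg_type = _uint(bits, 0, 6)
    if msg_type not in (1, 2, 3) or len(bits) < 168:
        raise ValueError(f"not a position report (type {msg_type})")
    return PositionReport(
        mmsi=_uint(bits, 8, 30),
        nav_status=_uint(bits, 38, 4),
        sog_kn=_uint(bits, 50, 10) / 10.0,
        lon=_sint(bits, 61, 28) / 600000.0,  # units of 1/10000 arc-minute
        lat=_sint(bits, 89, 27) / 600000.0,
        cog=_uint(bits, 116, 12) / 10.0,
        heading=_uint(bits, 128, 9),
        timestamp=_uint(bits, 137, 6),
    )


def range_bearing(lat1, lon1, lat2, lon2):
    """Great-circle range (nm) and initial true bearing (deg) from point 1 to 2."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a)), math.degrees(math.atan2(y, x)) % 360


def ais_agrees_with_radar(report, own_lat, own_lon, radar_range_nm, radar_bearing,
                          tol_nm=0.25, tol_deg=5.0):
    """True if the AIS-reported position sits where radar places the contact."""
    rng, brg = range_bearing(own_lat, own_lon, report.lat, report.lon)
    dbrg = abs((brg - radar_bearing + 180) % 360 - 180)
    return abs(rng - radar_range_nm) <= tol_nm and dbrg <= tol_deg


# Public sample sentence from the gpsd AIVDM documentation (not constructed here).
SAMPLE_SENTENCE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"
# Constructed own-ship position and radar track: a contact at 2.0 nm due north.
OWN_LAT, OWN_LON = 47.5500, -122.345833
RADAR_RANGE_NM, RADAR_BEARING = 2.0, 0.0

if __name__ == "__main__":
    rpt = decode_position_report(SAMPLE_SENTENCE)
    print(rpt)  # MMSI 477553000, moored, 47.5828 N 122.3458 W
    print("agrees with radar:", ais_agrees_with_radar(rpt, OWN_LAT, OWN_LON, RADAR_RANGE_NM, RADAR_BEARING))
```

The decoder rejects a corrupted sentence, but a forged one with a freshly computed checksum decodes just as cleanly as a genuine one, so the only thing that exposes a phantom vessel is the radar comparison: a contact that AIS says is two miles north but that no radar return supports, or one whose AIS position does not line up with the return that is there, should not drive a maneuvering decision.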

In 2005, the US Navy began a fleet-wide implementation of ECDIS on surface ships and submarines [13].  ECDIS integrates several navigation sensors and GPS receivers into a single operational picture for voyage planning and ship movement, and it takes downloadable charts and corrections, eliminating manual pen-and-ink changes to paper charts.  Although a cyber-induced error could originate in ECDIS, an error capable of causing a collision would also have to defeat a number of other independent inputs, including civilian and military radars and GPS.

While the Navy has developed additional countermeasures to protect its systems from cyber-attack, the merchant fleet has not uniformly employed similar protections.  SOLAS mandates GPS, AIS, and ECDIS, but merchant ships have been given until 2021 to integrate cyber risk management into their own safety management frameworks [14].  Though the likelihood of a cyber-attack against a U.S. warship is relatively low, the incident investigation should also take into account the cyber risk posture of the more than 51,000 other merchant vessels transiting the high seas, one of which was the other party to this collision.

The traffic density of the Strait of Malacca lends credence to a more likely scenario: avoiding multiple merchant vessels in a heavily trafficked area while possibly also managing an engineering casualty.  Current reports indicate that MCCAIN may have suffered a loss of steering prior to the collision, and there is presently no indication of a cyber-attack.  Although backup control measures exist to shift steering from the pilot house to the aft steering control room, doing so may not have been enough to steer clear of oncoming merchant traffic.  State actors increasingly use cyber as an attack vector, but we should be careful not to label this incident a cyber-attack prematurely.

Two collisions involving the same class of ship (Arleigh Burke destroyers, Flight I), along with the other accidents in Asia, may look like more than coincidence, but we need to examine the factors leading up to and contributing to each incident.  Most incidents at sea are the culmination of a number of factors: environmental, situational and material.  Current events make cyber a possible factor, but we should not let the possibility of a cyber finding steer the analysis of an investigation.  The two destroyers damaged this past summer can be repaired; the loss of their sailors cannot be undone.

About the Author

Ian W. Gray is a senior intelligence analyst at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime. Ian is also a military reservist with extensive knowledge of the maritime domain and regional expertise in the Middle East, Europe, and South America.

[1] H. Beech and M. Haag, “10 Missing After U.S. Navy Ship and Oil Tanker Collide Off Singapore,” Aug. 2017.
[2] J. Borger, M. Farrer and O. Holmes, “Pentagon Orders Temporary Halt to US Navy Operations After Second Collision,” Aug. 2017.
[3] S. Ferrechio, “John McCain Supports Navy Operations Pause After Fourth Accident,” Aug. 2017.
[4] C. Chang, “Hacking Link To USS McCain Warship Collision? Expert Says ‘I Don’t Believe in Coincidence’,” Aug. 2017.
[5] A. Panda, “China Reacts Angrily To Latest US South China Sea Freedom of Navigation Operation,” Jul. 2017.
[6] J. McCurry, E. Graham-Harrison and S. Siddiqui, “US Increases Pressure On North Korea After Missile Test,” Jul. 2017.
[7] BIMCO, “The Guidelines On Cyber Security Onboard Ships,” white paper, Jul. 2017.
[8] D. Goward, “GPS Spoofing Incident Points to Fragility of Navigation Satellites,” Aug. 2017.
[9] K. Mizokami, “North Korea Is Jamming GPS Signals,” Apr. 2016.
[10] S. Goff, “Reports Of Mass GPS Spoofing Attack In The Black Sea Strengthen Calls For PNT Backup,” Jul. 2017.
[11] I. Gray, “Cyber Threats To Navy And Merchant Shipping In The Persian Gulf,” May 2016.
[12] Trend Micro, “Threats at Sea: A Security Evaluation of AIS,” white paper, Dec. 2014.
[13] J. Rhodes and M. Abshire, “U.S. Navy Announces Plans To Convert Fleet to ‘Paperless’ Navigation,” Jul. 2005.
[14] I. Gray, “Petya Attack Shows The Need For Cybersecurity Rules,” Jun. 2017.

Photo credits (in order of appearance): DoD Live, Wikimedia
