Despite CND claims, Trident doesn’t run on Windows XP

Some have claimed that the Vanguard class submarines which carry Trident are vulnerable to cyber-attacks in the same way the recently hit NHS is, that is not the case.

Critics point to the Royal Navy’s decision to install a heavily adapted operating system, based off the same framework as Windows XP, as the operating system on its missile-carrying Vanguard class submarines. While some versions of Windows have long been criticised for unreliability, the variant installed on the submarine fleet is about as robust and reliable as they come, having no real similarity with Windows XP.

So reliable is the system that the operating system and its variants are widely used in commercial operations including manufacturing plants, labs and commercial ships. The Royal Navy has already installed similar systems in other ships and submarines. Some have taken to using the recent attacks on the NHS as part of a campaign against Trident, albeit they’ve used the wrong information.

While we have no position on renewing Trident, we do have a very strong position on facts being important.

Do you know where else Windows XP is used? #CyberAttack pic.twitter.com/Ve2trUYbZM

— CND (@CNDuk) May 13, 2017

The submarines use ‘SMCS NG’, the Submarine Command System New Generation, was created for the Vanguard class submarines as a tactical information system and a weapon control system and is often nicknamed ‘Windows for Submarines’. It does however not control Trident.

The programme undertaken by the Royal Navy and BAE Systems to equip the fleet with a Windows-based command system was completed in just 18 days.

The worry over security, in our view, isn’t really something to be concerned about. The biggest threat is experienced when submarines are in port to recieve software updates as unpatched vulnerabilities in the operating system could in theory be used by attackers to break into their systems if they were connected to the internet. However, they’re not connected to the internet and are in no way vulnerable to the type of attacks that crippled the NHS, as we reported here.

The Ministry of Defence claim it isn’t worried that hackers could exploit any potential vulnerabilities found in the system and in a statement, explain they pay particular attention to keeping submarines protected against this kind of threats.

“Submarines operate in isolation by design, and this contributes to their cyber resilience. We take our responsibility to maintain a credible nuclear deterrent extremely seriously and continually assess the capability of our submarines to ensure their operational effectiveness, including against threats from cyber and unmanned vehicles.”

Peter Roberts, a former Royal Navy officer now at Royal United Services Institute, told the Guardian that British technicians are well aware of the potential software vulnerabilities and have instituted special safeguards.

“None of this anti-submarine technology has been perfected and what you are not able to do with drones is get them to work together, because of the problems of communications underwater.

I can’t see a breakthrough in the next 15 years, and you are never going to see the whole ocean. We are talking about a water space that covers two-thirds of the world’s surface. This is not a needle in haystack. It’s way beyond that.”

It is understood that the Trident missile system itself has also been given increased protection from cyber-security threats.

The Ministry of Defence is planning to spend nearly £2 billion on cyber security over the coming five years, including a scheme to improve the safety of Britain’s nuclear deterrent in partnership with the US Navy. The US military is reported to be poised to award a contract to British defence contractor BAE Systems to develop Trident’s cyber-security protection.

In statements made by Ministry of Defence officials to The Telegraph, both countries have scheduled upgrades to Trident missile software in order to fend off the threat of cyber-attacks. Since Trident missiles aren’t connected to the Internet, the security features planned are likely aimed at making it harder for attackers to leverage techniques used in targeting air-gapped systems.

John Daniels, a spokesman for the US Navy’s Strategic Systems Programme, told the media:

“Now that cyber has become even more important in our national security, there will be even more requirements. In our modern era, cyber-security threats are a legitimate concern.”

US and UK officials have announced future upgrades to their Trident missiles program, and more specifically, to the missile’s software, in order to prevent cyber-attacks.

A Ministry of Defence spokesman said:

“The deterrent remains safe and secure.We take our responsibility to maintain a credible nuclear deterrent extremely seriously and continually assess the security of the whole deterrent programme and its operational effectiveness, including against threats from cyber.”

Currently, the US and UK are using the same type of submarine-launched missiles with their fleets, which is the Trident Class II D5 model. Britain has 58 of these missiles, deployable on four submarines.

All of the UK’s missiles regularly undergo scheduled maintenance work, during which they also receive upgrades. This work is done by BAE Systems, the company contracted by both the US and the UK for this job. BAE company declined to comment on the work.

The UK deterrent is completely operationally independent and UK does not need permission of the US (or anyone else) to launch its Trident missiles.