Spotlight Series Article
By Patrick Donegan, Founder and Principal Analyst at HardenStance
I recently attended Total Telecom’s outstanding ‘Submarine Networks EMEA 2024’ to learn about this industry’s cybersecurity challenges. Cybersecurity has tended to have a fairly low profile in the sector, largely because nearly all incidents arise from physical world disruption. Moreover, incidents nearly all arise from benign causes – trawlers casting their nets and other vessels dragging anchors, or natural world events like seismic activity on the ocean floor.
Some speakers and exhibitors showed a weary, eye-rolling frustration at the media’s preference for reporting the 1% of Bond-film-themed incidents in which nation state-directed vessels carry out nefarious attacks on cables at sea. For them, the 99% of benign incidents impose a much bigger total cost on the industry, so that’s where the reporting should focus.
A clear majority at the event nevertheless recognised that malicious incidents pose a substantially greater risk now than they did even just a year or two ago. One such incident occurred in the Baltic Sea last October when Finland and Estonia attributed cuts to not one but four fibre optic cables and a gas pipeline to a Chinese container ship and Russian-flagged vessel that were in the area. Several people also referred to at least three major incidents in Africa in the last year – each one impacting three or more cables at a time. The majority of opinion I heard pointed to the severity of incidents growing, the risk from malicious activity by nation states growing, and a significant or even strong correlation between the two trends.
Not surprisingly, there is now a relentless focus on taking already well-advanced global and regional route diversity to still more advanced levels. Several speakers shared new build plans, with route diversity to the fore in all their talks. Google’s recent announcement of ‘Umoja’, the world’s first subsea cable directly linking South Africa and Australia, appears to have taken even some seasoned industry leaders by surprise with its ambition.
This is the world of physical risk that cyber threats to the submarine cable ecosystem fit into. From what I was able to ascertain, the cyberattacks that the sector’s cyber defenders are focused on are grouped into three areas.
The first is corruption of the systems that monitor cable activity on the ocean floor, either by an insider or a remote hacker. These systems are housed in modern, fit-for-purpose Network Operations Centre (NOC) and Security Operations Centre (SOC) facilities, or in less well-equipped variants built at lower cost. The consensus I heard is that both models are well represented across the world’s more than 500 submarine cable systems and more than 1,500 landing stations. Malicious manipulation of these critical monitoring systems could allow adversaries to configure alerts so that they mislead the cable’s owners and stakeholders into believing that everything is fine when it isn’t. It could also mislead them as to the location of a fault, at a time when rapid repair is crucial to the millions of customers that depend on these cables being available.
The second area is a physical breach of a landing station. Depending on how it’s configured, this could yield access to monitoring systems or even the cable’s user traffic. The location of most landing stations isn’t a secret. Some of them are surprisingly open to passers-by stumbling across them on an afternoon walk along the shore. The physical security surrounding them, what they house and how it’s configured all vary considerably. In developed countries they may be heavily reinforced and staffed, with stringent access management. In less developed countries they may be unmanned, with not much more than a padlock for physical security. According to multiple individuals I spoke with, most traffic running on submarine cables is unencrypted today. Hence, in cases where cables terminate at a landing site (rather than further inland at a data centre), there is a theoretical opportunity for an exceptionally skilled, heavily funded hacker to cut and splice the cable and access the traffic. Even where traffic is encrypted, there’s still the risk of Store Now Decrypt Later (SNDL) attacks, whereby traffic is copied and stored until a powerful enough quantum computer can break contemporary crypto standards.
The third type is the stuff of a Bond film. It consists of a submarine operating at depths great enough to reach the ocean floor (as it happens, Russian Akula class subs can dive to below 1,000 metres). Once it’s guided to the right position above a target cable, a hatch is opened, and the cable is somehow hoisted inside. Some extravagantly talented individual then proceeds to cut and splice the cable – without the 15,000 volts running through the cable to power the transponders blowing the vessel and its crew to smithereens. They then proceed to access the user traffic. Bear with me, here. Several knowledgeable people at Submarine Networks EMEA 2024 assured me that this is a scenario which, while almost certainly not feasible today, is nevertheless one that national security agencies take very seriously. In the case of most cables deployed in the last 10 years or so, encryption is there to be switched on when needed, although US export controls get in the way of universal, frictionless implementations. Encryption wouldn’t mitigate the problem completely, either. It wouldn’t protect against the hypothetical hacker in the submarine copying the encrypted data in an underwater SNDL attack – a USNDL attack, perhaps? With one single fibre pair on a transatlantic cable carrying as much as 25 terabit/s, that submarine is also going to need one hell of a lot of data storage for this cyber-attack. On the defender side, there is also ongoing research into extending the use of seismic sensing technology so that it can detect physical tampering with the cables.
Nation state threats of all kinds are clearly growing in the submarine cable business. Throughout the two days, speakers repeatedly referred to a marked uptick in government agencies engaging much more deeply in submarine cable security now. This will make its way into demands for higher standards of cybersecurity – and higher investment to fund it.