VIEWPOINT: Relying Solely on Air Gapping is Not a Robust Cybersecurity Strategy

The USS Manchester Incident: A Cautionary Tale for Cybersecurity in Defense

In a startling revelation, a recent investigation into the USS Manchester, a littoral combat ship of the United States Navy, uncovered a conspiracy among senior Chiefs to install an unauthorized Starlink Wi-Fi network aboard the vessel. This clandestine operation was an attempt to circumvent the ship’s prolonged internet connectivity issues, a common challenge faced by Navy personnel during deployments. However, this seemingly innocuous act raises significant concerns about cybersecurity and operational integrity within military environments.

The Importance of Air Gapping

Internet access on Navy ships is heavily restricted for several critical reasons, with operational security being paramount. The Navy employs a strategy known as "air gapping," which involves isolating devices from external networks to prevent unauthorized data transfer. This method is designed to safeguard sensitive information from potential cyber threats, particularly in politically volatile regions where adversaries may seek to exploit vulnerabilities.

The USS Manchester was deployed in the West Pacific, an area marked by heightened tensions between the United States and China. In such environments, the risks associated with cyber threats from nation-state actors are amplified. The Navy’s reliance on air gapping is intended to create a secure operational environment; however, the discovery of the unauthorized Wi-Fi network revealed a critical flaw in this strategy.

A False Sense of Security

For months, the Navy operated under the assumption that its networks were securely air-gapped. The presence of a simple Wi-Fi network, installed without authorization, posed a significant risk to the ship's cybersecurity. This incident serves as a stark reminder that without proper monitoring and visibility into all connected assets, air gapping can provide a false sense of security.

The USS Manchester case illustrates that even minor oversights can have serious repercussions for national security. If an external connection is established, it can compromise the integrity of the entire network, exposing it to various cyber threats. This incident underscores the necessity for robust monitoring systems that can detect unauthorized connections and ensure the integrity of air-gapped networks.

The Need for Improved Visibility

To fortify air-gapped networks, the first step is to enhance visibility into all connected assets. This is particularly challenging in operational technology (OT) environments, where legacy systems and proprietary protocols often complicate security measures. Many defense organizations may not have a comprehensive understanding of the various protocols in use, which can leave critical assets undetected.

A typical defense environment may involve hundreds of proprietary protocols, each requiring specialized security tools to recognize and monitor their activity. To effectively safeguard these networks, organizations must implement security solutions capable of identifying and analyzing the communication patterns of all OT, Building Management Systems (BMS), Internet of Things (IoT), and other cyber-physical assets.

Analyzing Communication Patterns

Beyond merely recognizing proprietary protocols, security tools must also analyze how and when these assets communicate. Understanding the connectivity paths, processes supported, and the role of each asset within the network topology is crucial for identifying unusual or suspicious activity. In the case of the USS Manchester, the unauthorized Wi-Fi network not only violated operational protocols but also highlighted the need for vigilance against negligent practices by internal staff.
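The two monitoring tasks described above, checking that every observed connection stays inside the air gap and checking that each asset only talks to the peers its role calls for, can be expressed as a small passive analysis over flow records. The following is an added example written for this article; it is not Claroty's tooling or anything from the USS Manchester investigation. The internal address ranges, the asset inventory, the role-to-role communication baseline and the six flow records are all constructed sample data, and the flow line format (timestamp, source, destination, protocol, port) is an assumed simplification of a NetFlow or connection-log export.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed assumption: address ranges the isolated network is expected to use.
# Any address outside these is, by definition, on the wrong side of the air gap.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed asset inventory: address -> role. An internal address that is not
# listed here is an asset the defenders have no visibility into.
INVENTORY = {
    "10.0.1.10": "plc",
    "10.0.1.20": "hmi",
    "10.0.1.30": "historian",
    "10.0.2.5": "bms-controller",
}

# Constructed communication baseline: (source role, destination role, port)
# triples that are expected for this topology.
BASELINE = {
    ("hmi", "plc", 502),               # Modbus/TCP polling
    ("historian", "plc", 502),         # Modbus/TCP polling
    ("hmi", "bms-controller", 47808),  # BACnet/IP
}

# Constructed flow records: "timestamp src dst proto port", one per line.
# 203.0.113.7 is a documentation (TEST-NET-3) address standing in for an
# external host; 192.168.77.1 is an internal address absent from the inventory.
SAMPLE_FLOWS = """\
2024-09-01T08:00:00Z 10.0.1.20 10.0.1.10 tcp 502
2024-09-01T08:00:05Z 10.0.1.30 10.0.1.10 tcp 502
2024-09-01T08:01:00Z 10.0.1.20 10.0.2.5 udp 47808
2024-09-01T08:02:00Z 192.168.77.1 10.0.1.20 tcp 443
2024-09-01T08:02:30Z 10.0.1.20 203.0.113.7 tcp 443
2024-09-01T08:03:00Z 10.0.1.10 10.0.1.30 tcp 22
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    port: int


def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        flows.append(Flow(ts, src, dst, proto, int(port)))
    return flows


def is_internal(ip):
    """True if the address falls inside one of the expected internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(flows):
    """Return (finding_type, flow) pairs, checked in order of severity.

    EXTERNAL_PEER : the air gap has been crossed (either endpoint is external).
    UNKNOWN_ASSET : an internal endpoint is missing from the inventory.
    OFF_BASELINE  : both endpoints are known, but this role/port pair is not
                    part of the expected communication pattern.
    """
    findings = []
    for f in flows:
        if not is_internal(f.src) or not is_internal(f.dst):
            findings.append(("EXTERNAL_PEER", f))
            continue
        for ip in (f.src, f.dst):
            if ip not in INVENTORY:
                findings.append(("UNKNOWN_ASSET", f))
                break
        else:  # runs only when neither endpoint triggered UNKNOWN_ASSET
            key = (INVENTORY[f.src], INVENTORY[f.dst], f.port)
            if key not in BASELINE:
                findings.append(("OFF_BASELINE", f))
    return findings


def summarize(findings):
    """Count findings by type, which is what a dashboard would trend over time."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    for kind, flow in analyse(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:14} {flow.ts} {flow.src} -> {flow.dst} {flow.proto}/{flow.port}")
```

On the sample data the first three flows match the baseline and produce nothing; the remaining three each trip a different check. The ordering matters for triage: an external peer is the signal that the air gap itself has failed, an unknown internal asset is the visibility gap the article describes (a rogue access point would first surface this way), and an off-baseline pair between known assets is the kind of subtle deviation that only a role-aware baseline can catch. In a real deployment the inventory and baseline would be learned from a period of observed traffic and reviewed by the operators rather than hand-written.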

Defense and critical infrastructure environments often feature a mix of new and legacy devices that communicate in diverse ways across multiple locations. Unfortunately, not all security tools can provide the necessary visibility for these unique environments while maintaining network integrity. This gap in security can lead to vulnerabilities that adversaries may exploit.

Rethinking Cybersecurity Strategies

Historically, air gapping has been a primary method for protecting OT environments from cyberattacks. While it remains a valid approach in certain scenarios, these networks require consistent monitoring to validate the integrity of the air gap. Without ongoing assurance of critical OT networks, air gaps can devolve into a mere illusion of security.

As technology becomes increasingly interconnected, relying solely on air gapping is becoming less effective. Defense organizations must adopt a multi-faceted cybersecurity strategy that combines air gapping with other protective measures. This holistic approach will enhance the resilience of defense networks against evolving cyber threats.

Conclusion

The USS Manchester incident serves as a cautionary tale for military and defense organizations worldwide. It highlights the critical importance of maintaining visibility and monitoring within air-gapped networks to ensure operational security. As cyber threats continue to evolve, defense organizations must adapt their strategies to safeguard sensitive information and maintain the integrity of their networks. The lessons learned from this incident should prompt a reevaluation of cybersecurity practices, ensuring that air gapping is complemented by robust monitoring and comprehensive security solutions.


Leon Poggioli is the ANZ Regional Director at Claroty, specializing in cybersecurity for operational technology environments.
