Windows for Submarines


I acknowledge that the title for this blog posting is an intriguing concept, but I thought it would get your attention better than the official project name – Submarine Command System Next Generation (SMCS NG).


Windows for Submarines is the programme undertaken by the Royal Navy and BAE Systems to equip the nuclear-propelled and nuclear-armed warship fleet with a Windows-based command system.  The transition to the Windows for Submarines command system on HMS Vigilant, a Trident nuclear missile submarine, was completed in just 18 days.


The Windows for Submarines programme is an example of one of the many areas where Microsoft works in partnership with the MOD to ensure that our products have the resilience, security and communications efficiency required to operate effectively in challenging military environments.


Posted by Ian

Comments (47)

  1. Omar Amer says:

    I have to ask in all seriousness – why was Windows chosen over Unix or Linux?  Cost of training people on the GNOME desktop?  Honda uses the GNOME desktop, or used to, for their Aibo robot project – I’ve never heard of a failure.  Granted, a nuclear sub is a very mission-critical operation – which is exactly why I’m bewildered at the choice of the Windows operating system.

    please shed some light on this,

    thanks.

    cheers!

    respectfully,

    -Omar

  2. pgt says:

    Well, at least it scares the hell out of any Linux penguins, having some Microsoft sub-nukes below their polar caps 🙂

    I’m not sure if this gives me a safer feeling.

    Although I wouldn’t say Linux would be safer, perhaps Apple could be... but Win2000, that’s quite old; they will lose MS support on their nuclear fleet soon.

    Support always goes 2 versions back.

  3. 18 days? You guys tested this, right? :S

    http://tinyurl.com/4xb727

  4. Mjoo says:

    And what about the future when Windows 2000 and XP security is no longer supported? (Which by the look of it is right around the bend)

    How much will it cost to upgrade the system then?

  5. Reno says:

    What about the blue screen of death?  What about a fatal boot error due to NTFS corruption?

    Yikes !

  6. RD says:

    I run a software company.  We develop bespoke software for a variety of platforms including Windows, and for government agencies.  (However, we have never been involved with the UK’s Trident program.)

    I’ve seen enough of the world to know that security and quality are not good bedfellows with the concept of profit.  

    It’s beyond me what fallacy of logic caused the UK to spend taxpayer’s money on foreign, proprietary and closed-source software, written by a company with a long history of serious flaws, ostensibly attributable to their continual conflict of quality/security vs. profit.  

    When the application is one of national security then, I believe the leaders of the UK should have a fiduciary duty to ensure that the UK has access to the source code and that the UK does their own vulnerability research on that source.  This is basic best practice and a matter of common sense. It simply is not sufficient to trust the consumer-grade products of a foreign, for-profit organization.  

    The linked article suggests that the migration will save 22M pounds over the next 10 years.  I’ve seen this kind of claim time and time again.  In my experience, it is usually the result of Microsoft contributing non-objective bias to the ROI analysis.  Such claims are most often nothing but bunk.

    Nevertheless, even if such savings were realized, then I am compelled to say that 22M pounds over 10 years is a piddling amount in the big picture.  To make such savings by forgoing what should be considered best practice is not, in my opinion, in the best interest of the UK taxpayers.

    Final words: Keep Windows for the home and office;  when it comes to matters of national security, be damn sure to take the path where profit margin takes a back seat to security.  

  7. SBrickey says:

    BSOD? aren’t those usually *driver* related?

     A) I’m guessing the Navy isn’t trying to use some ATI/NVidia card for its DirectX 10 support, so a tried and true card would work well

     B) I’m betting that they’re as strict or more so about WHCL than Windows Datacenter Edition (remember that? available to OEM only? requiring more aggressive driver testing/compatibility than the ‘retail’ Windows’?)… going back to point A, I wouldn’t worry as much about drivers

     C) App crashes – let’s hope they wrote some good code… and used recent languages/patterns (bounds checking, type safety, etc)… and let’s hope they trap their errors (nothing like a .Net Exception on your Nuke Launching app :))

     D) Regarding the file system, granted it seems that Win keeps the disk drives "busier" than Linux, but last I checked ext3 sucks as far as recovering (think "power outage" or other interruption)… I’ve not seen that happen w/ BSD’s FS, and I’ve not tried Reiser, so maybe those help (but is the Navy *really* going to use Reiser? doubtful IMHO, just from the publicity).

     E) Hopefully they built something redundant worth a crap (RAID for disks, hotswap PSU’s, running some sort of cluster / load balancing with another box). I imagine this to be the case, myself.

    I’d get a bigger laugh when someone spills their drink on the console, and all of the redundant systems go out 🙂 (though I’d guess their system redundancies are spread across the sub, not next to each other)

    just my .02

  8. Online Presence says:

    Regardless of whether it will work for or against the company, this is an extremely bold undertaking.  I honestly hope it works out best for everyone.

  9. Denzilot says:

    I have an insider view on this, as when the ‘Vanguard’ class of subs were being built in Barrow I was a member of the command system trials team... this was long before Windows and Microsoft, and needless to say niche software, produced in very small quantities, was much, much more unstable and buggy than any Windows release! I remember one long session where the only way the system would pass a particular trial was for everyone to ‘hands off’ their ‘pucks’ (an upside-down mouse) for 15 mins. All went well until 2 minutes to go and someone brushed by the puck. The system went down!!! After a very long day we managed to get past this step!!

    Give me Windows anytime!!!

  10. tippete says:

    Let’s end wars once and for all. Let’s switch all weapons to Windows..

  11. This could have been a better choice. It’s the OS running on the B-2 and F-22, among others.

    http://en.wikipedia.org/wiki/Integrity_(operating_system)

  12. ckd says:

    Windows has a great history in naval use:

    http://www.wired.com/science/discoveries/news/1998/07/13987

    "The source of the problem on the Yorktown was that bad data was fed into an application running on one of the 16 computers on the LAN. The data contained a zero where it shouldn’t have, and when the software attempted to divide by zero, a buffer overrun occurred — crashing the entire network and causing the ship to lose control of its propulsion system."

  13. Sure…. and I hope USB drives are forbidden from being used in the submarines, right?

    http://www.theregister.co.uk/2008/12/01/malware_pentagon_usb_ban/

    Oh, my! Sometimes I just need a higher dose of black humor to enjoy this kind of thing.

  14. SoCal Sam says:

    So by the logic that a company shouldn’t make a profit, then maybe the companies that make the electronics shouldn’t make a profit either.  Or the add-ons to the Trident vehicles.  Oh, wait a minute, the British paid for the Trident vehicle, and it is from the US.

    Ummm, maybe the US should not make any profit.

    No, that wouldn’t be the way the British work historically.  After all, many of the Japanese Naval ships hulls were built by the British for profit during the 1930s.  

    Come on, Linux, Unix, whatever, get over yourselves; you would be bragging about Linux being used when there are large patent infringements and security holes in the kernel.

    Microsoft is building a good operation around interoperability with open source; it is time for the Linux religious to get over themselves and start living in a world that doesn’t care that you only use free non-profit software.  Over the next few years the issue is going to be: MAKE MONEY.

    If you haven’t noticed, there is a big hole in the economic atmosphere.

  15. nix says:

    RD is right on so many levels.  I couldn’t have said it better myself.

    To reiterate:

    1) Use an OS that was specifically designed for a submarine; not a consumer grade OS.

    2) Profit should take a backseat.

    3) National security and using a closed source OS via another country isn’t a smart move.  Saving 22M pounds over national security isn’t wise.  Is national security only worth 22M pounds?

    DISCLAIMER: For the record; I am a US citizen.

  16. meneame.net says:

    The British Royal Navy and the company BAE Systems are testing a nuclear submarine control system based on Microsoft Windows. God help us all.

  17. DDevine says:

    This is ridiculous.

    Who in their right mind would use a MICROSOFT PRODUCT to power anything as critical as this?

    I thought the Australian government was stupid, but this is just beyond belief.

    SoCal Sam you are so naive to believe that Microsoft has ANY good intent. I can’t understand why people put so much faith in Microsoft – it consistently fails!

    I’m sorry to break it to some people but Windows really is crap when compared to Linux/Any number of Unixes or proprietary kernels. (For both the Desktop and the Submarine)

  18. Thiago Araujo says:

    In any case, I would not take "18 days" as a good result, but as an uncertain outcome. Military projects should receive more appropriate advice. If I were consulted on such an issue, I would examine two solutions:

    1) Use Minix, for its stable architecture for embedded systems and its microkernel paradigm, reducing the gaps and doing a fast reboot of components that failed [to learn more about Minix, please use your favorite search engine]

    2) Plan9, with its idea that "everything is a file", the fast allocation of resources through a network for heavy calculations or more accurate navigation systems, and which also applies a semi-microkernel. You can imagine a scenario like this: the submarine has a network [connected or not] of different processors [arm, intel, etc] and the calculation of a target is taking too long; using Plan9 you can "open" the idle processors, creating an instant cluster and making your calculation a lot faster. [to learn more about Plan9, use your favorite search engine]

  19. christ says:

    I thought this was a Microsoft blog? How on earth do they allow such news to get out? I would think they would be hiding such news to avoid the negative publicity. I guess any publicity is good publicity where Microsoft is concerned. If this was done to make a dollar I would have thought they would try to hide it so they could continue to do it elsewhere that security is a concern.

  20. Garth says:

    "Microsoft is building a good operation around interoperability with open source…"

    This is not the issue.  It is an issue of guaranteed uptime with a minimum of system crashes.  You could use all of the open source (or proprietary) code you want, but if the operating system is suspect, then you are sunk (no pun intended)

    Windows crashes.  Linux/UNIX does too, occasionally — but much, MUCH less.

  21. Jan says:

    Sailor pushes the button to fire upon an enemy; he gets the question "are you sure". After entering "yes" he gets the message "you have insufficient rights for this program". Meanwhile the enemy has already fired upon his ship and he gets the blue screen of death.

  22. Tim Matthews says:

    To offer my answers:

    Omar – Windows has a known, audited codebase. Linux is freely contributed by anybody. You can’t deploy code into this situation that’s not verified. Why pay to verify a linux kernel & tree when you already have Windows code that has passed the Rainbow Books.

    pgt – for a private engineering endeavour such as this, I feel that support cycles may be extended. This is almost certainly going to be based on semi-customised Windows XX Embedded, so we’re not talking a couple of £450 machines from PC World/Best Buy.

    Russell – Perhaps 18 days was the length of time taken for the final onsite install and validation? I’m pretty sure that HMG didn’t come to MS 18 days ago and mumble "So, how’s about some windows in our subs, dude?"

    RD – some good points. But I am certain that the CESG, GCHQ et al have all been involved with this from the start to validate both the platform and the design. The MOD doesn’t let just anybody get into nuclear work spaces. And as for source code – I would argue the value (or lack thereof) of having a UK gov team go over it, but I would be very surprised if we don’t have source code escrow at a minimum. If an MVP can get the source, I’m sure HMG can too. But that leads on – what value is there in dumping the entire Windows Embedded source tree onto a group of CESG techs? Not only are you asking them to "check for holes", but you need them to read and understand a tree which has been authored over many tens of man years! It doesn’t seem likely to be practical to me.

    And finally, I would be very surprised if this actually controls the missiles. Separation of duties in fault-intolerant environments? The general purpose ship system will be waaay disconnected from the red button.

    thanks,

    tim

  23. UggaBugga says:

    > Well, at least it scares the hell out of any Linux penguins, having some Microsoft sub-nukes below their polar caps 🙂

    The polar ice cap is on the north pole.  The south pole, where the penguins live, is solid rock. No floating icecap for subs to glide below.

  24. gudday2balive says:

    Given that a lot of mission-critical systems, e.g. nuclear power plants, are running Windows NT 🙂 … this is a step in the right direction 🙂

  25. Charles says:

    There is at least one case of a user-initiated flaw in a Windows system rendering an entire warship inoperative:

    http://en.wikipedia.org/wiki/USS_Yorktown_(CG-48)#Smart_ship_testbed

    "In 21 September 1997 while on maneuvers off the coast of Cape Charles, Virginia, a crew member entered a zero into a database field causing a divide by zero error in the ship’s Remote Data Base Manager which brought down all the machines on the network, causing the ship’s propulsion system to fail."

    It’s not clear, and probably never will be, if the flaw was the Windows NT OS or a problem with some other non-Windows component, but it should at least serve as a serious cautionary tale.

  26. TheOne says:

    > D) Regarding the file system, granted it seems that Win keeps the disk drives "busier" than Linux, but last I checked ext3 sucks as far as recovering (think "power outage" or other interruption)… I’ve not seen that happen w/ BSD’s FS, and I’ve not tried Reiser, so maybe those help (but is the Navy *really* going to use Reiser? doubtful IMHO, just from the publicity).

    xfs works well for this, and ext3 is fine for small partitions (such as /).

  27. John Keels says:

    I hope they are not using windows for any MISSION CRITICAL or SAFETY CRITICAL systems.  That would scare the S&*& out of me!  LOL  Actually, this sounds more like something the US government would do.

    Dumb de dumb dumb dumb

  28. Bhaskar says:

    I guess it is a few years since http://www.wired.com/science/discoveries/news/1998/07/13987 – is Windows more secure now?

  29. zztop says:

    "MAKE MONEY" … that’s the reason why the world economy is collapsing. It’s all about "getting more profit margin, mmmoooorrrreeeee". Sooner or later it will have to come down … maybe now is that time.

  30. Saif says:

    Alright guys, who is up for an open source defence system?  Would we be allowed access to the source code under GPL rules? The system should be closed source.  But it should be home brewed.  Having the architecture and associated vulnerabilities widely published is clearly giving away information that should be secret.

    MS is of course out to make money; it is what they do.  And with things like defence and health a good marketing strategy will always defeat common sense. Both of these are run by IT-ignorant people who listen to hype and FUD, and have access to a bottomless pit of funds.  Both services will be easy to convince that this is a great deal.  Other systems providers just wouldn’t be able to compete no matter how good their architecture.

  31. ZB says:

    The thought of any OS that is used on everyday computers in a nuclear sub is frightening. It doesn’t matter if it’s Linux, Windows, or Mac. They all have problems with crashing, security holes, and not to mention, are all for profit. (yes even Linux) You may not pay for the software but imagine what the bill would be for support on a nuclear sub when it’s under 800ft of water and it decides to crash.

  33. Kirk Black says:

    LOL watch the nuclear reactor blow up when they get a Blue Screen of Death and end the world

  34. valisk says:

    Oh – my – god. The world better be prepared to duck & cover. Often.

  35. Anonymous says:

    Sorry, but security holes in the Linux kernel? I’m sure that’s true on SOME planet.

    The point for MICROSOFT is to make money. The point of the Royal Navy is to defend the country. Unix’s/Linux’s security and reliability has been tried, tested and proven time and time again: Microsoft may have 90% of the market share, but Linux runs 90% of the internet, including Google, MySpace, FaceBook and other very popular websites.

    Not only does Linux run a lot of the internet, but some Linux distributions have been specifically designed to:

    Turn a computer into a dedicated firewall (which is *obviously* proof of its insecurity. </sarc>);

    Run hospital life support systems;

    (more recently) aid communications between the police on handheld devices in England;

    Run, calculate and display results of the LHC;

    etc. etc. etc.

    If you haven’t noticed, Linux isn’t affected by the economy: Microsoft is. That’s because Microsoft is driven by profit: profit stops, the company rolls over and chokes to death. Linux is a not-for-profit project; it is added to and improved by volunteers. MILLIONS of volunteers. More volunteers than Microsoft has employees. Bugs in the Linux source code are fixed in weeks, or even days; bugs in Windows source code are fixed in months, by comparison.

    And let’s not forget, because Linux is a not-for-profit project, whether it’s successful or not doesn’t depend on the number of people that use it: it depends on whether it does the job for the person/organisation using it. Seeing as the person/organisation using it is often the person/organisation changing the source to suit their specific needs, it very often is successful. Whether Windows is successful or not isn’t determined by whether it works, whether it does a specific task or whether it runs on specific hardware; it’s determined by whether it makes Microsoft money. Therefore it isn’t specifically built, there aren’t thousands of different distributions designed to do a specific task each, and the company paying Microsoft to use its operating system isn’t allowed to change it: in this case, if they want Windows to do a specific task such as fire missiles or take data from radar scanners and translate it into digital output, the Navy would have to fork out more of the taxpayer’s money to pay Microsoft (or some other company) to do that.

  36. Ben says:

    > there are large patent infringements and security holes in the kernel.

    In Russia, someone has just obtained a patent for smileys.

    🙂 Sue me 😛

    Microsoft gives out tons of FUD about this, and only very stupid people give support. They could no longer succeed pursuing this avenue than they have done many times before – the truth is that Patent law needs revising.

    I am fairly unaware of security holes in my computer – I have no signs of intrusion, and not a single byte of software running that I didn’t intentionally install myself.

    Microsoft are using a ‘dock-like’ method of launching software in ‘cloud’ – isn’t that patented by Apple? Microsoft patented ‘super user login for admin tasks’ – hasn’t that been going on from the first days of Unix?

    Stop talking crap and behaving like an idiot. Grow up.

  37. My original blog posting on Windows for Submarines seems to have caused a bit of a stramash in the blogosphere.

  38. Anonymous says:

    Can you provide a link to an article highlighting the security holes in the latest Linux kernel? I’m curious.

  39. Beholder says:

    I once worked on a military project (not in the UK though), which required reliable realtime systems. At some point some ministry "IT people" appeared and reviewed the equipment and asked some questions. One of them was "Why don’t you just use Windows 95?" Really, they asked that stupid question. The ideal customer for a greedy seller is a stupid one. It’s a shame, though, when idiots can decide what means are to be used for national security. I’m all for a home-brewed or customized OSS solution (no, that does not necessarily mean that you have to give away your source code to the whole world).

  40. Rich says:

    One thing that really irritates me about this sort of thing is the amount of Public Money poured into this project, with no benefit to the average user.

    The submarines will be running Windows 2000, and due to the nature of the project, and the fact that the UK will be paying Microsoft top-dollar for the software and support, Microsoft will be obliged to provide security updates for this Operating System until it is retired.

    However, these security fixes will NOT be released to the public past Microsoft’s published deadline of mid-2010, due to stubborn marketing concerns.

    I’ve never been in love with any Microsoft operating system; they just don’t really have that kind of fan support. But I don’t mind Windows 2000; I legally own several machines which have a Windows 2000 COA label, so I don’t need to pay the Windows Tax (TM) on these. However, the lack of support from Microsoft and other vendors is already starting to irritate me.

    Microsoft could do the decent thing and issue rollup patches to the public from time-to-time after the 2010 deadline, but since when have they acted in the interests of their users in this way?

  41. RD says:

    I posted a reply earlier, in which I noted the conflict between code quality and profit, plus indicated my disdain for the UK government relying upon foreign, closed source software.  Reading the subsequent replies, I think some people have taken the wrong focus from my comments.  So, let me clarify some points.

    First of all, I never advocated the use of Linux.  I deliberately didn’t even use the term “open source”.  Instead, what I did say is that the UK government should have access to the source, which is a very different statement.  The use of open source software is one way of achieving access; as such Linux or any other open source OS might fit the bill, provided it meets other engineering objectives.  An alternative to open source would be the special licensing of otherwise closed-source code.  Yet another approach might be to develop the code in house.  There are many alternatives, thus it is naive to take my comments as being pro-Linux. The reader should have instead understood that I am in favor of due diligence, good engineering and sensible, cost effective and secure solutions.  This neither specifically includes nor precludes Linux.  However, the tenet of my argument should preclude the use of Windows, which was my original point.

    Secondly, although I never advocated the use of Linux specifically, I will redress what I feel is a common misconception and one that is repeated often above.  Neither Windows nor Linux, nor any other operating system are without fault.  Engaging in a flame-war about the relative security of the various alternatives is largely futile unless an objective measurement of each can be made.   It is this point that leads us to an important difference between Windows and those alternatives for which the source is available; whereas the latter can actually be analyzed by the UK Government for security vulnerabilities, the former (Windows) cannot.  

    Lastly, I think some people have a very narrow view of what is or is not capitalistic.  My company is very definitely a for-profit organization.  As a frequent government contractor, we take on plenty of work that is either “firm-fixed price” or “cost plus” in nature.  In both cases, we will always have specific deliverables in terms of functionality, for a given price.  Moreover, the Government has oversight on what we can reasonably charge as direct labour rates and overhead.  These types of contract are exactly what I expect are applied to hardware vendors on government programs too.  Contrary to an earlier comment, which drew inference of not-for-profit hardware vendors, these mechanisms are entirely consistent with capitalistic ideals – nobody is working for potatoes here.  The important point is that both mechanisms allow us to pay our staff and overhead and perhaps make a little extra for disbursement to shareholders, whilst the government gets control over the technical road map of future features and the quality thereof.  By contrast, when you buy into a large, proprietary, closed-source consumer system, and especially foreign ones, you pay a fixed fee that includes substantial and infinitely variable profit, with no forward guarantees or other control on the technical road map or quality.

    As a final comment, and as an analogy to the problem of infinitely inflatable profit margins, I would ask the US readers amongst us to comment on whether they perceive that the current nature of their health system is at odds with the goal of providing affordable health care for all.  At the same time I would ask the UK readers to comment (whilst carefully remembering that all such systems must be marginally underfunded by design as a supply-demand control mechanism) whether doctors and nurses in the UK receive salaries or potatoes?

  42. RD says:

    …and a directed reply to Denzilot…

    Sounds like you guys had a tough time of it.  You have my sympathy.  However, without intending to offend, software that is so error-prone cannot be considered a high quality product by any measure.

    A modern Windows installation might be preferable to your difficult experience on the Vanguard class of submarines, many years ago.  Nevertheless, when looking forward to the future, the yardstick that we use to ensure quality standards are met cannot be that of previous failure.  As much as experience is essential, it is also often true that yesterday’s answers have nothing to do with today’s questions.

  43. nixer says:

    So much for Windows security..

    http://www.theregister.co.uk/2009/01/15/royal_navy_email_virus_outage/

    Seems like the article mentions the Fujitsu hardware, but mysteriously fails to mention the Windows OS.

  44. RD says:

    Read this, about the viral infection of NavyStar system: http://www.itpro.co.uk/609550/royal-navy-systems-hit-by-computer-virus

    Now go look at the diagram shown on page 10 of http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/media/certreps/CRP230.pdf.  Note in particular the box at the bottom of the diagram, with the words "NavyStar PC’s with Windows XP".

    Go figure.  

  45. Durex Girl says:

    There certainly needs to be a high level of trust between the government (MOD) and their supplier to adopt a closed source system. Although I’m very much a *nix fan and have used Solaris, Irix and Linux, I’m constantly amazed at the MS bashing that goes on with *nix fans.

    In general I think a far more important factor is the individuals implementing and configuring a system and their skills, not the choice of operating system. Of course this is a generalization – sometimes *nix is demonstrably better and on other occasions MS Windows.

  46. Alex says:

    Navigator: captain, we just hit an iceberg!!!!!

    captain: looks like windows

    *puts on sunglasses

    has crashed

    YEEEEEEEEEEEEEEEEEEEAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHH!!!!!!!!!

  47. Ash says:

    What’s a better nuclear deterrent? A nuclear submarine, or a nuclear submarine controlled by a Windows OS?

    Think about it 🙂