Maritime Cybersecurity: No Substitute for Testing

Uploaded on 2017-11-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Transport & Travel

By Chronis Kapalidis.

When no defence is completely effective against cyberattacks, it is vital to test responses to the inevitable incursions. Concerns were raised about the cyber vulnerability of the new HMS Queen Elizabeth (pictured).

It is not a matter of if you will be attacked, but when. No organization, be those international institutions, government agencies or small businesses can ever be 100 per cent cyberattack proof, as several examples have recently indicated. Therefore preparedness, in the form of testing cybersecurity structure via different tools for any potential attacks, is vital for minimizing cyber risks. This is as true for the maritime sector and any other, since the outcomes of such an attack may vary from loss of revenue to environmental disaster and loss of life.

Testing, as a feedback process, is required for two reasons. Varying from large scale simulation exercises to pen-testing and internal drills, the initial aim is to identify potential deficiencies, vulnerabilities and back doors to the systems under test. In addition, testing helps to define the most effective code of practise when such an attack occurs; in other words, to develop an effective contingency plan.

The effects of the Petya ransomware attack on AP Moller-Maersk in June this year indicate that the dependence of the international maritime community on cyberspace is substantially increasing and, thus, exposed to new and uncalculated vulnerabilities. The Petya attack on Maersk was not a targeted one but nonetheless caused extensive problems in several of its port terminals across the globe. This collateral attack resulted in revenue loss of around $300 million. One can only imagine what the actual scale of the consequences would have been had this been an advanced persistent threat (APT) attack. It seems that no matter how prepared the company claims to have been for such an attack, their feedback process appeared to be inefficient. The shipping giant was unable to resume normal operations within a limited time frame and keep the loss of revenue at a minimum level.

Another apt example that highlights the poor understanding of the problem is the controversy as to whether the Royal Navy’s newly commissioned aircraft carrier is using Windows XP as the main software platform. This is potentially problematic given the recent vulnerability of the software during the WannaCry attack. There is broad speculation about the navy’s planning, since one would expect that newly deployed units are well prepared in terms of software and hardware protection, using state-of-the-art technology which is difficult to infiltrate. However, it should be understood that, as the Ministry of Defence highlighted, it is common practice for newly commissioned, and especially prototype, warships to utilize commercial software while they undergo their Harbour Acceptance and Sea Acceptance Tests (HATs and SATs). Instead, the focus should be on persistent cyber testing of the new software that will be installed in the platform once the carrier is fully operational in 2023.

To that end, considering that it requires high levels of expertise of cybersecurity to plan and perform these tests, companies should assign this task to trustworthy third party IT firms and ensure that it is a completely different and unconnected company from the one that designed and set up the IT infrastructure and cybersecurity framework of the corporation. These considerations are particularly sensitive when applied in the defence sector, due to significant security risks that the corporation may be exposed to when outsourcing its cyber policy.

The testing procedure, in order to mitigate risk regarding cyberattacks, should be comprehensive and focus on three main pillars within each commercial and military organization: the human factor, the infrastructure and the procedures.

Corporations within the maritime sector, including those that work in the defence sector, should educate and train their staff in order to build a cybersecurity culture. The challenge is to maintain this culture, especially at-sea, when a ship may be underway for large periods of time; that is when testing and training comes into play.
They should invest resources in installing the most suitable cybersecurity equipment for the organization’s infrastructure, in terms of software and hardware, while this equipment should constantly be tested by both in-house and third party experts.
Procedures followed within the organization’s everyday routine – be that email exchange, sensor and weapon monitoring or use of online financial transactions – should be periodically evaluated and revised in order to remain cyber-resilient.
The maritime sector, which includes navies, coastguards, commercial shipping and the cruise industry, has built its excellence by investing in equipment and training. Over countless hours of tests, exercises and drills within the sterile environment of the ship or up to large scale multi-coalition deployments, the sector and the companies associated with it are constantly investing time and resources to learn from mistakes. Fortressing an organization against cyberattacks and maintaining a cyber resilient working environment, both on-shore and at-sea, requires the same approach.

Chatham House

Chronis Kapalidis is Academy Fellow, International Security Department Royal Insitute of International Affairs 

You Might Also Read: 

Cybersecurity Can Learn From Maritime Security:

Cyber Security On the High Seas:

 

« UK Must Prepare For The 4th Industrial Revolution
Cyber Defense Is All About Political Decisions »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Nimbusec

Nimbusec

Nimbusec scans your website around the clock and informs immediately if it has been hacked or manipulated

Lares Consulting

Lares Consulting

Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing and coaching.

CybSafe

CybSafe

CybSafe is a cloud-based platform focussed on addressing the human component of cyber security - an intelligent approach to awareness training.

Fedco International

Fedco International

Fedco International is an IT and SCADA ICS Security consultancy firm.

Sapien Cyber

Sapien Cyber

Sapien Cyber is an Australian company bringing leading-edge cyber security and threat intelligence solutions.

Montimage

Montimage

Montimage develops tools for testing and monitoring networks, applications and services; in particular, for the verification of functional, performance (QoS/QoE) and security aspects.

iQuila

iQuila

iQuila is a virtual overlay network which runs on top of an existing network. It creates a secure software enabled layer 2 connection across the internet or any public or private cloud.

ReFirm Labs

ReFirm Labs

ReFirm Labs provides the tools you need for firmware security, vetting, analysis and continuous IoT security monitoring.

SimSpace

SimSpace

SimSpace is the visionary yet practical platform for measuring how your security system responds under actual, sustained attack.

Informer

Informer

Informer provides an Attack Surface Management SaaS platform alongside penetration testing services. We combine machine learning and human intelligence to reduce cyber risk.

ThreatReady Resources

ThreatReady Resources

ThreatReady reduces an organization’s risk by delivering cyber security awareness training based on the latest, state-of-the-art learning science to effectively drive long-term cyber-safe behavior.

Seigur

Seigur

Seigur is an IT consultancy business providing flexible legal and cyber security services for IT and data privacy programmes.

VicOne

VicOne

With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry.

Infisign

Infisign

Infisign addresses the challenges of traditional IAM systems and offers a comprehensive solution for modern identity management.

Aim Security

Aim Security

Aim empowers enterprises to unlock the full potential of GenAI technology without compromising security. GenAI makes business better - Aim makes GenAI secure.

Scality

Scality

Scality storage unifies data management from edge to core to cloud. Our market-leading file and object storage software protects data on-premises and in hybrid and multi-cloud environments.

Q-Bird

Q-Bird

Q*Bird's mission is to provide equipment for the current, and future European quantum internet.

Strategic Security Solutions (S3)

Strategic Security Solutions (S3)

S3 is a leading provider of Cybersecurity consulting services for Identity and Access Governance (IAG), Zero Trust, and Enterprise Risk and Compliance.