Maritime Cybersecurity: No Substitute for Testing

By Chronis Kapalidis.

When no defence is completely effective against cyberattacks, it is vital to test responses to the inevitable incursions. Concerns were raised about the cyber vulnerability of the new HMS Queen Elizabeth (pictured).

It is not a matter of if you will be attacked, but when. No organization, be those international institutions, government agencies or small businesses can ever be 100 per cent cyberattack proof, as several examples have recently indicated. Therefore preparedness, in the form of testing cybersecurity structure via different tools for any potential attacks, is vital for minimizing cyber risks. This is as true for the maritime sector and any other, since the outcomes of such an attack may vary from loss of revenue to environmental disaster and loss of life.

Testing, as a feedback process, is required for two reasons. Varying from large scale simulation exercises to pen-testing and internal drills, the initial aim is to identify potential deficiencies, vulnerabilities and back doors to the systems under test. In addition, testing helps to define the most effective code of practise when such an attack occurs; in other words, to develop an effective contingency plan.

The effects of the Petya ransomware attack on AP Moller-Maersk in June this year indicate that the dependence of the international maritime community on cyberspace is substantially increasing and, thus, exposed to new and uncalculated vulnerabilities. The Petya attack on Maersk was not a targeted one but nonetheless caused extensive problems in several of its port terminals across the globe. This collateral attack resulted in revenue loss of around $300 million. One can only imagine what the actual scale of the consequences would have been had this been an advanced persistent threat (APT) attack. It seems that no matter how prepared the company claims to have been for such an attack, their feedback process appeared to be inefficient. The shipping giant was unable to resume normal operations within a limited time frame and keep the loss of revenue at a minimum level.

Another apt example that highlights the poor understanding of the problem is the controversy as to whether the Royal Navy’s newly commissioned aircraft carrier is using Windows XP as the main software platform. This is potentially problematic given the recent vulnerability of the software during the WannaCry attack. There is broad speculation about the navy’s planning, since one would expect that newly deployed units are well prepared in terms of software and hardware protection, using state-of-the-art technology which is difficult to infiltrate. However, it should be understood that, as the Ministry of Defence highlighted, it is common practice for newly commissioned, and especially prototype, warships to utilize commercial software while they undergo their Harbour Acceptance and Sea Acceptance Tests (HATs and SATs). Instead, the focus should be on persistent cyber testing of the new software that will be installed in the platform once the carrier is fully operational in 2023.

To that end, considering that it requires high levels of expertise of cybersecurity to plan and perform these tests, companies should assign this task to trustworthy third party IT firms and ensure that it is a completely different and unconnected company from the one that designed and set up the IT infrastructure and cybersecurity framework of the corporation. These considerations are particularly sensitive when applied in the defence sector, due to significant security risks that the corporation may be exposed to when outsourcing its cyber policy.

The testing procedure, in order to mitigate risk regarding cyberattacks, should be comprehensive and focus on three main pillars within each commercial and military organization: the human factor, the infrastructure and the procedures.

Corporations within the maritime sector, including those that work in the defence sector, should educate and train their staff in order to build a cybersecurity culture. The challenge is to maintain this culture, especially at-sea, when a ship may be underway for large periods of time; that is when testing and training comes into play.
They should invest resources in installing the most suitable cybersecurity equipment for the organization’s infrastructure, in terms of software and hardware, while this equipment should constantly be tested by both in-house and third party experts.
Procedures followed within the organization’s everyday routine – be that email exchange, sensor and weapon monitoring or use of online financial transactions – should be periodically evaluated and revised in order to remain cyber-resilient.
The maritime sector, which includes navies, coastguards, commercial shipping and the cruise industry, has built its excellence by investing in equipment and training. Over countless hours of tests, exercises and drills within the sterile environment of the ship or up to large scale multi-coalition deployments, the sector and the companies associated with it are constantly investing time and resources to learn from mistakes. Fortressing an organization against cyberattacks and maintaining a cyber resilient working environment, both on-shore and at-sea, requires the same approach.

Chatham House

Chronis Kapalidis is Academy Fellow, International Security Department Royal Insitute of International Affairs 

You Might Also Read: 

Cybersecurity Can Learn From Maritime Security:

Cyber Security On the High Seas:

 

« UK Must Prepare For The 4th Industrial Revolution
Cyber Defense Is All About Political Decisions »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Prewen

Prewen

Prewen provide solutions to protect sensitive data across the organisation.

Uniken

Uniken

Uniken REL-ID is a safe, simple, and scalable security platform that tightly integrates your identity, authentication, and channel security.

SHIELD

SHIELD

SHIELD is an established end-to-end fraud management solution that blocks fraudulent activities such as account takeovers, fake accounts creation, fraudulent payments, loyalty fraud and more.

Liquid Technology

Liquid Technology

Liquid Technology provide DOD- and NIST-compliant data destruction and EPA-compliant e-waste disposal and recycling services throughout North America, Europe and Asia.

HacWare

HacWare

HacWare is a data driven cybersecurity awareness product that leverages machine learning and behavior analytics help IT professionals combat phishing.

Cyberwatch Finland

Cyberwatch Finland

Cyberwatch Finland's services improve decision-makers’ strategic situational picture and enable successful holistic cyber risk management.

LogicGate

LogicGate

The LogicGate Risk Cloud™ is an agile GRC cloud solution that combines powerful functionality with intuitive design to enhance enterprise GRC programs.

Blackrock Cyber

Blackrock Cyber

Blackrock Cyber consults on critical security decisions, oversees compliance for your payment initiatives, and details cyber security training for your entire organization and board reporting.

watchTowr

watchTowr

Continuous Attack Surface Testing, with the watchTowr Platform. The future of Attack Surface Management.

Protexxa

Protexxa

Protexxa is a B2B SaaS cybersecurity platform that leverages Artificial Intelligence to rapidly identify, evaluate, predict, and resolve cyber issues for employees.

Normalyze

Normalyze

Normalyze are solving some of the most painful problems enterprise IT security teams face in the cloud and data security space. We help enterprises protect all the data they run in the cloud.

SecurityStudio

SecurityStudio

SecurityStudio is a continuous cybersecurity risk management platform that allows decision-makers to quickly identify the most immediate threats and make confident risk informed decisions.

Cyber & Data Protection

Cyber & Data Protection

Cyber & Data Protection Limited supports Charities, Educational Trusts and Private Schools, Hospitality and Legal organisations by keeping their data secure and usable.

DuckDuckGoose

DuckDuckGoose

DuckDuckGoose offer advanced solutions to protect against manipulated videos, images, voices and texts.

SecZone

SecZone

SecZone is a Chinese enterprise with a mission to "Make It Secure." We are dedicated to driving software security innovation globally.

BCX

BCX

BCX, a subsidiary within Telkom Group, is one of Africa’s largest systems integrator and digital transformation partners for enterprises and public sector organisations.