Maritime Cybersecurity: No Substitute for Testing

By Chronis Kapalidis.

When no defence is completely effective against cyberattacks, it is vital to test responses to the inevitable incursions. Concerns were raised about the cyber vulnerability of the new HMS Queen Elizabeth (pictured).

It is not a matter of if you will be attacked, but when. No organization, be those international institutions, government agencies or small businesses can ever be 100 per cent cyberattack proof, as several examples have recently indicated. Therefore preparedness, in the form of testing cybersecurity structure via different tools for any potential attacks, is vital for minimizing cyber risks. This is as true for the maritime sector and any other, since the outcomes of such an attack may vary from loss of revenue to environmental disaster and loss of life.

Testing, as a feedback process, is required for two reasons. Varying from large scale simulation exercises to pen-testing and internal drills, the initial aim is to identify potential deficiencies, vulnerabilities and back doors to the systems under test. In addition, testing helps to define the most effective code of practise when such an attack occurs; in other words, to develop an effective contingency plan.

The effects of the Petya ransomware attack on AP Moller-Maersk in June this year indicate that the dependence of the international maritime community on cyberspace is substantially increasing and, thus, exposed to new and uncalculated vulnerabilities. The Petya attack on Maersk was not a targeted one but nonetheless caused extensive problems in several of its port terminals across the globe. This collateral attack resulted in revenue loss of around $300 million. One can only imagine what the actual scale of the consequences would have been had this been an advanced persistent threat (APT) attack. It seems that no matter how prepared the company claims to have been for such an attack, their feedback process appeared to be inefficient. The shipping giant was unable to resume normal operations within a limited time frame and keep the loss of revenue at a minimum level.

Another apt example that highlights the poor understanding of the problem is the controversy as to whether the Royal Navy’s newly commissioned aircraft carrier is using Windows XP as the main software platform. This is potentially problematic given the recent vulnerability of the software during the WannaCry attack. There is broad speculation about the navy’s planning, since one would expect that newly deployed units are well prepared in terms of software and hardware protection, using state-of-the-art technology which is difficult to infiltrate. However, it should be understood that, as the Ministry of Defence highlighted, it is common practice for newly commissioned, and especially prototype, warships to utilize commercial software while they undergo their Harbour Acceptance and Sea Acceptance Tests (HATs and SATs). Instead, the focus should be on persistent cyber testing of the new software that will be installed in the platform once the carrier is fully operational in 2023.

To that end, considering that it requires high levels of expertise of cybersecurity to plan and perform these tests, companies should assign this task to trustworthy third party IT firms and ensure that it is a completely different and unconnected company from the one that designed and set up the IT infrastructure and cybersecurity framework of the corporation. These considerations are particularly sensitive when applied in the defence sector, due to significant security risks that the corporation may be exposed to when outsourcing its cyber policy.

The testing procedure, in order to mitigate risk regarding cyberattacks, should be comprehensive and focus on three main pillars within each commercial and military organization: the human factor, the infrastructure and the procedures.

Corporations within the maritime sector, including those that work in the defence sector, should educate and train their staff in order to build a cybersecurity culture. The challenge is to maintain this culture, especially at-sea, when a ship may be underway for large periods of time; that is when testing and training comes into play.
They should invest resources in installing the most suitable cybersecurity equipment for the organization’s infrastructure, in terms of software and hardware, while this equipment should constantly be tested by both in-house and third party experts.
Procedures followed within the organization’s everyday routine – be that email exchange, sensor and weapon monitoring or use of online financial transactions – should be periodically evaluated and revised in order to remain cyber-resilient.
The maritime sector, which includes navies, coastguards, commercial shipping and the cruise industry, has built its excellence by investing in equipment and training. Over countless hours of tests, exercises and drills within the sterile environment of the ship or up to large scale multi-coalition deployments, the sector and the companies associated with it are constantly investing time and resources to learn from mistakes. Fortressing an organization against cyberattacks and maintaining a cyber resilient working environment, both on-shore and at-sea, requires the same approach.

Chatham House

Chronis Kapalidis is Academy Fellow, International Security Department Royal Insitute of International Affairs 

You Might Also Read: 

Cybersecurity Can Learn From Maritime Security:

Cyber Security On the High Seas:

 

« UK Must Prepare For The 4th Industrial Revolution
Cyber Defense Is All About Political Decisions »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

eSentire

eSentire

eSentire is the authority in Managed Detection and Response Services, protecting the critical data and applications of organizations from known and unknown cyber threats.

Cyber Defense Media Group (CDMG)

Cyber Defense Media Group (CDMG)

CDMG is the leading global media group for all things cyber defense.

IPVanish

IPVanish

IPVanish has its roots in over 15 years of network management, IP services, and content delivery services. Now we're bringing these finely honed skills to VPN.

Malware Patrol

Malware Patrol

Malware Patrol provides intelligent threat data that protects against cyber attacks.

The ai Corporation

The ai Corporation

The ai Enterprise Fraud Solution is an on-prem or cloud-based self-service, machine learning fraud detection and prevention tool set.

Cyber Security Courses

Cyber Security Courses

Cyber Security Courses was formed to help students in the UK find cyber security courses online.

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange is a new initiative dedicated to advancing effective and innovative public policy in cybersecurity and digital privacy.

Comparitech

Comparitech

Comparitech strives to promote cyber security and privacy for all. We are committed to providing detailed information to help our readers become more cyber secure and cyber aware.

Cyber Chasse

Cyber Chasse

Cyber Chasse is an IT consulting and staffing company offering a full range of cybersecurity solutions, contract staffing services and online training courses.

BrainStorm

BrainStorm

BrainStorm Threat Defense takes a new human-focused approach to security awareness that traditional training lacks. It’s a cutting-edge platform to make your users more security savvy.

Clearvision

Clearvision

As an Atlassian Platinum Solution Partner, Clearvision works with teams in the UK and US, providing solutions for the Atlassian stack, Git and open source tooling.

Armolon

Armolon

Armolon provides comprehensive data breach and cybersecurity, as well cybersecurity audits and certifications, and disaster recovery/business continuity services to clients.

Entro Security

Entro Security

Entro is the first holistic secrets security platform that detects, safeguards, and enriches with context your secrets across code, vaults, chats, and platforms.

Alpha Echo

Alpha Echo

Specialising in security advice and enterprise-wide Cyberworthiness, Alpha Echo helps Australia deliver on cyber outcomes at a military grade level.

Fraud.net

Fraud.net

Fraud.net operates the first end-to-end fraud management and revenue enhancement ecosystem specifically built for digital enterprises and fintechs globally.

Airbus Protect

Airbus Protect

Airbus Protect is an Airbus subsidiary bringing together the Company’s expertise in cybersecurity, safety and sustainability-related services.