Maritime Cybersecurity: No Substitute for Testing

Uploaded on 2017-11-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Transport & Travel

By Chronis Kapalidis.

When no defence is completely effective against cyberattacks, it is vital to test responses to the inevitable incursions. Concerns were raised about the cyber vulnerability of the new HMS Queen Elizabeth (pictured).

It is not a matter of if you will be attacked, but when. No organization, be those international institutions, government agencies or small businesses can ever be 100 per cent cyberattack proof, as several examples have recently indicated. Therefore preparedness, in the form of testing cybersecurity structure via different tools for any potential attacks, is vital for minimizing cyber risks. This is as true for the maritime sector and any other, since the outcomes of such an attack may vary from loss of revenue to environmental disaster and loss of life.

Testing, as a feedback process, is required for two reasons. Varying from large scale simulation exercises to pen-testing and internal drills, the initial aim is to identify potential deficiencies, vulnerabilities and back doors to the systems under test. In addition, testing helps to define the most effective code of practise when such an attack occurs; in other words, to develop an effective contingency plan.

The effects of the Petya ransomware attack on AP Moller-Maersk in June this year indicate that the dependence of the international maritime community on cyberspace is substantially increasing and, thus, exposed to new and uncalculated vulnerabilities. The Petya attack on Maersk was not a targeted one but nonetheless caused extensive problems in several of its port terminals across the globe. This collateral attack resulted in revenue loss of around $300 million. One can only imagine what the actual scale of the consequences would have been had this been an advanced persistent threat (APT) attack. It seems that no matter how prepared the company claims to have been for such an attack, their feedback process appeared to be inefficient. The shipping giant was unable to resume normal operations within a limited time frame and keep the loss of revenue at a minimum level.

Another apt example that highlights the poor understanding of the problem is the controversy as to whether the Royal Navy’s newly commissioned aircraft carrier is using Windows XP as the main software platform. This is potentially problematic given the recent vulnerability of the software during the WannaCry attack. There is broad speculation about the navy’s planning, since one would expect that newly deployed units are well prepared in terms of software and hardware protection, using state-of-the-art technology which is difficult to infiltrate. However, it should be understood that, as the Ministry of Defence highlighted, it is common practice for newly commissioned, and especially prototype, warships to utilize commercial software while they undergo their Harbour Acceptance and Sea Acceptance Tests (HATs and SATs). Instead, the focus should be on persistent cyber testing of the new software that will be installed in the platform once the carrier is fully operational in 2023.

To that end, considering that it requires high levels of expertise of cybersecurity to plan and perform these tests, companies should assign this task to trustworthy third party IT firms and ensure that it is a completely different and unconnected company from the one that designed and set up the IT infrastructure and cybersecurity framework of the corporation. These considerations are particularly sensitive when applied in the defence sector, due to significant security risks that the corporation may be exposed to when outsourcing its cyber policy.

The testing procedure, in order to mitigate risk regarding cyberattacks, should be comprehensive and focus on three main pillars within each commercial and military organization: the human factor, the infrastructure and the procedures.

Corporations within the maritime sector, including those that work in the defence sector, should educate and train their staff in order to build a cybersecurity culture. The challenge is to maintain this culture, especially at-sea, when a ship may be underway for large periods of time; that is when testing and training comes into play.
They should invest resources in installing the most suitable cybersecurity equipment for the organization’s infrastructure, in terms of software and hardware, while this equipment should constantly be tested by both in-house and third party experts.
Procedures followed within the organization’s everyday routine – be that email exchange, sensor and weapon monitoring or use of online financial transactions – should be periodically evaluated and revised in order to remain cyber-resilient.
The maritime sector, which includes navies, coastguards, commercial shipping and the cruise industry, has built its excellence by investing in equipment and training. Over countless hours of tests, exercises and drills within the sterile environment of the ship or up to large scale multi-coalition deployments, the sector and the companies associated with it are constantly investing time and resources to learn from mistakes. Fortressing an organization against cyberattacks and maintaining a cyber resilient working environment, both on-shore and at-sea, requires the same approach.

Chatham House

Chronis Kapalidis is Academy Fellow, International Security Department Royal Insitute of International Affairs 

You Might Also Read: 

Cybersecurity Can Learn From Maritime Security:

Cyber Security On the High Seas:

 

« UK Must Prepare For The 4th Industrial Revolution
Cyber Defense Is All About Political Decisions »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Exodus Intelligence

Exodus Intelligence

Exodus Intelligence are an industry leading provider of exclusive zero-day vulnerability intelligence, exploits, defensive guidance, and vulnerability research trends.

Bastille

Bastille

Bastille’s patented software and security sensors bring visibility to devices emitting radio signals (Wi-Fi, cellular, IoT) in your organization.

Allegro Software

Allegro Software

Allegro provide secure software for the Internet of Things.

Cavirin

Cavirin

Cavirin’s Automated Risk Analysis Platform reduces risk and automates security and compliance.

VNCERT

VNCERT

VNCERT is the national Computer Emergency Response Team for Vietnam.

IoT European Research Cluster (IERC)

IoT European Research Cluster (IERC)

IERC brings together EU-funded projects with the aim of defining a common vision for IoT technology and development research challenges.

Corvid

Corvid

Corvid is an experienced team of cyber security experts who are passionate about delivering innovative, robust and extensive defence systems to help protect businesses against cyber threats.

Carbide

Carbide

Carbide (formerly Securicy) breaks down enterprise-class security and privacy requirements and makes them accessible to, and achievable by, companies of all sizes.

Militus

Militus

Militus provides the only information security service available that learns and analyzes your network over time using a custom-built network-based toolset.

Towerwall

Towerwall

Towerwall offers a comprehensive suite of security services and solutions using best-of-breed tools and information security services.

Swedish Incubators & Science Parks (SISP)

Swedish Incubators & Science Parks (SISP)

Swedish Incubators & Science Parks (SISP) is the Swedish industry association for Swedish incubators and science parks.

riskmethods

riskmethods

riskmethods helps you proactively identify, assess and mitigate supply chain risk. You need to master supply chain risk management—we can help.

Conversant Group

Conversant Group

Conversant Group is an IT infrastructure and security consulting company, providing technical, organizational, procedural, and process consulting internationally.

CodeLock

CodeLock

Codelock is a patent-pending solution that continuously provides software security at the code level, while providing advanced management insights with performance metrics and data analytics.

Cyber Capital Partners

Cyber Capital Partners

Cyber Capital Partners build strategic and financial partnerships with small and mid-sized cybersecurity companies in highly regulated markets.

Fivecast

Fivecast

Fivecast is enabling a safer world. We help organizations around the world explore masses of data to uncover actionable insights.