Maritime Cybersecurity: No Substitute for Testing

By Chronis Kapalidis.

When no defence is completely effective against cyberattacks, it is vital to test responses to the inevitable incursions. Concerns have been raised about the cyber vulnerability of the new HMS Queen Elizabeth.

It is not a matter of if you will be attacked, but when. No organization, whether an international institution, a government agency or a small business, can ever be 100 per cent cyberattack-proof, as several recent examples have shown. Preparedness, in the form of testing the organization's cybersecurity structure against potential attacks with a range of tools, is therefore vital for minimizing cyber risk. This is as true for the maritime sector as for any other, since the outcomes of such an attack may range from loss of revenue to environmental disaster and loss of life.

Testing, as a feedback process, serves two purposes. Whether it takes the form of large-scale simulation exercises, penetration testing or internal drills, the first aim is to identify deficiencies, vulnerabilities and back doors in the systems under test. The second is to establish the most effective code of practice to follow when an attack does occur; in other words, to develop and rehearse a workable contingency plan.

The effects of the Petya (NotPetya) ransomware attack on AP Moller-Maersk in June 2017 show that the international maritime community's dependence on cyberspace is growing substantially and, with it, its exposure to new and unquantified vulnerabilities. The attack was not targeted at Maersk, yet it still caused extensive disruption at several of the company's port terminals around the world, and this collateral damage cost an estimated $300 million in lost revenue. One can only imagine the scale of the consequences had Maersk been the deliberate target of an advanced persistent threat (APT). However prepared the company claims to have been, its feedback process proved ineffective: the shipping giant was unable to resume normal operations within a limited time frame and keep the loss of revenue to a minimum.

Another apt example of how poorly the problem is understood is the controversy over whether the Royal Navy's newly commissioned aircraft carrier is running Windows XP as its main software platform. This is potentially problematic: Windows XP left extended support in April 2014, and the SMBv1 flaw exploited by WannaCry in May 2017 was patched on XP only as an emergency measure once the outbreak was under way. There has been broad speculation about the navy's planning, since one would expect newly deployed units to be well prepared in terms of software and hardware protection, using state-of-the-art technology that is difficult to infiltrate. However, as the Ministry of Defence pointed out, it is common practice for newly commissioned, and especially prototype, warships to use commercial software while they undergo their Harbour Acceptance and Sea Acceptance Tests (HATs and SATs). The question that matters is not which operating system sits on the trials network today but whether unsupported software is kept isolated from operational systems and patched wherever it cannot be isolated. The focus should therefore be on persistent cyber testing of the software that will be installed in the platform once the carrier is fully operational in 2023.

To that end, since planning and performing these tests requires a high level of cybersecurity expertise, companies should assign the task to a trustworthy third-party firm and should ensure that it is entirely separate from, and unconnected to, the company that designed and set up the corporation's IT infrastructure and cybersecurity framework: a vendor auditing its own work has every incentive to overlook its own mistakes. These considerations are particularly sensitive in the defence sector, where outsourcing cyber policy and testing creates significant security risks of its own, from the access the testers must be granted to the findings they take away with them.

The testing procedure, if it is to mitigate the risk of cyberattacks, should be comprehensive and focus on three main pillars within each commercial and military organization: the human factor, the infrastructure and the procedures.

The human factor: corporations within the maritime sector, including those working in defence, should educate and train their staff in order to build a cybersecurity culture. The challenge is to maintain that culture, especially at sea, when a ship may be underway for long periods; that is where testing and training come into play.

The infrastructure: they should invest in the cybersecurity equipment, software and hardware, best suited to the organization's infrastructure, and that equipment should be tested constantly by both in-house and third-party experts.

The procedures: the routines followed in the organization's everyday work, whether email exchange, sensor and weapon monitoring or online financial transactions, should be periodically evaluated and revised in order to remain cyber-resilient.

The maritime sector, which includes navies, coastguards, commercial shipping and the cruise industry, has built its excellence by investing in equipment and training. Over countless hours of tests, exercises and drills, from the controlled environment of a single ship up to large-scale multi-coalition deployments, the sector and the companies associated with it constantly invest time and resources in learning from mistakes. Fortifying an organization against cyberattacks and maintaining a cyber-resilient working environment, both on shore and at sea, requires the same approach.

Chatham House

Chronis Kapalidis is Academy Fellow, International Security Department, Royal Institute of International Affairs (Chatham House).

