“Port Cyber Security: Maersk, Cosco, Barcelona, San Diego. Who is next?”
Chronis Kapalidis, Academy Stavros Niarchos Foundation Fellow, International Security Department Europe Representative, HudsonAnalytix
Tuesday, November 27, 2018, Piraeus


Post on 09-Aug-2020



• 80% conducted from crew network

• ~97% of malware is designed to exploit social engineering weaknesses, not a technical flaw

Chatham House | The Royal Institute of International Affairs 2

Key findings (Facts & Figures)

Date        Victim
2010-11     Greek Shipping Company
Aug 2011    Iranian Shipping Line (IRISL)
2011-13     Port of Antwerp
2012        Australian Customs and Border Protection Service agency
2012-14     Danish Port Authority
Apr 2016    South Korea
Jun 2017    AP Moller Maersk
Jun 2017    Ships in Novorossiysk
Nov 2017    Clarksons
July 2018   Cosco US
Sep 2018    Ports of Barcelona & San Diego


Maritime Cyber Security at Chatham House

• 2 Ongoing research projects for cybersecurity at the MTS

• Expert Comments

• Global Insights Workshop

• Simulation Exercises


Key findings (Awareness)

• The urgency for action is becoming gradually understood

Why?

• No systemic port-related cyber attacks

• No mandatory framework (other regulations affect maritime stakeholders (GDPR, NIS))


The 3 Pillars of cyber hygiene


Port of Antwerp

• 2011 to 2013

• Hackers accessed container management system

• Drug smuggling

• Once discovered it was breached yet again

Lessons Learned

• Cyberspace used as a facilitator for organised crime

• Necessity in developing resilience mechanisms

• Resourcefulness of hackers


A.P. Moller Maersk

• June 2017

• NotPetya malware against Ukraine

• ~76 terminals affected

• NOT a targeted attack against Maersk

• Business disruption for about 2 weeks

• $300 million total cost

Lessons Learned

• NO need to be targeted: collateral damage still catastrophic

• Ineffective 3rd pillar policies: necessity in developing resilience mechanisms

• Non-effective risk assessment


Cosco US – Barcelona – San Diego

• July – September 2018

• Initially in the US, then expanded to the Americas

• Major business disruption

• Probably ransomware attacks

Lessons Learned

• Ports are easy targets

• Necessity in developing resilience mechanisms

• Common vulnerabilities in 2 pillars (Infrastructure, Procedures)


IMO Maritime Safety Committee
Draft Guidelines on Maritime Cyber Risk Management

One accepted approach is to comprehensively assess and compare an organization's current, and desired, cyber risk management postures.

Such a comparison may reveal gaps that can be addressed to achieve risk management objectives through a prioritized cyber risk management plan.

This risk-based approach will enable an organization to best apply its resources in the most effective manner.


Cybersecurity is about managing risk

• It’s about digitally identifying, informing, enabling, controlling, and describing an asset.

• Assets can be people, processes, tools and systems.

• It’s about managing risk to the confidentiality, integrity and availability of the information impacting assets.


But modelling cyber risk is difficult….

- No authoritative source of data

- A Cyber risk model requires input for people and processes in addition to technology

- Limited risk quantification models


Guidelines

Maritime cyber AWARENESS CYCLE

• ASSETS. Examples: Vessel, Cargo, Crew, Business processes, Enterprise IT-systems, Reputation.

• BUSINESS ENVIRONMENT. Owner of: hardware, software, business-network. Rules and regulations. Authorization to access and investigate when breached (jurisdiction), IT trends.

• THREAT ASSESSMENT. Threat actors (APTs, Contractors, Criminals, Hacktivists), Intentions, Capabilities, TTPs (DDoS, CPM, Phishing, Human manipulation, Social Engineering).

• SCENARIOS. How relevant threat actors would attack our defined assets.

• VULNERABILITIES. Common Vulnerabilities and Exposures (CVEs): People, Digital Footprint.

• RISK ASSESSMENT. Which vulnerabilities are exposed to the different types of scenarios?

• MITIGATION MEASURES. Examples: Move/re-organize Assets; Patch Management; General awareness & training regime; Detection systems.

• RESIDUAL RISK. What threats can still exploit vulnerabilities and interfere with Assets?

• CONTINGENCY PREPAREDNESS. Examples: Contingency Preparedness plan; Available and capable CERT?; Recovery Plans and Back up; Post Incidents Analysis.


Cybersecurity Capability Maturity

…defines an organization’s cyber ecosystem, identifies the depth and breadth of deployed capabilities, establishes benchmarks to support long-term measurement and continuous improvement, and serves as the primary mechanism for sustaining the organization’s cybersecurity strategy and investments.

Evolving from Cybersecurity to Cyber Maturity

CLASSIC CYBERSECURITY

Is the ability of an organization to technically prevent cyber attacks from breaching cyber defenses and then recover when a cyber attack occurs.

KEY STAKEHOLDERS: INFORMATION TECHNOLOGY

CYBER RESILIENCY

Is the ability of an organization to detect anomalies as they occur; correct vulnerabilities as they are identified and before a full recovery is required.

KEY STAKEHOLDERS: EVERYONE IN THE ORGANIZATION EXCEPT “IT”

CYBER MATURITY

Involves the blended ‘institutionalization’ of participant awareness, cyber best practices, controls, and defense technologies across the entire enterprise.

KEY STAKEHOLDERS: THE ENTIRE ORGANIZATION

Likelihood of a claim diminishes as organizations move towards higher levels of cyber maturity


ABOUT US

Axio provides cyber risk engineering services and data analytics to support the improved management of cyber risk, including the deployment of cyber insurance. We work with private and public sector organizations to help them better understand and manage their exposure to cyber risk through cybersecurity program evaluations and cyber loss scenario development and analysis.

Much of our work is performed for or in collaboration with the insurance industry; we are on the forefront of developing and enabling improved cyber insurance products that protect firms in the energy sector and other sectors for which physical damage, environmental damage, and bodily injury from cyber risk are real concerns.

The core of our data analytics work is the Axio knowledge center, which aggregates data from our services and other sources to provide a basis for cyber program capability benchmarks, modeling, and other data sciences to improve the understanding of cyber risk losses and associated predictive indicators. Our vision is that the rich data provided through our collaboration with the insurance industry will ultimately provide insight into predictive indicators for cyber loss that materially advance cybersecurity knowledge.

AXIO PROCESS

1. Policy Analysis: Identify gaps in current insurance coverage. Understand the types of impacts from potential cyber events that are not covered by your current insurance.

2. Cyber Loss Scenarios: Develop notional and feasible cyber loss scenarios. Workshop to brainstorm several cyber loss scenarios that could lead to covered and uncovered impacts; estimate total potential cost of each.

3. Program Evaluation: Evaluate cyber risk management capability and maturity. Evaluation based on Cybersecurity Capability Maturity Model (C2M2).

4. Cyber Risk Engineering: Detailed impact analysis, frequency estimation, and loss control. More in-depth cyber loss scenario development and analysis than in step 2.

5. Insurance Placement: With brokers and insurers, secure meaningful coverage. Various new coverage forms and enhanced existing forms are becoming available.

CYBER INSURANCE AS A CONTROL

The Ultimate Value Proposition: Insight and analysis from Axio’s Cyber Risk Knowledge Center enables clients to deploy risk transfer capacity to lower their overall risk.

[Figure: risk plotted against cybersecurity capability, with regions labelled "Invest in technology" and "Invest in transfer". Caption: Catastrophic cyber risk transfer capacity lowers the curve overall.]

SERVICES

FOR INSURERS

• Scalable cybersecurity program evaluations and benchmarking to support underwriting, ranging from online self-evaluations to onsite in-depth evaluations.

• Data collection and analysis to monitor systemic and aggregation risk and to improve cyber loss models.

• Technology support for evaluations, data collection, and analysis.

• Training and consulting services to better enable insurers and broker partners to address the full range of cyber risk with clients.

FOR POLICYHOLDERS

• Policy analysis to identify and understand cyber exclusions in existing policies.

• Scenario workshops to develop and analyze cyber loss scenarios.

• Scalable cybersecurity program evaluations and benchmarking, ranging from online self-evaluations to onsite in-depth evaluations.

• Intra-organizational benchmarking to compare cyber risk management capabilities among parallel business units for in-depth analysis of large organizations.

• Cyber risk engineering services for in-depth loss scenario analysis, control, and modeling.

FOR BROKERS

• Policy analysis to identify and understand cyber exclusions in existing policies in support of specific clients or market analysis.

• Consulting services for design and placement of bespoke cyber insurance solutions such as captives to address unique client needs.

• Training and consulting services to better enable brokerage teams to address the full range of cyber risk with clients.

Axio Knowledge Center

[Diagram: DATA SOURCES feeding the KNOWLEDGE CENTER]

Data sources: Aggregated data from Risk Engineering services, open sources, and insurance industry.

Knowledge Center labels:

• Benchmarks

• Cybersecurity program evaluations

• Loss and claims for insurance partners

• Predictive Models

• Aggregation and systemic risk analysis

• Publications

• Cyber risk and insurance training and consulting

• Loss scenario development and engineering

The Cyber Risk Reduction Curve

[Figure: Cyber Risk plotted against Cybersecurity Capability. Labels: Classic Cybersecurity, Cyber Maturity, Cyber Resiliency. Regions: "Invest in cyber capabilities" and "Sustain capability & invest in insurance". Legend: Technology Risk Reduction, Insurance Risk Reduction.]

The HACyberLogix Structure

The Maritime Transportation Cybersecurity Capability Assessment Approach

The HACyberLogix application provides maritime organizational leadership with the sustained ability to analyze, benchmark, measure, and facilitate cybersecurity capability evolution across all the areas of a port’s business.

• Event & Incident Response

• Information Sharing

• ICT

• Situational Awareness

• Cyber Program Management

• Commercial

• Change Management

• Physical

• Threat & Vulnerability Management

• Workforce & Training

• Risk Management

• Governance

Understanding the approach

Designed for “Balance Sheet Owners”

• Risks are well understood and managed

• Risks are recognized but not well managed

• Risks are not well understood

Cyber as ROI

Two aspects in increasing ROI from investing in cybersecurity: User and Corporate

• Invest in user awareness training

• Use the knowledge and best practices of other industries

• Educate staff on new measures, technologies and tools

• Cyber security by design

Thank you


We have land and a home as long as we have ships at sea..

Themistocles 480 B.C.