Marine Cyber Risk Management A Top-Down Holistic Approach AAPA Port Security Seminar & Expo Bellevue Hotel Philadelphia 24 July 2019


Post on 27-Jun-2020


Page 1: Marine Cyber Risk Management A Top-Down Holistic Approachaapa.files.cms-plus.com/2019Seminars/Security/HC...What is Cybersecurity Capability Maturity? Cybersecurity Capability Maturity



Who We Are

•  Who We Are:
•  Trusted Best-in-Class partners
•  Technology/vendor agnostic
•  Global Reach

•  What We Provide:
•  Enterprise assessment approach - the HACyberLogix
•  Tailored cyber threat intelligence - informed by “attack side”
•  Customized Cyber Training

Ship-owners & Operators

Offshore

Ports & Terminal Operators

Waterside Facilities


Leveraging Aon Cyber Solutions Helping to protect today and safeguard tomorrow

Solving your cyber events

Identifying your security weaknesses

Illuminating your systems’ vulnerabilities

Using knowledge to empower

Respond to the incident, create an investigation strategy, contain the incident while preserving evidence, and confidently communicate with your stakeholders

Evaluate and remediate your vulnerabilities, determine your readiness to respond, and improve your organization’s cyber resilience.

Leverage real-world testing and simulations to help you better understand your weaknesses and strengthen your defenses.

Help protect your organization by applying traditional investigative techniques to the digital environment.

Protectors and Problem Solvers

More than the Sum of Their Parts

•  Forensic computer analysts
•  Penetration testers
•  IT security engineers
•  Information security analysts
•  Security architects

•  Former CISOs
•  Fraud examiners
•  Security risk consultants
•  Investigators
•  Criminologists

•  Forensic accountants
•  Governance & risk mgmt. professionals
•  Privacy professionals

•  Former law enforcement*
•  Former prosecutors
•  AM Law 100 former partners

•  Former Big 4 Professionals
•  Actuaries
•  Statisticians
•  Data analysts

See your company like never before.

Find the smoking gun.

Clear your way for peace of mind.

Protect your organization’s brand.

Oath Takers

•  Claims advocates
•  Evidence Technicians
•  Brokers
•  CPAs

Security Advisory

Testing

eDiscovery

Strategize for your company’s future.

Optimizing your total cost of risk

Model cyber loss scenarios and stress test your current insurance limits to enhance your risk financing strategies.

Quantification

Our Unique Value

Our People

Securing your future

Protect your organization from the financial impact of a cyber incident.

Know it’s not one size fits all.

Broking

Digital Forensics & Incident Response

Investigations & Intelligence

Avoiding costly inefficiencies

Benefit from professional guidance through ever changing technical and legal challenges.

Bring order to the disorder

* Includes former Head of the Cyber Division at FBI Headquarters and former founder of the FBI’s computer crime squad in New York


Establishing Cyber Risk Context

Carl von Clausewitz (1832)

•  War is a political, social and military phenomenon.

•  Asymmetries can defeat the perceived superiority of the defense.

Joshua Corman (2019)

•  The physics of cyberspace are wholly different from every other war domain.


What is “Cybersecurity”?

Cybersecurity is NOT just:

•  Information Technology (“IT”)
•  Compliance (e.g. ISO; MTSA; USCG NVICs)
•  Solved by a “silver bullet” approach

Cybersecurity IS:

•  Enterprise in nature
•  Sustained risk management
•  About cultural change and business transformation
•  Managing financial risk (protecting the Balance Sheet)


Cyber Risk Begins with the Human…

•  Service-Oriented Ecosystems
•  Crime-as-a-Service
•  Targeting-as-a-Service
•  Networking/Social events
•  Tactics, techniques, procedures and strategies are shared
•  Training/lessons-learned
•  Broker ecosystems
•  National teams
•  “Trench time”


The Maritime Industry is a Target Because…

Lots of information. Maritime stakeholders exchange lots of information across different organizations. Data overload!

Lots of legacy systems. Stakeholders have their own systems. Often, these systems are older and have not been patched or updated to the latest version. Easy target!

Lots of money. Maritime stakeholders often transfer large amounts of money (e.g. between a ship owner and a yard, or a shipping company and a bunker operator).

Nexus of global trade. Nation state adversaries have proven how successful supply chain attacks are. Cybercriminals are likely to launch emerging automated, active-adversary attacks against supply chain targets.


So What’s Vulnerable? (Hint: Everything)

•  Supervisory Control & Data Acquisition (SCADA) equipment and Industrial Control Systems (ICS) for loading/unloading of bulk/containerized cargo
•  Cargo/Terminal Operating Systems
•  Domain Awareness Systems - RADAR, AIS, VTS/VTMS, GIS Systems
•  Any Business Software Application (e.g. email, financial, human resources, finance, logistics, business operations. Think “ERP”)
•  Any Operating System (e.g. Microsoft, Linux)
•  Any Security System - CCTV, Access/Gate Control
•  Any Mobility device and platform (RFID)
•  Communications Systems
•  Employees (insiders) and Contractors


The volume of IoT attacks remained high in 2018. Routers and connected cameras were the most infected devices and accounted for 75 and 15% of the attacks, respectively.

- Symantec 2019 Internet Security Threat Report

And it’s Getting Worse… Internet of Things Growth Trends


High Probability: ERP System Compromises

Enterprise Resource Planning (ERP) Systems offer virtual windows into an organization’s activities as it relates to the movement of people, resources, goods, and money. ERP Systems integrate core business processes and leverage shared databases to support multiple functions used by different business units.

Systems affected include:

•  Financial (re: Fraud, Payment info)
•  Cargo Handling & Management
•  Taxes (e.g. VAT)
•  Customs
•  Banking
•  Shipping


Threat Ecosystem Convergence: The Port of Antwerp Cyber Attack, 2011-2013

•  Drug traffickers recruited hackers to breach IT systems
•  Hacking technique involved physical access to computer networks and installation of snooping devices
•  Controlled container movements and location information over 2 years
•  Drugs hidden among legitimate cargo
•  Enabled traffickers to steal the cargo before the legitimate owners arrived
•  Represents transnational risk (supply chain data integrity)

http://www.portstrategy.com/__data/assets/image/0026/207449/Antwerp-port-is-a-massive-operation-despite-being-50-miles-inland.jpg


Maritime Cybersecurity Survey by Jones Walker (Oct 2018)

•  126 Senior executives

•  Nearly 80% of large US Maritime industry companies (more than 400 employees) and 38% of all industry respondents reported that cyber attackers targeted their companies within the past year.

•  10% of survey respondents reported that the data breach was successful and 28% reported a thwarted attempt.

•  69% of respondents expressed confidence in the maritime industry's overall cybersecurity readiness.

•  64% indicated their own companies are unprepared

•  100% of large organizations indicated they are prepared vs. 6% for small companies

•  92% of small and 69% of mid-size orgs have no cyber insurance

•  97% of large organizations have cyber insurance


Cybersecurity is a Challenge for Everyone

“We wasted millions of dollars. Not only were we undisciplined in our deployment of cybersecurity technologies, we possibly created more vulnerabilities with our ad hoc approach. Inactivity was not an option, but I am not sure our responses solved the problems and protected shareholder value.”

Anonymous Former Security Executive Goldman Sachs

Notable Cybersecurity Figures:

•  2019 Budget: USD $600–1 billion
•  Worldwide Staff: 3,000+


Common questions we get from our clients include:

•  What do we invest in first?
•  How much do we budget?
•  What are our priorities?
•  How can we measure the effectiveness of our investments?
•  Are our investments sustainable?

The Challenge: Business Leaders Are Not Getting Informed Answers


Who Owns Cyber Risk?

Shareholders, PE, Partners, Commissioners

Evaluate and Fund Risk (In terms of Investment decisions)

Board of Directors

Evaluate and Fund Risk (Minimize losses; support/protect shareholder equity)

Business Leaders (CEOs, MDs)

Manage Risk (Profit and Loss / Balance Sheet)

Identify, Prevent, Accept, and Transfer Risk (Insurance; Agreements and Contracts in terms of and risk to Profit and Loss and Balance Sheet)

Risk Leadership (Counsel, Risk Mgr.)

Validate Risk, Allocate Resources (In terms of cyber risk to operations and Profit and Loss)

Security Leadership

Communicate Needs, Solutions (In terms of cyber risk to operations that supports cash flow and profit and loss)

Security Practitioners


Re-Thinking Cyber Risk Management

✓  Consider cyber risk in terms of money
✓  The cyber-risk-to-money intersection offers measurable value to inform resource prioritization
✓  Financial grounding translates cyber risk into common language
✓  Empowers decision-makers with relevant context and inputs so as to make informed decisions on cyber risk


A CASE FOR CYBERSECURITY CAPABILITY MATURITY


What is Cybersecurity Capability Maturity?

Cybersecurity Capability Maturity analysis defines an organization’s cyber ecosystem, identifies the depth and breadth of deployed capabilities, establishes benchmarks to support long-term measurement, and serves as the primary mechanism for sustaining the organization’s cybersecurity strategy and investments.


Why it’s Important: Driving Enterprise Cyber Risk Reduction

INVEST IN CYBER CAPABILITIES!

SUSTAIN CAPABILITY & INVEST IN INSURANCE!

Image Courtesy of Axio

Resilience, Compliance & Insurability

The Cyber Risk Reduction Curve

Investing in the right combination of technology and insurance maximizes risk reduction.

1.  Technology Risk Reduction
2.  Insurance Risk Reduction

[Figure: the Cyber Risk Reduction Curve; axes: Cybersecurity Capability, Risk]


Cyber Losses Continue to Increase

Torsten Jeworrek, Member of Munich Re’s Board of Management

“The economic costs of large-scale cyber attacks already exceed losses caused by natural disasters. Where small and medium-sized enterprises are affected, such attacks can soon threaten their very existence. The biggest cyber-related economic losses to date have been those caused by Ransomware and malware, especially WannaCry and NotPetya – attacks that affected the marine sector.”


Cyber Risk

There may be no greater risk to the marine industry including commercial ports than cyber insecurity.

The question is, what should ports - and those that lead and manage them - be doing right now to prepare?


Pre-Breach (1)

Before a breach occurs:

– Establish an actionable, up-to-date incident response (IR) plan
• Identify key stakeholders for IR

– Conduct tabletop exercises, at least annually

– Working with IT, develop detailed data loss prevention (DLP), disaster recovery (DR) and business continuity plans (BCP)


Pre-Breach (2)

Identify your Partners:

•  Negotiate an IR retainer agreement with a forensic provider, get to know them

•  Select a law firm partner

•  Establish a relationship with a PR firm

•  Get to know law enforcement


Pre-Breach (3)

Secure Cyber Insurance!

– Great resource for support to create cyber resilience

– Often results in lower hourly rate for breach response


Pre-Breach (4)

Build Awareness

•  Train yourself and your employees on how to become more resilient to cyber attacks
– Phishing campaigns
– USB key drops
– Online and in-person training modules

•  Create a culture where everyone understands that security is an enterprise-wide core value and each individual plays a role


Risk Assessment and Mitigation

Hudson Cyber (AON partner)

HACyberLogix – Cybersecurity Assessment / Decision Support System

Provides Cyber Security compliance elements specific to Vessel Operators

•  Diagnostic: Cyber Resiliency Report Card
•  Decision Support: Highest Impact for Lowest Cost Recommendations

Loss Mitigation and Incident Response

Stroz Friedberg (an AON company)

Leading Cyber Security, Digital Forensics and Incident Response company

Risk Transfer

AON

•  Cost-effective risk transfer solution based on Risk Assessment and Incident Response

•  To be placed with a consortium of underwriters from the Marine and Cyber markets.

•  To include standard cyber and marine related coverages.

Aon’s Global Marine Cyber Strategy


3535 Travis Street
Suite 105
Dallas, TX 75204
t +1.214.377.4566
m +1.214.971.3352
john.ansbach@strozfriedberg.com
www.strozfriedberg.com

Ferry Terminal Building
2 Aquarium Drive, Suite 300
Camden, NJ 08103
Office: +1.856.342.7500
Mobile: +1.301.922.5618
Email: [email protected]

Max Bobys
Vice President

Patrick O’Neill
Senior Vice President

National Hull & Liability Practice Leader

John Ansbach
Vice President
Engagement Management

Aon Risk Solutions
Aon Broking Marine
One Liberty Plaza
165 Broadway, Suite 3201
New York, [email protected]

Thank You!

1150 Connecticut Ave. NW
Suite 700
Washington, DC
t +1.202.534.3292
m +1.202.389.7890
Heidi.wachs@strozfriedberg.com
www.strozfriedberg.com

Heidi Wachs
Vice President
Engagement Management