Page 1

Maritime CyberSecurity

Safety at Sea National Maritime Day Seminar Series
National Press Club, Washington, DC
May 23rd 2016

Cynthia A. Hudson, CEO & Founder, HA-Cyber

© 2016 HudsonAnalytix, Inc.

Page 2

Who We Are

HudsonAnalytix, Inc. delivers a broad range of integrated risk management services and technical solutions to the global maritime industry. Our clients include:

• Port Authorities & Terminal Operators
• National and regional port systems
• Integrated oil/gas companies
• National oil companies
• Maritime transportation companies
• Insurance Companies
• Governments

Operating Subsidiaries:

• HA-Cyber - Maritime Cyber Risk Management
• HudsonMarine - Operational Marine Management
• HudsonTrident - Security (Physical & Cyber)
• HudsonTactix - Consequence Management
• HudsonDynamix - Training
• HudsonSystems - Software Solutions

Key Facts:

• Established in 1986
• Worldwide Presence:
  • Philadelphia (Global HQ)
  • Washington, DC
  • Seattle, WA
  • San Diego, CA
  • Houston, TX
  • Copenhagen, Denmark
  • London, UK
  • Rome, Italy
  • Piraeus, Greece
  • Jakarta, Indonesia (JV)
  • Manila, Philippines

Page 3

Dedicated Maritime Cyber Risk Management Practice: HA-Cyber

• Established late 2015
• Trusted Best-in-Class Partners
• Dedicated to the global maritime industry
• End-to-end Services and technical capabilities
• Blended, Standards-based, Maturity-Model Assessment Approach
• Informed by “attack side”
• Facilitation of Risk Transfer
• Global Reach

Market segments shown in the slide graphic: Ship-owners & Operators; Offshore; Ports & Terminal Operators; Waterside Facilities

Page 4

“That cyber environment is one that really is the thing that keeps me up at night.”

CIA Director John Brennan, 14 February 2016, CBS 60 Minutes interview by Scott Pelley

Page 5

The Cyberization of Risk - Everything is Connected

Law 1: Everything that is connected to the Internet can be hacked.
Law 2: Everything is being connected to the Internet.
Law 3: Everything else follows from the first two laws.

The impact of a cyber event can cascade across an organization, reinforcing the magnitude of its impact.

Zurich - Atlantic Council Image, Risk Nexus, April 2014

Page 6

The Maritime “Internet of Everything” (IoE) is Here and Evolving

The “Maritime IoE” is being driven by the growth, adoption and ‘cheapening’ of:

• Mobility devices
• Storage capacity
• Bandwidth availability
• Social media
• Cloud-based applications
• People

IoE diagram labels: People; Data; Things; Processes; Analytics

Page 7

From Digital Ship to the Autonomous Ship

Smart ships don’t represent a ‘stand-alone’ technology. They are a manifestation and exploitation of integrated, networked technologies (e.g. sensors, robotics, big data, advanced materials, and communications).

Source: Global Maritime Technology Trends 2030, QinetiQ, U. of Southampton & Lloyd’s Register; ©2015

Page 8

What is Cybersecurity?

Cybersecurity is NOT just:
• Information Technology (“IT”)
• Compliance (e.g. ISM, ISO, ISPS)

Cybersecurity IS:
• A risk management function designed to provide a standard of care.
• The mission and business of protecting the enterprise.

Page 9

When we say “Cyber Risk” what do we mean?

Cyber risk signifies more than data breaches…

• Seaworthiness
• Client and employee information
• Commercial confidential information / assets
• Money (Profit and Loss)
• Reputation

Stuxnet and Shamoon were game changers - they proved that physical events can be triggered through cyber means.

Sony was also a game changer - it targeted employees, damaging systems and reputations, and divulged corporate secrets and trade information.

Image: The Telegraph, 30 Nov 2010

Page 10

Why Should We Manage Cyber Risk in the Maritime Domain?

Every port authority and terminal operator operating in the world economy creates, utilizes, stores, manages, and exchanges digital data, along with financial information, via internal and external networks.

Ports sustain 90% of the global economy.

• 4,764 Ports in 196 countries
• 68,000+ vessels by 2023

Recurring Industry Themes:
• Multimodal connectivity
• Increase efficiency of operations
• Increase capacity for small port infrastructure
• Passenger traffic

Source: www.mits-forum.org

Page 11

Internet of Things Cyber Risk Insight: Mobile Computing

ILO MLC 2006, Title 3 Amendments list the requirements for recreational facility amenities that include but are not limited to some or all of the following: PC equipment, communication facilities, including email and internet access…

Page 12

Similarly, with the ISM…

Section 1.2.2.2 of the International Safety Management (ISM) Code states: “Assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards.”

Page 13

REF: IMO’s Facilitation Committee - 40th Session, Meeting April 4th - 8th 2016

Cyber Security

The Facilitation Committee is expected to identify the facilitation aspects with regards to protecting the maritime transport network from cyber threats, with a view to developing voluntary maritime cybersecurity guidelines, including best practices.

Page 14

Recent Guidelines Issued

Slide shows guideline cover images dated Jan. 2016, Feb. 2016 and May 2016 (titles not recoverable from the text).

Page 15

So What’s Vulnerable?

• Supervisory Control & Data Acquisition (SCADA) equipment and Industrial Control Systems (ICS) for loading/unloading of bulk/containerized cargo
• Cargo / Terminal Management Systems
• Domain Awareness / Navigational Systems - RADAR, AIS, VTS/VTMS
• Any Business Software Application (e.g. email, financial, human resources, finance, logistics, business operations, etc. - Think “ERP”)
• Any Operating System (e.g. Microsoft, Linux)
• Security Systems - CCTV, Access Control
• Mobility devices and platforms - RFID
• Communications Systems
• Employees (insiders)

Page 16

Are Ships Vulnerable?

Slide graphic. Source: USCG Cyber Strategy

Page 17

IRISL Hack (2011)

• Servers were compromised
• Logistics systems crashed
• Entire fleet of 172 vessels was compromised
• False information input into systems:
  • Compromised manifests
  • Falsification of rates
  • Containers ‘cloaked’
  • Delivery dates
  • Client / Vendor Data
• Major Business Interruption!

Page 18

Port of Antwerp Cyber Attack, 2011-2013: Cyber-enabled cargo theft

• Drug traffickers recruited hackers to breach IT systems
• Controlled the movement and location of containers over a 2-year period from June 2011
• Drugs were hidden in containers among legitimate cargo
• Enabled traffickers to steal the cargo before the legitimate owners arrived
• Hacking technique involved physical access to computer networks and installation of snooping devices
• Impact: cargo theft

http://www.bbc.com/news/world-europe-24539417
http://www.portstrategy.com/__data/assets/image/0026/207449/Antwerp-port-is-a-massive-operation-despite-being-50-miles-inland.jpg

Page 19

The Greatest Cyber Threat to us All: Data Integrity

“Integrity. Cyber operations include an increased emphasis on changing or manipulating data to compromise its integrity to affect decision making, reduce trust in systems, or cause adverse physical effects.”

Threat actions include:
• Posting disinformation on websites
• Altering online media as a means to influence public discourse and sentiment
• Modifying stored data
• Transmitting false data
• Tracking and/or manipulating the flow of information

Page 20

USCG Maritime Cyber Bulletin - 28 December 2015

Business Email Compromise is a global scam with subjects and victims in many countries. The FBI received victim complaints from more than 45 countries between 2013 - 2014:

• Total U.S. victims: 1,198
• Total U.S. dollar loss: $179,755,367.08
• Total non-U.S. victims: 928
• Total non-U.S. dollar loss: $35,217,136
• Combined victims: 2,126
• Combined dollar loss: $214,972,503

Page 21

The “Whale” Attack: Targeting Key Executives

As of April 2016:
• USD $2.3 billion in losses since 2013;
• 270% increase since January 2015; and,
• 79 countries have been affected.

Page 22

Re-Thinking Maritime Cyber Resiliency in a “Cyberized” World

• Assume your business has already been attacked, infiltrated and compromised
• Understand that there is no “magic bullet”
• Develop a New Approach:
  • Take a top-down approach
  • Implement an enterprise cyber risk management strategy

Page 23

The Cyber Risk Reduction Curve

(The slide reproduces an Axio brochure; its text follows.)

ABOUT US

Axio provides cyber risk engineering services and data analytics to support the improved management of cyber risk, including the deployment of cyber insurance. We work with private and public sector organizations to help them better understand and manage their exposure to cyber risk through cybersecurity program evaluations and cyber loss scenario development and analysis.

Much of our work is performed for or in collaboration with the insurance industry; we are on the forefront of developing and enabling improved cyber insurance products that protect firms in the energy sector and other sectors for which physical damage, environmental damage, and bodily injury from cyber risk are real concerns.

The core of our data analytics work is the Axio knowledge center, which aggregates data from our services and other sources to provide a basis for cyber program capability benchmarks, modeling, and other data sciences to improve the understanding of cyber risk losses and associated predictive indicators. Our vision is that the rich data provided through our collaboration with the insurance industry will ultimately provide insight into predictive indicators for cyber loss that materially advance cybersecurity knowledge.

AXIO PROCESS

CYBER INSURANCE AS A CONTROL

The Ultimate Value Proposition: Insight and analysis from Axio’s Cyber Risk Knowledge Center enables clients to deploy risk transfer capacity to lower their overall risk.


1. Policy Analysis: Identify gaps in current insurance coverage. Understand the types of impacts from potential cyber events that are not covered by your current insurance.

2. Cyber Loss Scenarios: Develop notional and feasible cyber loss scenarios. Workshop to brainstorm several cyber loss scenarios that could lead to covered and uncovered impacts; estimate total potential cost of each.

3. Program Evaluation: Evaluate cyber risk management capability and maturity. Evaluation based on the Cybersecurity Capability Maturity Model (C2M2).

4. Cyber Risk Engineering: Detailed impact analysis, frequency estimation, and loss control. More in-depth cyber loss scenario development and analysis than in step 2.

5. Insurance Placement: With brokers and insurers, secure meaningful coverage. Various new coverage forms and enhanced existing forms are becoming available.

Catastrophic cyber risk transfer capacity lowers the curve overall.

Curve figure labels: Cybersecurity Capability; Risk; Invest in Technology; Invest in Transfer

FOR INSURERS

• Scalable cybersecurity program evaluations and benchmarking to support underwriting, ranging from online self-evaluations to onsite in-depth evaluations.
• Data collection and analysis to monitor systemic and aggregation risk and to improve cyber loss models.
• Technology support for evaluations, data collection, and analysis.
• Training and consulting services to better enable insurers and broker partners to address the full range of cyber risk with clients.

FOR POLICYHOLDERS

• Policy analysis to identify and understand cyber exclusions in existing policies.
• Scenario workshops to develop and analyze cyber loss scenarios.
• Scalable cybersecurity program evaluations and benchmarking, ranging from online self-evaluations to onsite in-depth evaluations.
• Intra-organizational benchmarking to compare cyber risk management capabilities among parallel business units for in-depth analysis of large organizations.
• Cyber risk engineering services for in-depth loss scenario analysis, control, and modeling.

FOR BROKERS

• Policy analysis to identify and understand cyber exclusions in existing policies in support of specific clients or market analysis.
• Consulting services for design and placement of bespoke cyber insurance solutions such as captives to address unique client needs.
• Training and consulting services to better enable brokerage teams to address the full range of cyber risk with clients.

AXIO KNOWLEDGE CENTER

Data sources: Aggregated data from Risk Engineering services, open sources, and the insurance industry.

Knowledge Center areas:
• Benchmarks
• Cybersecurity program evaluations
• Loss and claims for insurance partners
• Predictive Models
• Aggregation and systemic risk analysis
• Publications
• Cyber risk and insurance training and consulting
• Loss scenario development and engineering

Cyber Risk Reduction Curve figure labels: axes Cybersecurity Capability and Cyber Risk; stages Basic Cybersecurity Capabilities, Cyber Maturity, Cyber Resiliency; regions Invest in Cyber Capabilities, Sustain Capability & Invest in Insurance

Page 24

Cyber Risk Management Begins at the Top - it’s a Boardroom Challenge

CEOs and Board Members are increasingly being held accountable for their organization’s cyber resilience. Cyber risk management must be owned by leadership rather than be relegated to an “IT” challenge.

Cyber risk affects an organization’s:
• Balance Sheet / Profit & Loss
• Legal Exposure
• Operational Effectiveness
• Customers
• Vendors & Partners
• Employees

Page 25

Gain Awareness & Train!

• Executive Leadership Briefings
• Workforce training spanning multiple cyber maturity dimensions (e.g. spear-phishing, passwords, social media, etc.)
• Consider web-based training awareness tools for baseline and refresher training
• In-house Cyber TTX combined with ISPS Code requirements
• Technical Staff Training

Global organizations can rapidly deliver and sustain cybersecurity and cyber risk awareness training across the enterprise.

Page 26

Insurance Considerations

First Party Damages (Tangible & Financial)
• Response Costs - Forensics, notifications
• Legal expenses: advice and defense
• Revenue losses due to network or computer outages
• Restoration costs related to reconstitution of lost data
• Ransomware: Cyber extortion
• IP Loss: value of stolen property
• Mechanical compromise / breakdown
• Destruction of equipment or property
• Lost revenue due to physical damages
• Bodily injury to employees

Scenarios: Insider threat; Network Disruption; Network breach; Malware attack (e.g. on SCADA); Ransomware

Third Party Damages (Tangible & Financial)
• Financial recovery due to consequential loss of revenue
• Restoration activity expenses
• Legal expenses: advice and defense
• Credit monitoring costs
• Physical damage / destruction of equipment and/or property
• Environmental cleanup
• Bodily injury to others
• Regulatory fines

Scenarios: Insider threat; Network Disruption; Network breach; Malware attack (e.g. on SCADA)

Page 27

Cybersecurity as a Social Compact?

2016 Award for Outstanding Woman in Maritime Port Protection

Cyber-Social Responsibility: from Awareness to Action

Panama City, Panama, April 27, 2016

Page 28

Packaged Offerings Available

Available   Description                                              Type
√           Tier 1, 2 & 3 Maritime ESA                               Assessment
√           Penetration Testing                                      Assessment
√           Executive Briefings                                      Training
√           In-House Cyber TTX                                       Customized Training
√           Awareness Training (Web/Email)                           Training
√           Enterprise Managed Security Service Provider (MSSP)      Cyber Defense / Includes Incident Response support
√           Cybersecurity Program Design, Development and Planning   Advisory Support
√           Cyber Incident Response / Crisis Mgmt.                   Advisory / Response
√           Cyber Threat Intelligence Service                        Available Early April / Priced for Maritime Market

Page 29

Thank You & Questions?

Cynthia A. Hudson, CEO & Founder
Ferry Terminal Building, Suite 300
2 Aquarium Drive
Camden, NJ 08103
Office: +1.856.342.7500
Mobile: +1.609.505.6878
[email protected]