Transcript of “Port Cyber Security: Maersk, Cosco, Barcelona, San Diego. Who is next?”
Chronis Kapalidis, Academy Stavros Niarchos Foundation Fellow, International Security Department; Europe Representative, HudsonAnalytix
Tuesday, November 27, 2018, Piraeus
• 80% conducted from crew network
• ~97% of malware is designed to exploit social engineering weaknesses, not a technical flaw
Chatham House | The Royal Institute of International Affairs 2
Key findings (Facts & Figures)
Date Victim
2010-11 Greek Shipping Company
Aug 2011 Iranian Shipping Line (IRISL)
2011-13 Port of Antwerp
2012 Australian Customs and Border Protection Service agency
2012-14 Danish Port Authority
Apr 2016 South Korea
Jun 2017 AP Moller Maersk
Jun 2017 Ships in Novorossiysk
Nov 2017 Clarksons
July 2018 Cosco US
Sep 2018 Ports of Barcelona & San Diego
Maritime Cyber Security at Chatham House
• 2 Ongoing research projects for cybersecurity at the MTS
• Expert Comments
• Global Insights Workshop
• Simulation Exercises
Key findings (Awareness)
• The urgency for action is becoming gradually understood
Why?
• No systemic port-related cyber attacks
• No mandatory framework (other regulations affect maritime stakeholders: GDPR, NIS)
Port of Antwerp
• 2011 to 2013
• Hackers accessed container management system
• Drug smuggling
• Once discovered, it was breached yet again
Lessons Learned
• Cyberspace used as a facilitator for organised crime
• Necessity in developing resilience mechanisms
• Resourcefulness of hackers
A.P. Moller Maersk
• June 2017
• NotPetya malware against Ukraine
• ~76 terminals affected
• NOT a targeted attack against Maersk
• Business disruption for about 2 weeks
• $300 million total cost
Lessons Learned
• NO need to be targeted – collateral damage still catastrophic
• Ineffective 3rd pillar policies - necessity in developing resilience mechanisms
• Non-effective risk assessment
Cosco US – Barcelona – San Diego
• July – September 2018
• Initially in the US, then expanded to the Americas
• Major business disruption
• Probably ransomware attacks
Lessons Learned
• Ports are easy targets
• Necessity in developing resilience mechanisms
• Common vulnerabilities in 2 pillars (Infrastructure-Procedures)
IMO Maritime Safety Committee, Draft Guidelines on Maritime Cyber Risk Management
“One accepted approach is to comprehensively assess and compare an organization's current, and desired, cyber risk management postures. Such a comparison may reveal gaps that can be addressed to achieve risk management objectives through a prioritized cyber risk management plan. This risk-based approach will enable an organization to best apply its resources in the most effective manner.”
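As an added example (not the guidelines' or the speaker's material), the compare-current-with-desired-posture step above carried through to a prioritized plan in Python. The domain names are the HACyberLogix areas and the three tiers are the “Balance Sheet Owners” tiers from later in the deck; the level numbering, criticality weights, sample assessment and phase budget are assumptions.

```python
# Added example (not from the talk): the IMO draft guidelines' approach of comparing
# current and desired cyber risk management postures and turning the gaps into a
# prioritized plan. The domains are the HACyberLogix areas listed later in the deck;
# the three tiers come from the "Balance Sheet Owners" slide. Level numbers,
# criticality weights, the sample assessment and the phase budget are constructed.
LEVELS = {
    "not understood": 0,  # risks are not well understood
    "recognized": 1,      # risks are recognized but not well managed
    "managed": 2,         # risks are well understood and managed
}

def prioritized_plan(current, desired, criticality):
    """Compare postures domain by domain. Returns (domain, gap in tiers, priority),
    largest priority first; priority = gap weighted by how critical the domain is.
    Domains already at or above the desired tier are closed gaps and are omitted."""
    plan = []
    for domain, level in current.items():
        gap = LEVELS[desired[domain]] - LEVELS[level]
        if gap > 0:
            plan.append((domain, gap, gap * criticality.get(domain, 1)))
    return sorted(plan, key=lambda row: (-row[2], -row[1], row[0]))

def phase_plan(plan, steps_per_phase):
    """Split the prioritized plan into phases of at most `steps_per_phase` tier steps,
    so limited resources go to the highest-priority gaps first (risk-based allocation).
    A single gap larger than the budget still gets a phase of its own."""
    phases, phase, used = [], [], 0
    for domain, gap, _priority in plan:
        if phase and used + gap > steps_per_phase:
            phases.append(phase)
            phase, used = [], 0
        phase.append(domain)
        used += gap
    if phase:
        phases.append(phase)
    return phases

# Constructed sample assessment of six of the twelve HACyberLogix domains.
CURRENT = {
    "Governance": "recognized", "Risk Management": "not understood",
    "Event & Incident Response": "not understood", "Workforce & Training": "recognized",
    "Physical": "managed", "Information Sharing": "not understood",
}
DESIRED = {**{d: "managed" for d in CURRENT}, "Information Sharing": "recognized"}
CRITICALITY = {"Risk Management": 3, "Event & Incident Response": 3, "Governance": 2,
               "Workforce & Training": 2, "Physical": 1, "Information Sharing": 1}
```

`phase_plan(prioritized_plan(CURRENT, DESIRED, CRITICALITY), 3)` puts Event & Incident Response alone in the first phase because its two-tier gap at criticality 3 outranks everything else.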
Cybersecurity is about managing risk
• It’s about digitally identifying, informing, enabling, controlling, and describing an asset.
• Assets can be people, processes, tools and systems.
• It’s about managing risk to the confidentiality, integrity and availability of the information impacting assets.
But modelling cyber risk is difficult…
- No authoritative source of data
- A cyber risk model requires input for people and processes in addition to technology
- Limited risk quantification models
Maritime cyber AWARENESS CYCLE
• ASSETS. Examples: Vessel, Cargo, Crew, Business processes, Enterprise IT-systems, Reputation.
• BUSINESS ENVIRONMENT. Owner of: hardware, software, business-network. Rules and regulations. Authorization to access and investigate when breached (jurisdiction), IT trends.
• THREAT ASSESSMENT. Threat actors (APTs, Contractors, Criminals, Hacktivists): intentions, capabilities, TTPs (DDoS, CPM, Phishing, Human manipulation, Social Engineering).
• SCENARIOS. How relevant threat actors would attack our defined assets.
• VULNERABILITIES. Common Vulnerabilities and Exposures (CVEs): People, Digital Footprint.
• RISK ASSESSMENT. Which vulnerabilities are exposed to the different types of scenarios?
• MITIGATION MEASURES. Examples: Move/re-organize Assets, Patch Management, General awareness & training regime, Detection systems.
• RESIDUAL RISK. What threats can still exploit vulnerabilities and interfere with Assets?
• CONTINGENCY PREPAREDNESS. Examples: Contingency Preparedness plan, Available and capable CERT?, Recovery Plans and Back up, Post Incident Analysis.
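The awareness cycle as a small scenario-based risk register, added here as an example rather than anything from the talk: threat actors, TTPs and assets are combined into scenarios, each scenario hangs on one vulnerability, mitigation measures lower the scenarios they cover, and what remains above a tolerance is the residual risk that contingency preparedness has to absorb. The 1..5 scales, the reductions per measure, the tolerance and all sample rows are constructed values.

```python
# Added example (not from the talk): a scenario-based risk register that walks the
# awareness cycle: assets -> threat assessment -> scenarios -> vulnerabilities ->
# risk assessment -> mitigation -> residual risk -> contingency preparedness.
# The 1..5 scales, the cuts, the tolerance and every sample row are constructed.
from dataclasses import dataclass
@dataclass(frozen=True)
class Scenario:
    actor: str          # threat actor: APTs, Contractors, Criminals, Hacktivists
    ttp: str            # TTP: DDoS, Phishing, Social Engineering, ...
    asset: str          # defined asset: Vessel, Cargo, Crew, Enterprise IT-systems, ...
    vulnerability: str  # exposure relied on: People, Digital Footprint, ...
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (minor) .. 5 (catastrophic)

@dataclass(frozen=True)
class Mitigation:
    name: str
    covers: frozenset   # vulnerabilities the measure addresses
    likelihood_cut: int = 0
    impact_cut: int = 0

def apply_mitigations(s, mitigations):
    """Lower likelihood/impact for each measure covering the scenario's vulnerability."""
    lik, imp = s.likelihood, s.impact
    for m in mitigations:
        if s.vulnerability in m.covers:
            lik, imp = max(1, lik - m.likelihood_cut), max(1, imp - m.impact_cut)
    return lik, imp

def residual_risk_register(scenarios, mitigations, tolerance):
    """Rows (scenario, inherent, residual, needs_contingency), highest residual first.
    Residual risk above tolerance is what contingency preparedness must cover."""
    rows = []
    for s in scenarios:
        lik, imp = apply_mitigations(s, mitigations)
        residual = lik * imp
        rows.append((s, s.likelihood * s.impact, residual, residual > tolerance))
    return sorted(rows, key=lambda r: (-r[2], -r[1]))

# Constructed sample data using the actors, TTPs, assets and measures named in the talk.
SCENARIOS = [
    Scenario("Criminals", "Phishing", "Enterprise IT-systems", "People", 5, 4),
    Scenario("Hacktivists", "DDoS", "Business processes", "Digital Footprint", 3, 3),
    Scenario("APTs", "Social Engineering", "Cargo", "People", 2, 5),
    Scenario("Contractors", "Human manipulation", "Vessel", "People", 2, 4),
]
MITIGATIONS = [
    Mitigation("General awareness & training regime", frozenset({"People"}), likelihood_cut=2),
    Mitigation("Detection systems", frozenset({"People", "Digital Footprint"}), impact_cut=1),
]
```

`residual_risk_register(SCENARIOS, MITIGATIONS, 6)` ranks the criminal phishing scenario first (inherent 20, residual 9) and flags it alone for contingency planning; the DDoS scenario, untouched by the training measure, lands exactly on the tolerance and is not flagged.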
Cybersecurity Capability Maturity
…defines an organization’s cyber ecosystem, identifies the depth and breadth of deployed capabilities, establishes benchmarks to support long-term measurement and continuous improvement, and serves as the primary mechanism for sustaining the organization’s cybersecurity strategy and investments.
Evolving from Cybersecurity to Cyber Maturity
CLASSIC CYBERSECURITY: the ability of an organization to technically prevent cyber attacks from breaching cyber defenses and then recover when a cyber attack occurs. Key stakeholders: Information Technology.
CYBER RESILIENCY: the ability of an organization to detect anomalies as they occur; correct vulnerabilities as they are identified and before a full recovery is required. Key stakeholders: everyone in the organization except “IT”.
CYBER MATURITY: involves the blended ‘institutionalization’ of participant awareness, cyber best practices, controls, and defense technologies across the entire enterprise. Key stakeholders: the entire organization.
Likelihood of a claim diminishes as organizations move towards higher levels of cyber maturity
Evolving from Cybersecurity to Cyber Maturity
ABOUT US
Axio provides cyber risk engineering services and data analytics to support the improved management of cyber risk, including the deployment of cyber insurance. We work with private and public sector organizations to help them better understand and manage their exposure to cyber risk through cybersecurity program evaluations and cyber loss scenario development and analysis.
Much of our work is performed for or in collaboration with the insurance industry; we are on the forefront of developing and enabling improved cyber insurance products that protect firms in the energy sector and other sectors for which physical damage, environmental damage, and bodily injury from cyber risk are real concerns.
The core of our data analytics work is the Axio knowledge center, which aggregates data from our services and other sources to provide a basis for cyber program capability benchmarks, modeling, and other data sciences to improve the understanding of cyber risk losses and associated predictive indicators. Our vision is that the rich data provided through our collaboration with the insurance industry will ultimately provide insight into predictive indicators for cyber loss that materially advance cybersecurity knowledge.
AXIO PROCESS
CYBER INSURANCE AS A CONTROL
The Ultimate Value Proposition: Insight and analysis from Axio’s Cyber Risk Knowledge Center enables clients to deploy risk transfer capacity to lower their overall risk.
SERVICES
1. Policy Analysis: identify gaps in current insurance coverage. Understand the types of impacts from potential cyber events that are not covered by your current insurance.
2. Cyber Loss Scenarios: develop notional and feasible cyber loss scenarios. Workshop to brainstorm several cyber loss scenarios that could lead to covered and uncovered impacts; estimate total potential cost of each.
3. Program Evaluation: evaluate cyber risk management capability and maturity. Evaluation based on Cybersecurity Capability Maturity Model (C2M2).
4. Cyber Risk Engineering: detailed impact analysis, frequency estimation, and loss control. More in-depth cyber loss scenario development and analysis than in step 2.
5. Insurance Placement: with brokers and insurers, secure meaningful coverage. Various new coverage forms and enhanced existing forms are becoming available.
Catastrophic cyber risk transfer capacity lowers the curve overall.
[Figure: Risk plotted against Cybersecurity Capability, with regions labelled “Invest in technology” and “Invest in transfer”.]
FOR INSURERS
• Scalable cybersecurity program evaluations and benchmarking to support underwriting, ranging from online self-evaluations to onsite in-depth evaluations.
• Data collection and analysis to monitor systemic and aggregation risk and to improve cyber loss models.
• Technology support for evaluations, data collection, and analysis.
• Training and consulting services to better enable insurers and broker partners to address the full range of cyber risk with clients.
FOR POLICYHOLDERS
• Policy analysis to identify and understand cyber exclusions in existing policies.
• Scenario workshops to develop and analyze cyber loss scenarios.
• Scalable cybersecurity program evaluations and benchmarking, ranging from online self-evaluations to onsite in-depth evaluations.
• Intra-organizational benchmarking to compare cyber risk management capabilities among parallel business units for in-depth analysis of large organizations.
• Cyber risk engineering services for in-depth loss scenario analysis, control, and modeling.
FOR BROKERS
• Policy analysis to identify and understand cyber exclusions in existing policies in support of specific clients or market analysis.
• Consulting services for design and placement of bespoke cyber insurance solutions such as captives to address unique client needs.
• Training and consulting services to better enable brokerage teams to address the full range of cyber risk with clients.
Axio Knowledge Center
KNOWLEDGE CENTER
• Benchmarks
• Cybersecurity program evaluations
• Loss and claims for insurance partners
• Predictive Models
• Aggregation and systemic risk analysis
• Publications
• Cyber risk and insurance training and consulting
• Loss scenario development and engineering
DATA SOURCES: aggregated data from Risk Engineering services, open sources, and insurance industry.
The Cyber Risk Reduction Curve
[Figure: Cyber Risk plotted against Cybersecurity Capability, with stage labels Classic Cybersecurity, Cyber Maturity and Cyber Resiliency; phases “Invest in cyber capabilities” and “Sustain capability & invest in insurance”; curves for Technology Risk Reduction and Insurance Risk Reduction.]
Structure
The Maritime Transportation Cybersecurity Capability Assessment Approach
The HACyberLogix application provides maritime organizational leadership with the sustained ability to analyze, benchmark, measure, and facilitate cybersecurity capability evolution across all the areas of a port’s business.
• Event & Incident Response
• Information Sharing
• ICT
• Situational Awareness
• Cyber Program Management
• Commercial
• Change Management
• Physical
• Threat & Vulnerability Management
• Workforce & Training
• Risk Management
• Governance
The HACyberLogix Structure
Designed for “Balance Sheet Owners”
• Risks are well understood and managed
• Risks are recognized but not well managed
• Risks are not well understood
Understanding the approach
Cyber as ROI
Two aspects in increasing ROI from investing in cybersecurity:
User
• Invest in user awareness training
• Educate staff on new measures, technologies and tools
Corporate
• Use the knowledge and best practices of other industries
• Cyber security by design