© 2016 HudsonAnalytix, Inc.
Maritime CyberSecurity
Safety at Sea National Maritime Day Seminar Series
National Press Club
Washington, DC
May 23rd 2016
Cynthia A. Hudson, CEO & Founder
HA-Cyber
Who We Are
HudsonAnalytix, Inc. delivers a broad range of integrated risk management services and technical solutions to the global maritime industry. Our clients include:
Port Authorities & Terminal Operators
National and regional port systems
Integrated oil/gas companies
National oil companies
Maritime transportation companies
Insurance Companies
Governments
Operating Subsidiaries:
HA-Cyber - Maritime Cyber Risk Management
HudsonMarine - Operational Marine Management
HudsonTrident - Security (Physical & Cyber)
HudsonTactix - Consequence Management
HudsonDynamix - Training
HudsonSystems - Software Solutions
Key Facts:
• Established in 1986
• Worldwide Presence:
• Philadelphia (Global HQ)
• Washington, DC
• Seattle, WA
• San Diego, CA
• Houston, TX
• Copenhagen, Denmark
• London, UK
• Rome, Italy
• Piraeus, Greece
• Jakarta, Indonesia (JV)
• Manila, Philippines
Dedicated Maritime Cyber Risk Management Practice: HA-Cyber
• Established late 2015
• Trusted Best-in-Class Partners
• Dedicated to the global maritime industry
• End-to-end Services and technical capabilities
• Blended, Standards-based, Maturity-Model Assessment Approach
• Informed by “attack side”
• Facilitation of Risk Transfer
• Global Reach
Serving: Ship-owners & Operators; Offshore; Ports & Terminal Operators; Waterside Facilities
“That cyber environment is one that really is the thing that keeps me up at night.”
CIA Director John Brennan, 14 February 2016, CBS 60 Minutes interview by Scott Pelley
The Cyberization of Risk - Everything is Connected
Law 1: Everything that is connected to the Internet can be hacked.
Law 2: Everything is being connected to the Internet.
Law 3: Everything else follows from the first two laws.
The impact of a cyber event can cascade across an organization, reinforcing the magnitude of its impact.
Zurich - Atlantic Council Image, Risk Nexus, April 2014
The Maritime “Internet of Everything” (IoE) is Here and Evolving
The “Maritime IoE” is being driven by the growth, adoption and ‘cheapening’ of:
Mobility devices
Storage capacity
Bandwidth availability
Social media
Cloud-based applications
People
[Figure: the Internet of Everything, linking People, Data, Things and Processes through Analytics]
From Digital Ship to the Autonomous Ship
Global Maritime Technology Trends 2030, QinetiQ, U. of Southampton & Lloyd’s Register; ©2015
Smart ships don’t represent a ‘stand-alone’ technology. They are a manifestation and exploitation of integrated, networked technologies (e.g. sensors, robotics, big data, advanced materials, and communications).
What is Cybersecurity?
Cybersecurity is NOT just:
Information Technology (“IT”)
Compliance (e.g. ISM, ISO, ISPS)
Cybersecurity IS:
A risk management function designed to provide a standard of care.
The mission and business of protecting the enterprise.
When we say “Cyber Risk” what do we mean?
Cyber risk signifies more than data breaches…
Seaworthiness
Client and employee information
Commercial confidential information / assets
Money (Profit and Loss)
Reputation
Stuxnet and Shamoon were game changers: they proved that physical events can be triggered through cyber means.
Sony was also a game changer: it targeted employees, damaged systems and reputations, and divulged corporate secrets and trade information.
The Telegraph, 30 Nov 2010
Why Should We Manage Cyber Risk in the Maritime Domain?
Every port authority and terminal operator operating in the world economy creates, utilizes, stores, manages, and exchanges digital data, along with financial information, via internal and external networks.
Ports sustain 90% of the global economy.
www.mits-forum.org
• 4,764 Ports in 196 countries
• 68,000+ vessels by 2023
Recurring Industry Themes:
• Multimodal connectivity
• Increase efficiency of operations
• Increase capacity for small port infrastructure
• Passenger traffic
Internet of Things Cyber Risk Insight: Mobile Computing
ILO MLC 2006, Title 3 Amendments list the requirements for recreational facility amenities that include but are not limited to some or all of the following: PC equipment, communication facilities, including email and internet access…
Similarly, with the ISM…
Section 1.2.2.2 of the International Safety Management (ISM) Code states:
“Assess all identified risk to its ships, personnel and the environment and establish appropriate safeguards.”
REF: IMO’s Facilitation Committee, 40th Session, Meeting April 4th - 8th 2016
Cyber Security
The Facilitation Committee is expected to identify the facilitation aspects with regards to protecting the maritime transport network from cyber threats, with a view to developing voluntary maritime cybersecurity guidelines, including best practices.
Recent Guidelines Issued
[Figure: guideline documents dated Jan. 2016, Feb. 2016 and May 2016]
So What’s Vulnerable?
Supervisory Control & Data Acquisition (SCADA) equipment and Industrial Control Systems (ICS) for loading/unloading of bulk/containerized cargo
Cargo / Terminal Management Systems
Domain Awareness / Navigational Systems - RADAR, AIS, VTS/VTMS
Any Business Software Application (e.g. email, financial, human resources, logistics, business operations, etc. - Think “ERP”)
Any Operating Systems (e.g. Microsoft, Linux)
Security Systems - CCTV, Access Control
Mobility devices and platforms - RFID
Communications Systems
Employees (insiders)
Are Ships Vulnerable?
[Figure: Source: USCG Cyber Strategy]
IRISL Hack (2011)
• Servers were compromised
• Logistics systems crashed
• Entire fleet of 172 vessels was compromised
• False information input into systems:
• Compromised manifests
• Falsification of rates
• Containers ‘cloaked’
• Delivery dates
• Client / Vendor Data
• Major Business Interruption!
Port of Antwerp Cyber Attack, 2011-2013: Cyber-enabled cargo theft
Drug traffickers recruited hackers to breach IT systems
Controlled the movement and location of containers over a 2-year period from June 2011
Drugs were hidden in containers among legitimate cargo
Enabled traffickers to steal the cargo before the legitimate owners arrived
Hacking technique involved physical access to computer networks and installation of snooping devices
Impact: cargo theft
http://www.bbc.com/news/world-europe-24539417
http://www.portstrategy.com/__data/assets/image/0026/207449/Antwerp-port-is-a-massive-operation-despite-being-50-miles-inland.jpg
The Greatest Cyber Threat to us All: Data Integrity
“Integrity. Cyber operations include an increased emphasis on changing or manipulating data to compromise its integrity to affect decision making, reduce trust in systems, or cause adverse physical effects.”
Threat actions include:
• Posting disinformation on websites,
• Altering of online media as a means to influence public discourse and sentiment
• Modify stored data
• Transmit false data
• Track and/or manipulate the flow of information
USCG Maritime Cyber Bulletin, 28 December 2015
Business Email Compromise is a global scam with subjects and victims in many countries. The FBI received victim complaints from more than 45 countries between 2013 - 2014:
Total U.S. victims: 1,198
Total U.S. dollar loss: $179,755,367.08
Total non-U.S. victims: 928
Total non-U.S. dollar loss: $35,217,136
Combined victims: 2,126
Combined dollar loss: $214,972,503
The “Whale” Attack: Targeting Key Executives
As of April 2016:
• USD $2.3 billion in losses since 2013;
• 270% increase since January 2015; and,
• 79 Countries have been affected.
Re-Thinking Maritime Cyber Resiliency in a “Cyberized” World
Assume your business has already been attacked, infiltrated and compromised
Understand that there is no “magic bullet”
Develop a New Approach:
• Take a top-down approach
• Implement an enterprise cyber risk management strategy
The Cyber Risk Reduction Curve
ABOUT US
Axio provides cyber risk engineering services and data analytics to support the improved management of cyber risk, including the deployment of cyber insurance. We work with private and public sector organizations to help them better understand and manage their exposure to cyber risk through cybersecurity program evaluations and cyber loss scenario development and analysis.
Much of our work is performed for or in collaboration with the insurance industry; we are on the forefront of developing and enabling improved cyber insurance products that protect firms in the energy sector and other sectors for which physical damage, environmental damage, and bodily injury from cyber risk are real concerns.
The core of our data analytics work is the Axio knowledge center, which aggregates data from our services and other sources to provide a basis for cyber program capability benchmarks, modeling, and other data sciences to improve the understanding of cyber risk losses and associated predictive indicators. Our vision is that the rich data provided through our collaboration with the insurance industry will ultimately provide insight into predictive indicators for cyber loss that materially advance cybersecurity knowledge.
AXIO PROCESS
CYBER INSURANCE AS A CONTROL
The Ultimate Value Proposition: Insight and analysis from Axio’s Cyber Risk Knowledge Center enables clients to deploy risk transfer capacity to lower their overall risk.
1. Policy Analysis: Identify gaps in current insurance coverage. Understand the types of impacts from potential cyber events that are not covered by your current insurance.
2. Cyber Loss Scenarios: Develop notional and feasible cyber loss scenarios. Workshop to brainstorm several cyber loss scenarios that could lead to covered and uncovered impacts; estimate total potential cost of each.
3. Program Evaluation: Evaluate cyber risk management capability and maturity. Evaluation based on Cybersecurity Capability Maturity Model (C2M2).
4. Cyber Risk Engineering: Detailed impact analysis, frequency estimation, and loss control. More in-depth cyber loss scenario development and analysis than in step 2.
5. Insurance Placement: With brokers and insurers, secure meaningful coverage. Various new coverage forms and enhanced existing forms are becoming available.
Catastrophic cyber risk transfer capacity lowers the curve overall.
[Figure: the Cyber Risk Reduction Curve, Risk plotted against Cybersecurity Capability, with regions labelled “Invest in Technology” and “Invest in Transfer”]
SERVICES
FOR INSURERS
Scalable cybersecurity program evaluations and benchmarking to support underwriting, ranging from online self-evaluations to onsite in-depth evaluations.
Data collection and analysis to monitor systemic and aggregation risk and to improve cyber loss models.
Technology support for evaluations, data collection, and analysis.
Training and consulting services to better enable insurers and broker partners to address the full range of cyber risk with clients.
FOR POLICYHOLDERS
Policy analysis to identify and understand cyber exclusions in existing policies.
Scenario workshops to develop and analyze cyber loss scenarios.
Scalable cybersecurity program evaluations and benchmarking, ranging from online self-evaluations to onsite in-depth evaluations.
Intra-organizational benchmarking to compare cyber risk management capabilities among parallel business units for in-depth analysis of large organizations.
Cyber risk engineering services for in-depth loss scenario analysis, control, and modeling.
FOR BROKERS
Policy analysis to identify and understand cyber exclusions in existing policies in support of specific clients or market analysis.
Consulting services for design and placement of bespoke cyber insurance solutions such as captives to address unique client needs.
Training and consulting services to better enable brokerage teams to address the full range of cyber risk with clients.
Axio Knowledge Center
Data sources: aggregated data from Risk Engineering services, open sources, and the insurance industry.
Knowledge Center outputs:
• Benchmarks
• Cybersecurity program evaluations
• Loss and claims for insurance partners
• Predictive models
• Aggregation and systemic risk analysis
• Publications
• Cyber risk and insurance training and consulting
• Loss scenario development and engineering
[Figure: the Cyber Risk Reduction Curve, Cyber Risk plotted against Cybersecurity Capability. Stages: Basic Cybersecurity Capabilities, Cyber Maturity, Cyber Resiliency; phases labelled “Invest in Cyber Capabilities” and “Sustain Capability & Invest in Insurance”]
Cyber Risk Management Begins at the Top - it’s a Boardroom Challenge
CEOs and Board Members are increasingly being held accountable for their organization’s cyber resilience. Cyber risk management must be owned by leadership rather than be relegated to an “IT” challenge.
Cyber risk affects an organization’s:
• Balance Sheet / Profit & Loss
• Legal Exposure
• Operational Effectiveness
• Customers
• Vendors & Partners
• Employees
Gain Awareness & Train!
Executive Leadership Briefings
Workforce training spanning multiple cyber maturity dimensions (e.g. spear-phishing, passwords, social media, etc.)
Consider web-based training awareness tools for baseline and refresher training
In-house Cyber TTX combined with ISPS Code requirements
Technical Staff Training
Global organizations can rapidly deliver and sustain cybersecurity and cyber risk awareness training across the enterprise.
Insurance Considerations
First Party Damages (Tangible & Financial)
• Response Costs - Forensics, notifications
• Legal expenses: advice and defense
• Revenue losses due to network or computer outages
• Restoration costs related to reconstitution of lost data
• Ransomware: Cyber extortion
• IP Loss: value of stolen property
• Mechanical compromise / breakdown
• Destruction of equipment or property
• Lost revenue due to physical damages
• Bodily injury to employees
Scenarios: Insider threat; Network Disruption; Network breach; Malware attack (e.g. on SCADA); Ransomware
Third Party Damages (Tangible & Financial)
• Financial recovery due to consequential loss of revenue
• Restoration activity expenses
• Legal expenses: advice and defense
• Credit monitoring costs
• Physical damage / destruction of equipment and/or property
• Environmental cleanup
• Bodily injury to others
• Regulatory fines
Scenarios: Insider threat; Network Disruption; Network breach; Malware attack (e.g. on SCADA)
Cybersecurity as a Social Compact?
2016 Award for Outstanding Woman in Maritime Port Protection
Cyber-Social Responsibility: from Awareness to Action
Panama City, Panama, April 27, 2016
Packaged Offerings Available
Available | Description | Type
√ | Tier 1, 2 & 3 Maritime ESA | Assessment
√ | Penetration Testing | Assessment
√ | Executive Briefings | Training
√ | In-House Cyber TTX | Customized Training
√ | Awareness Training (Web/Email) | Training
√ | Enterprise Managed Security Service Provider (MSSP) | Cyber Defense / Includes Incident Response support
√ | Cybersecurity Program Design, Development and Planning | Advisory Support
√ | Cyber Incident Response / Crisis Mgmt. | Advisory / Response
√ | Cyber Threat Intelligence Service | Available Early April / Priced for Maritime Market
Thank You & Questions?
Cynthia A. Hudson, CEO & Founder
Ferry Terminal Building, Suite 300
2 Aquarium Drive
Camden, NJ 08103
Office: +1.856.342.7500
Mobile: +1.609.505.6878