There has been much talk about the Russian cyber attacks against the US Presidential elections in 2016 and others and the release of stolen emails and political campaign information resulting from those hacks.
I've put together this mindmap to demystify how it all happened and to show why it is critical to manage the insider threat / employee risk holistically, alongside your information security and your IT risks.
The mindmap shows that by using open source research and social media the hackers were able to socially engineer members of political organisations and campaigners in order to trick them into clicking on links and allowing the hackers "in" to their networks. From there they were able to gain access to other related organisations and eventually Hillary Clinton's private email server.
The information stolen was then passed to a variety of people and groups, all of whom had a use for that information or found value in knowing its content: from political opponents to lobbyists and protest groups. A knowledge of the risks and threats posed, and of how attacks happen, would have gone a long way towards mitigating these issues.
If you would like to talk more about protecting your business, get in touch.
“The manufacturing sector is the third most targeted sector for cyber-attacks; yet it is one of the least prepared and protected sectors of the economy”.
These are the findings of a report published by the Manufacturers organisation, the EEF, in partnership with insurance firm AIG and RUSI, the Royal United Services Institute.
Many cyber-incidents (those that are discovered) go unreported; however, there have been a number of notable attacks on manufacturing companies in the recent past that have been widely acknowledged:
At the end of 2014, a German steel mill suffered a cyber-attack. The attack compromised the office network and prevented the shutdown of the blast furnace itself, resulting in massive damage to the foundry. In 2017, an attack on the industrial control systems of a Saudi Arabian petrochemical company, designed to cause an explosion, failed only because the developers of the malicious software made an error in the code; the attack still caused the system to shut down, but it did so in a safe manner.
Both of these attacks are thought to have been assisted by “insiders” with extensive access to systems and information.
Report – Headlines
The EEF report found that:
48% of manufacturers polled said that they had been the victim of a cyber-incident, and half of them had suffered financial loss or business disruption as a result of the incident;
35% of manufacturing businesses are not embracing digitisation where possible, due to cyber security concerns, and are therefore losing possible business opportunities to competitors who have modernised;
41% of manufacturers don’t believe they can assess the cyber risk properly because of a lack of information and advice, and 45% don’t believe that they have the right tools to do the job;
Worryingly, 12% of manufacturers have no systems or measures in place at all to defend against the threat of cyber-attack and the resulting disruption that it would cause.
Cyber-security, however, is more than just dealing with the threat of technology and control systems being compromised to inflict damage and financial loss on a company.
Cyber-attacks can result in a multitude of different outcomes, including but not limited to the theft of sensitive information, the loss of access to control and IT systems and the loss of competitive advantage through industrial espionage.
There is also another information loss vector that is often overlooked and should be considered – “Competitive Intelligence”.
All information leakage, legal or otherwise, can potentially be damaging to your business. The first thing to make clear is that the practice of competitive intelligence is not in any way illegal. It is a legitimate and respected business intelligence function that provides extremely valuable information for those companies using it, and it is for this reason that it is being included in my definition of “threat”.
An interesting paper, “Are we being innovative enough with composites”, written by Alison McMillan, PhD (a consultant at WOT-I Ltd) and published at the SAMPE Europe conference last year, suggests how it would be possible for a competitor to discover likely “technology insertion timeframes” in manufacturing companies.
The full paper can be accessed at the following link;
“Technology Insertion Timeframes” can be identified by analysing the number of patent applications and comparing them against the rate of publishing of those applications and then looking for the peak. The report illustrates how easy it can be to identify the timeframe of a product coming to market.
When combined also with sophisticated data analysis, Alison McMillan demonstrates that this form of competitive intelligence could be an extremely powerful and predictive tool.
From my own conversations with Dr McMillan: in the circumstances described above, patent and IP protection held in a small number of major customer countries is likely to be sufficient to protect IP for a product globally. This is not the case, however, for manufacturing processes.
In order to protect manufacturing processes, Dr McMillan observes that companies should consider expanding the number of countries bound by IP protection measures, to include as many countries as possible with the advanced manufacturing and design capability, to provide the greatest possible protection. Without such action, a determined competitor could analyse the patent(s) and simply move the manufacture of “their” competing product to a country with a high-tech manufacturing capability, where the patent is not in force – combining information from design data and inferred manufacturing processes to gain competitive advantage.
“In many cases keeping manufacturing processes secret can be a much more effective means as a protection strategy” [than relying on IP protection alone].
[There are cases where a patent can be a necessary option – it protects the original inventor from another company patenting the same idea, and thereby being excluded from using it]
– Alison McMillan.
The danger posed through the use of competitive intelligence analysis, the increasing use of cyber-attack, industrial espionage and the theft of intellectual property, to steal the lead on a competitor, makes the need for that target firm to secure its information more important than ever.
Without “active” measures to secure and protect information against these threats, the route to manufacture for competitors and foreign governments alike becomes a much more achievable one.
So, how do you protect your IP and your manufacturing processes?
The way to protect your company and your IP is to implement an Information Security Management System (ISMS) within your organisation.
A tailored system, incorporating cyber / information security and business continuity should be simple, measurable and achievable. It will ensure you have robust, risk based defences, with appropriate measures, tools and systems to prevent information leakage or to deal with incidents when they occur.
Implementation of an Information Security Management System within your business, aligned with international standards such as ISO 27001 for Information Security, will ensure that all cyber and business resilience risks are identified and controlled appropriately, protecting you, your organisation and your intellectual property from risk.
For information on how ESID Consulting can help you to defend against the cyber threat please contact us
at firstname.lastname@example.org or Tel +44 (0) 844 358 2362
Automation, digitisation, system integration, internet of things... the list goes on. Technology, and our use of it, is advancing at a staggering rate. The speed at which this advance is taking place, and our reliance on the technology to get business done, has meant that vulnerabilities in the systems have either been ignored altogether, because of a lack of perceived risk and the “It’ll never happen to me” attitude, or have simply never been considered.
I could be talking about any industry or part of the economy you can think of today.
Many industries and sectors of the economy are currently putting measures in place to improve the protection of their information and the security of their IT systems, against the cyber threat. No doubt this is due in part to new legislation such as EU GDPR and the NIS Directive.
There is one industry however that has been slow to respond and slow to recognise its own vulnerability to the cyber threat and that industry is the maritime and shipping industry.
There are a number of disturbing scenarios being discussed amongst maritime organisations and in the media in general. These range from cyber-enabled hijacking of a ship and its crew by pirates, and the “spoofing” of the Automatic Identification System (AIS) to change the reported positions of ships at sea, through to cyber-attacks similar to those that affected Maersk shipping and cost it a reported $300 million. Superyachts are not immune either, as demonstrated by students from the University of Texas, who successfully sent a yacht off course in the Mediterranean without the crew’s knowledge.
Of course, all things are possible given the technical expertise, planning and resources required to perform a determined and targeted attack. And when we read of these incidents it’s easy to forget the more mundane and everyday risks that affect the maritime sector and shipping in general. The same risks that affect every other sector, in any industry and in any country, that uses technology as part of its business.
Due to a number of factors, however, the risk of cyber-attack to the shipping industry is magnified. The international shipping industry is responsible for the carriage of around 90% of world trade.
Shipping enables the global economy. Without shipping, intercontinental trade, the bulk transport of raw materials, and the import/export of food and manufactured goods on its current scale would simply not be possible.
Ships are technically sophisticated, high value assets (larger hi-tech vessels can cost over US $200 million to build), and the operation of merchant ships generates an estimated annual income of over half a trillion US Dollars in freight rates. (figures courtesy of ICS)
There is a huge drive towards digitisation and a reduction in crewing numbers, made possible by increasing automation and a desire for completely autonomous vessels. Add to this the sheer complexity of a ship’s systems and, lastly, the size and value of the ships themselves and of their cargo.
Ships have a huge number of digital systems and networked devices, from navigation equipment, bridge and engine control, crane equipment, load and stability computers, bow thruster control systems, alarm monitoring, ship safety systems, power management, mooring and winch control, Electronic Chart Display and Information Systems (ECDIS), Automatic Identification Systems (AIS) and more. All of these systems form part of a ship’s network or networks. All systems require maintenance and patching, and all should be subject to “controls”.
A survey by IHS Fairplay last year into cyber security in the maritime industry found that 34% of companies had knowingly experienced a cyber-attack in the previous 12 months. Of those attacks, the majority were ransomware and phishing incidents; exactly the same sorts of incidents affecting companies everywhere else.
The survey also revealed that employees had not received cyber awareness training of any kind.
34% of those questioned said that their company had no IT security policy at all, suggesting that IT security in a third of all maritime and shipping companies is being ignored or is being handled through an unsatisfactory, ad hoc, incident-by-incident approach.
For an industry as important to global trade and prosperity as shipping, and with the immense investment required in infrastructure and operations, this disregard for cyber security is negligence on an unprecedented scale. It also leaves company executives and boards in indefensible, exposed and vulnerable positions, open to sanction and personal liability in the event of a breach for failing to implement appropriate “systems” to prevent and defend against such eventualities. That is not to mention the catastrophic damage a serious cyber incident could have on the company itself or its reputation.
In line with other industries, the employee risk is a big concern. The survey showed that 47% of those questioned believed that their organisation’s biggest vulnerability was its staff, the “insider threat”. It should also be remembered that the insider threat includes third-party suppliers, contractors and others in the supply chain, outside of the direct control of the shipping company.
Regulation / Compliance
The EU General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NIS) are both coming into force in May.
GDPR’s territorial scope is global. If your company holds or processes the personal data of EU citizens, people working for EU entities or trading with the EU, then you need to comply. Failing to do so could result in punitive fines following a breach. Under GDPR the definition of “personal data” is also much broader than you might expect, and encompasses any information that can identify a living individual.
GDPR also requires companies to report data breaches within 72 hours. Compulsory breach notification will highlight those companies not applying appropriate measures to protect the data they hold. In turn, it will also spotlight potential vulnerabilities in systems and processes, allowing the industry as a whole to take coordinated and complementary action to mitigate the vulnerabilities identified. Staff training must also feature heavily in these measures.
GDPR also places obligations on organisations to ensure that all those within the supply chain with data processing responsibilities apply appropriate security measures in the collection, handling, access and destruction of data. If the processor suffers a breach, the controller could still be liable. So, it is incumbent on the controller to make sure that suitable security measures, agreements and contracts are in force.
The NIS Directive, covering network and information systems across the EU hasn’t received the publicity and attention that GDPR has and you might be forgiven for not noticing it. NIS applies to organisations working with Critical National Infrastructure and Services, including water, energy, digital infrastructure, banking, healthcare and transport.
The fines are in line with GDPR for those organisations that “fail to demonstrate” that they have sufficient “systems” in place to protect their systems and networks against cyber-attack. Think of the Maersk shipping incident costing $300 million and add on GDPR-sized fines.
The level of security is not mandated but should include: Systems and Facilities, Incident Response, Business Continuity, Monitoring, Auditing and Testing and Compliance. The directive requires organisations to have an “appropriate” level of security in place to manage the cyber risk.
The way to protect your company and yourselves (if you are directors), and to become compliant with the GDPR and the NIS Directive, is to implement a cyber security and resilience programme within your organisation, incorporating cyber / information security and business continuity, to provide you with robust, risk-based defences, appropriate preventative measures and the tools and systems to deal with incidents when they occur.
Implementation of an Information Security Management System (ISMS) within your business, aligned with international standards such as ISO 27001 for Information Security and ISO 22301 for Business Continuity, will ensure that all cyber and business resilience risks are identified and controlled appropriately, protecting you, your organisation and global trade.
Need help, call us... ESID Consulting Tel 0844 358 2362 or email email@example.com
Together with Jonathan Thornton, Dale Howarth, Chris Court and Alistair Dickinson, I spoke yesterday on the subject of GDPR to a packed conference room (extra seating required!). Really great questions and an overwhelmingly positive response and feedback from the delegates.
We were able to provide much needed clarity in a space that is becoming crowded with "experts" and scaremongers.
Thank you to Jonathan and PC Consultants for hosting the seminar and to all those involved in what was an enjoyable, well managed and professional event.
Need help with GDPR ? Call ESID Consulting Tel 0844 358 2362 or email firstname.lastname@example.org
Gary is CEO and Founder of ESID Consulting, an Insider Threat & Information Security consultancy.