Automation, digitisation, system integration, internet of things…….the list goes on. Technology and our use of it, is advancing at a staggering rate. The speed at which this advance is taking place and our reliance on the technology to get business done, has meant that vulnerabilities in the systems have either been ignored altogether, because of a lack of perceived risk and the “It’ll never happen to me” attitude. Or, the vulnerabilities have just not been considered.
I could be talking about any industry or part of the economy you can think of today.
Many industries and sectors of the economy are currently putting measures in place to improve the protection of their information and the security of their IT systems, against the cyber threat. No doubt this is due in part to new legislation such as EU GDPR and the NIS Directive.
There is one industry however that has been slow to respond and slow to recognise its own vulnerability to the cyber threat and that industry is the maritime and shipping industry.
There are a number of disturbing scenarios being discussed amongst maritime organisations and in the media in general. These range from cyber enabled hijacking of a ship and its crew by pirates. The “spoofing” of the automatic Identification System (AIS), to change the reported positions of ships at sea.
Through to cyber-attacks, similar to those that affected Maersk shipping and cost it in the region of a reported $300 million. Superyachts are not immune either, as demonstrated by students from the University of Texas, when they successfully sent a yacht off course in the Mediterranean, without the crew’s knowledge.
Of course, all things are possible given the technical expertise, planning and resources required to perform a determined and targeted attack. And when we read of these incidents it’s easy to forget the more mundane and everyday risks that affect the maritime sector and shipping in general. The same risks that affect every other sector, in any industry and in any country, that uses technology as part of its business.
Due to a number of factors however, the risk of cyber-attack to the shipping industry is magnified. The international shipping industry is responsible for the carriage of around 90% of world trade.
Shipping enables the global economy. Without shipping, intercontinental trade, the bulk transport of raw materials, and the import/export of food and manufactured goods on its current scale would simply not be possible.
Ships are technically sophisticated, high value assets (larger hi-tech vessels can cost over US $200 million to build), and the operation of merchant ships generates an estimated annual income of over half a trillion US Dollars in freight rates. (figures courtesy of ICS)
There is a huge drive towards digitisation and a reduction in crewing numbers, allowed by the increasing automation and a desire for completely autonomous vehicles. The sheer complexity of a ships systems and lastly, the size and value of the ships themselves and of their cargo.
Ships have a huge number of digital systems and networked devices, from navigation equipment, bridge and engine control, crane equipment, load and stability computers, bow thruster control systems, alarm monitoring, ship safety systems, power management, mooring and winch control, electronic chart display and Information Systems (ECDIS), automatic identification systems (AIS) and more. All of these systems form part of a ships network or networks. All systems require maintenance and patching and all should be subject to “controls”.
A survey by I.H.S. Fairplay, last year into cyber security survey in the maritime industry found that 34 % of companies had knowingly experienced a cyber-attack in the previous 12 months. Of those attacks, the majority were ransomware and phishing incidents; exactly the same sorts of incidents affecting companies everywhere else.
The survey also revealed that employees had not received cyber awareness training of any kind.
34% of those questioned said that their company had no IT security policy at all. Suggesting that IT security in a 1/3 of all maritime and shipping companies is being ignored or being is handled through an unsatisfactory, ad hoc, incident by incident approach.
For an industry as important to global trade and prosperity as shipping and with the immense investment required in infrastructure and operations, this disregard for cyber security is negligence on an unprecedented scale. It also leaves company executives and boards in indefensible, exposed and vulnerable positions. Open to sanction and personal liability in the event of a breach, for failing to implement appropriate “systems”, to prevent and defend against such eventualities. Not to mention the catastrophic damage a serious cyber incident could have on the company itself or its reputation.
In line with other industries, the employee risk is a big concern. The survey showed that 47 % of believed that their organisation’s biggest vulnerability was its staff, the “insider threat”. It should also be remembered that the insider threat will include 3rd party suppliers, contractors and others in the supply chain, outside of the direct control of the shipping company.
Regulation / Compliance
The EU General Data Protection Regulations (GDPR) and the Network and Information Systems Directive (NIS) both coming into force in May.
GDPR’s territorial scope is global. If your company holds or processes the personal data of E.U. citizens, people working for E.U. entities or trading with the E.U. then you need to comply. Failing to do so could result in punitive fines following a breach. Under GDPR the definition of “personal data” is also much broader than you might expect, and encompasses any information that can identify a living individual.
GDPR also requires companies to report data breaches within 72 hours. Compulsory breach notification will highlight those companies not applying appropriate measures to protect the data they hold. In turn, it will also spotlight potential vulnerabilities in systems and processes, allowing the industry as a whole to take coordinated and complementary action to mitigate the vulnerabilities identified. Staff training must also feature heavily in these measures.
GDPR also places obligations on organisations to ensure that all those within the supply chain, with data processing responsibilities, to apply appropriate security measures in the collection, handling, access and destruction of data. If the processor suffers a breach, the controller could still be liable. So, it is incumbent on the controller to make sure that suitable security measures, agreements and contracts are in force.
The NIS Directive, covering network and information systems across the EU hasn’t received the publicity and attention that GDPR has and you might be forgiven for not noticing it. NIS applies to organisations working with Critical National Infrastructure and Services, including water, energy, digital infrastructure, banking, healthcare and transport.
The fines are in line with GDPR, for those organisations that “fail to demonstrate” that they have sufficient “systems” in place to protect their systems and networks against cyber-attack. Think of the Maersk shipping incident costing $300 million and add on GDPR size fines.
The level of security is not mandated but should include: Systems and Facilities, Incident Response, Business Continuity, Monitoring, Auditing and Testing and Compliance. The directive requires organisations to have an “appropriate” level of security in place to manage the cyber risk.
The way to protect your company and yourselves (if you are directors) and to become compliant with the GDPR and the NIS Directive is to implement a cyber security and resilience programme within your organisation. Incorporating cyber / information security and business continuity, to provide you with robust, risk-based defences, appropriate preventative measures and the tools and systems to deal with incidents when they occur.
Implementation of an Information Security Management System (ISMS) within your business, aligned with international standards such as ISO27001 for Information Security and ISO 22301 for Business Continuity, will ensure that all cyber and business resilience risks are identified and controlled appropriately. Protecting you, your organisation and global trade.
Need help, call us... ESID Consulting Tel 0844 358 2362 or email email@example.com
Together with Jonathan Thornton, Dale Howarth, Chris Court and Alistair Dickinson I spoke yesterday on the subject of GDPR to a packed conference room (extra seating required !) Really great questions and an overwhelmingly positive response and feedback from the delegates.
We were able to provide much needed clarity in a space that is becoming crowded with "experts" and scaremongers.
Thank you to Jonathan and PC Consultants for hosting the seminar and to all those involved in what was an enjoyable, well managed and professional event.
Need help with GDPR ? Call ESID Consulting Tel 0844 358 2362 or email firstname.lastname@example.org
Twice in the last month ESID Consulting has been requested to provide support and advice concerning information security risk assessments performed by other vendors. My being called to assist was due to the fact that the customer didn’t understand the final report they were given (and paid for) and for some reason they didn’t want to or didn’t feel that they could ask the company concerned to explain things to them.
On both occasions the reasons that the customer didn’t understand what they had was because the reports were full of “geek” speak and padding (with useless information and confusing flow diagrams).
The other thing I found was that these so called risk assessments were not what I would call risk assessments.
The first was called “data security risk assessment” and the other a “high level risk assessment”. Now, I suppose if you want to argue it that may well be correct in a grey / wooly sense of the term. But all they served to do was mislead the customer ! They were in fact both “Gap Analysis” assessments, not the same things.
A “proper” risk assessment is mapped against risk, threats and vulnerabilities, takes considerably longer to perform and is asset based, meaning that the organisation needs to know and understand what its assets are in the first place.
This lack of clear description leaves the customer understandably “miffed” when they are told that they need to have another more granular risk assessment done. Now, this may be just down to the language used at the time of sale, and subsequent misunderstanding by the customer. But it shouldn’t ever come to that.
A risk assessment also forms an integral part of an Information Security Management System (ISMS), which is the natural follow up to the risk assessment exercise. An ISMS is entirely risk based, covers the whole business and is integral to all business processes. It is a framework that becomes a business enabler, it drives efficiency, transparency and trust within an organisation. And it provides a framework that secures and protects your business assets and your bottom line.
All of the work performed by ESID Consulting is based on openness and transparency. All of our reports are clear and as free of jargon as possible. We will explain everything and hold your hand through the entire project. We don’t just give you the report and walk away. We very much become part of the team and provide a “shared” CISO / CSO facility for those organisations that either don’t have one or for those that do, we can share the load.
So, if you are currently looking at a risk assessment or report from another company or you are trying to implement an ISMS and you haven’t got a clue of what it means or where to start or go next then call us.
ESID Consulting Tel 0844 358 2362 or email email@example.com
A client has recently asked me for advice on how to protect themselves when travelling abroad on company business. So I have decided to republish this article as a reminder to all of our clients.
There are two common themes that come up. Both separate concerns in their own right, but connected. The first was personal safety and the second was that of security around their work devices and mobile phones.
In dealing with the first “personal safety”issue the advice is to simply carry on as normal, as you would when you perhaps travel to a new city or any new part of a city in the UK. This is best described with the use of a short scenario.
Let’s just say the you arrive at your hotel late in the evening and after unpacking, you decide to go for a short walk, to stretch your legs before dinner.
You come out of the hotel, turn right and wander up the street, browsing in the brightly lit shop windows along the main road.
You spend 5 or 10 minutes turning down some smaller side streets, before realising that those streets are slightly darker and less well lit than those before.
It also becomes apparent that the area is becoming more residential and less commercial. After a little while you notice that some of the streetlights are broken, that the cars are less new and more in need of some TLC than those high-value prestige models that you walked past earlier. You also start to notice that some of the windows have tatty curtains or even blankets in them and one or two of the doorways have been boarded up. There is also a slight smell of urine and the area has a decidedly “uncared for” feeling to it.
I would suggest that by now, or possibly some time before, you would be thinking that it’s high time to turn around and make your way back to the bright lights and the main roads? Or maybe your risk tolerance level is such that they are happy to continue, right up until the point that you now notice a couple of unsavoury individuals sitting on a wall or standing in a dimly lit doorway, looking at you (at least that’s what the hackles on the back of your neck are telling you).
Maybe that’s the point, that you decide that it’s time for dinner and time to wander back to the main street and your hotel ?
It’s about maintaining an awareness of your surroundings and knowing where you are. Not making ostentatious signs of wealth, (think about leaving the Rolex in the hotel safe, or at least make sure that it’s covered up with the sleeve of your jacket).
Be careful how you carry your camera, with it’s £1000 lens and maybe cover it up with an inexpensive bag of some kind, as opposed to a label that says “money”.
Just follow and apply the rules handed down to your own teenage sons and daughters, about keeping your handbag in front of you and not just on the shoulder. Make sure that your wallet isn’t just in the back pocket and make sure you don’t ride in unlicenced taxi’s!
It’s just about being careful. These rules are good for both the UK and abroad.
Make use of Foreign and Commonwealth Office (FCO) security and travel advice in all instances of foreign travel.
Moving on to security around your work and mobile devices.
The cyber risk posed by hotels is a significant one. There are plenty of reports of attacks on high-profile company executives and employees of government agencies. However, what goes unreported, perhaps because of a lack of an awareness, is of those less well known attacks, on the modern business traveller, with a veritable feast of files and personal information stored on their mobile devices and laptops.
After a long and sometimes fraught journey, these travellers and executives will (irrespective of how well-intentioned they are), let their guard down once inside the relative “safety” of their hotel rooms.
The biggest risk by far is the hotel or coffee shop Wi-Fi network. It is easy and free to download software that will “sniff”a Wi-Fi network and enable a criminal or foreign power, to spy on the communications traffic using that network (it is illegal to do this in the UK).
Users can also be misdirected through rogue (not set up by the hotel or coffee shop) Wi-Fi access points to fake sites or to inadvertently download malicious software to their or your devices.
An encrypted VPN connection is the only effective way to protect your data (or your web surfing) from snooping at the network level. Businesses and IT departments should make sure that employees who travel, have this connectivity. VPN software is easy, cheap and affordable enough that even those travelling for personal reasons, can use this technology to protect themselves.
It’s also good practice to plug in to a wired network port (in my experience, normally next to the kettle!) wherever possible, to reduce the risk of connecting to a rogue access point.
An alternative to using the hotel network is to take your own travel wireless router, although you should make sure that you’ve changed the default username and passwords and enabled encryption. It makes sense also, to avoid software updates whilst travelling also (unless you know what you are doing).
Depending on your data allowance you could also consider creating a personal hotspot or similar and using the Wi-Fi created by your mobile phone for access to emails or the web. Or you could use a Wi-Fi dongle for this access.
Beware of using USB charging stations as these can be used to inject malicious software into the devices travellers plug into them. Either use your own laptop USB ports or if you need to charge multiple devices then consider taking a portable USB charger.
RFID skimmers (imagine something similar to the devices used for touch and go payment cards) are now commonplace and can be used to read data from digital room keys and other access cards. Hidden cameras in bathrooms and hotel rooms have also hit the headlines recently and all but the most conscientious hotel staff would find it very difficult to detect these devices.
Avoid placing sensitive items near obvious places within the room (a wallet on the bed stand). And leave your access work cards and fobs at home. Hidden cameras are a little more difficult and putting the personal privacy issue aside, which is whole other area of risk. Consider placing a laptop slightly off angle on the invariably fixed hotel room desk and continue to use the “privacy shield” you might normally use when travelling on the train. Two factor authentication would also help in this instance, with password identification for any services you plan to use in your room.
Theft and physical intrusion in hotel rooms is a huge problem. Key cards are very easy to duplicate and clone with the skimmers mentioned previously. And hotel staff can come and go with frightening regularity. Portable devices, money, documents and laptops can easily be stolen unless secured in the room safe. If you plan to step outside of your hotel room, for any length of time without taking your digital devices, then lock them away in the safe. And if you can’t do this, make sure that they are protected with robust password protection and preferably, encryption.
Make sure that “full disk encryption” is enabled on your laptop and in addition make sure that you have a suitably short sleep/screen lock period set and that you have to unlock the laptop after this period with a password.
Without encryption, it is a straightforward process for someone to remove the hard drive from the laptop and copy it without leaving a trace (that you will notice). If you have a portable storage device, make sure that encryption is enabled on this also. In both cases, the passwords should be complicated and long. Encryption is seldom broken. Access is invariably made through a weak password!
Depending on the job you do and the data that you have access to and the country you’re visiting, it may also be advisable to travel with “clean”devices only. And when I say clean, this means a device not containing any personal or business related data that might be use to a competitor or foreign government. It means a blank phone or laptop!
For no nonsense practical advice or help with any of the points made in this post please contact ESID Consulting
on firstname.lastname@example.org or Telephone 0844 358 2362
Insider Threat Workshop to IoD Advance members.
A really enjoyable session last night with an engaged and knowledgeable audience. Thank you all!
Cyber Security and Cyber Crime are intrinsically linked. The term cyber is fast becoming the buzz word, coined by everybody with something to say about the risks and threats of doing anything online…….
There is much talk in the cyber security world about what is termed the insider threat. To those not in the know however the term can be misleading and coveys different things to different people……..
How real is the threat and how can you redcue the risk?
Cyber security is a hot topic for us all, whether we’re in the business world, the IT world or the employment world. Everywhere you look, data and forecasts demonstrate the scale of the problem and news of major corporations being hit by hackers regularly hits the headlines.
Gary is CEO and Founder of ESID Consulting. An Insider Threat & Information Security consultancy.