Understanding & Mitigating Cyber Threats in the Maritime Domain - NATO NMIOTC June 2015

Upload: lebenikos

Post on 24-Feb-2018


  • 7/25/2019 Understanding & Mitigating Cyber Threats in the Maritime Domain - NATO NMIOTC June 2015


    Robert Hayes

    Senior Director

    Microsoft Global Cyber Security & Data Protection Group


    Presentation Objectives

    Introductions

    Cyber security context

    Cyber security in the maritime sector

    Developing cybersecurity maturity

    What does success look like?

    Characteristics of Successful Organisations

    Quick wins


    Introductions


    Context

    Organisations cannot ignore the potential benefits of emerging technologies

    Efficiency savings & effectiveness gains

    Dynamic data driven decision making

    Context specific data to myriad of devices

    Optimise business processes

    Understand & predict behaviour

    Innovate or go out of business


    Context

    However, using these technologies changes your security environment

    A new security model is needed

    Concept of perimeter changes

    Detection & Response becomes as important as Defence

    Security exists within and enables an agreed organizational risk model


    Context

    Cyber-attacks are growing in scale, scope, and sophistication

    Hardware & software are targeted, often in the supply chain

    Attackers range from disaffected employees, single-issue activists, hobby-hackers, criminals, terrorists, and nation states

    It is safe to assume that you are a target


    Context

    Getting it wrong is expensive & can kill your business

    5% of business-related privacy and security breaches result in more than $20 million in direct costs and damages

    Those costs include legal expenses and legal settlements, business interruption costs, investigating and remediating problems, as well as possibly paying for crisis communications and other specialized services

    Aon Corp


    Context

    Just having insurance isn't enough

    The average cost for a breach is $7 million. Yet, the average portion of that cost borne by cyber-risk insurance is just $3 million

    If you consider all revenue classes, only 8 percent (of U.S. businesses) buy cyber coverage

    Aon Corp


    Context

    This isn't just a data protection & privacy issue

    What harm could an attacker do if they chose to disrupt your infrastructure?

    Manipulate your connected equipment?

    Disrupt GPS & navigation systems

    Remotely change the mixing formula in your supplier's factory?


    Cyber Security in the Maritime Sector

    The maritime sector is particularly vulnerable to a successful cyber attack

    Reliance on complex embedded systems

    Complex hardware & software supply chain with dependence on remote management

    Challenges of achieving skilled 1st, 2nd & 3rd line support

    Lack of proximate third party or emergency support


    Impact Assessment

    Regulators, Markets & Media will judge your organization based on:

    How long it took to detect a breach

    How long the attacker had been in the system & level of access obtained

    The quality of control, monitoring & cyber hygiene measures in place & supported by policy

    The effectiveness of the response plan

    The time taken to resume key services

    The effectiveness & speed of the post breach communication


    Impact Assessment

    An increasing number of governments, insurance companies & enterprises are establishing minimum standards of cyber security if your organization is to be part of their supply chain or to seek insurance

    Only 1 in 3 supply chain vendor contracts contain security provisions

    Only 1 in 3 supply chain vendors have any security certification or accreditation


    Developing Cybersecurity Maturity

    The key here is to strike the right balance enabling your organization to exploit the potential of emerging technologies effectively & securely?

    Most organizations lack the skills at board level to do this effectively & in-house IT alone is not enough

    Who is advising you?


    Developing Cybersecurity Maturity

    Organizations which regularly review cyber threat & response planning at Board level are subject to fewer successful attacks, and respond more effectively when attacked

    This is not a technology issue, it is a business change issue driven by strategic risk & organizational imperatives

    It has to be enshrined in policy & process to succeed


    Cyber Economics

    Attacker's ROI = (G x T) (CV + CW)

    Goal: increase attacker costs


    Characteristics of Successful Organisations

    Assume Breach is the operating principle & systems are tested against this

    Situational awareness & assessment inform strategy & operational decision making

    Supply chain & dependencies are understood & mapped

    Coherent & rehearsed dynamic response plan

    Enshrined in policy, training, and process

    Owned & reviewed at Board level


    Quick Wins

    Reduce the number of privileged admin accounts to the absolute minimum, reduce the scope of the ones left, and use multi-factor authentication

    Patch & Update promptly

    Cyberkeel Maritime Sector survey April 2015

    37% failure rate

    Control physical access to your network & devices and establish gateway identity & health checks for network connections


    Quick Wins

    Application whitelist

    Baseline normal activity on your network & look for outlier behaviour

    Have an alternative communication system ready for when you are attacked

    Understand who will help you on tactical & strategic recovery & have the relationship in place. Have 24/7 contact numbers for key personnel & vendors


    Quick Wins

    Most attacks require some user interaction. Writing clear policy, training & educating staff, combined with visible sanctions for breaching policy works!


    Conclusion

    The maritime sector is particularly vulnerable to cyber attack, and the consequences of a successful attack could be more severe than other domains

    Organisations in the maritime sector should be treating this as a high priority

    The processes of Protect, Detect, Respond are mature in other sectors & will work equally effectively in the maritime sector.


    Robert Hayes

    Microsoft Global Cyber Security Group


    The difficulty lies not in the new ideas, but in escaping from the old ones

    John Maynard Keynes, 1883 - 1946