Given the number of external parties with which maritime businesses interact, the opportunities for cyber exploitation are immense. You cannot be cyber-resilient without measuring the onboard vessel systems’ levels of protection. Out of sight absolutely should not mean out mind!
Calculating the effectiveness of cybersecurity protocols and systems is one of the most challenging aspects for any IT team. It simply isn’t enough to work on the basis that if no cyber-attacks or breaches have taken place thus far, that means the cybersecurity defenses are robust and effective.
Organizations have been using KPIs and objectives to measure employee and company performance for many years, but this is a relatively new concept in the world of infosec. As systems, networks and data become ever more connected so vulnerabilities increase, it is imperative that KPIs and metrics are developed and implemented in this realm. Basically, if you are not measuring, how can you calculate the effectiveness of the protection?
Measurement for shipping companies, which are particularly vulnerable to cyber-attacks, should be done in a dual-layered approach: the organization as a whole and the vessels/onboard assets. Recent events in Greece have highlighted the vulnerability of hacker–to–ship–to shore–to–fleet with many ships being affected and now subject to potential ransom attacks.
Putting the right KPIs and metrics in place is crucial. The models used should be simple and easy to demonstrate to a non-IT audience. An organization needs to find an objective method of calculating recovery time. At a high level, cybersecurity effectiveness can be broken down into a three-step model:
- Time elapsed between the detection of a threat and appropriate action being taken.
- The number of systems with known vulnerabilities.
- The number and frequency of third party access to internal networks.
Because the threat is always present, it is vital the protection and defense are always on. An effective defense must be scanning all vulnerabilities in real-time, all of the time, to provide a complete solution.
A good example is the maritime industry, which handles over 80% of the world’s supply chain. The industry has access to maritime cybersecurity solutions, specifically designed for this industry, which are self-deploying and monitor threats across both IT and OT real estate. However, we have still seen recent attacks across a fleet’s entire technology and communications stack, exploiting shore-based and third-party vulnerabilities. This is why the new generation of cyber-defense includes a real-time map of all assets connected to the network, with an automated, built-in cybersecurity check-up, validating ongoing compliance with maritime regulations.
Because the technology aboard each ship is different in age and complexity, there is no “one size fits all” approach to cybersecurity measurement, which is why IT managers are encouraged to regularly test and measure their cybersecurity effectiveness. With real-time monitoring capabilities, the detection of a threat results in immediate remediation. With continuous vulnerability scanning (attack simulation), all such vulnerabilities are easily reported, together with the mitigation recommendations and, with unauthorized/third parties access detection, a company can demonstrate the frequency of access to internal networks and its monitoring.
The world is changing rapidly and as we see the challenges and squeeze points facing the global economy it is easy to forget that nowadays all systems are interconnected due to an increase in digitalization and therefore are even more vulnerable to cybercrime. There is a vital, urgent need to establish best practices for defense and protection from breaches and mitigate the extensive risks in the industry.
The recent vulnerability to hit the headlines should come as a warning to companies. The commonly used piece of software called Apache Log4j, a Java-based system used to configure applications, reported a major vulnerability that has the potential to impact the entire internet. Companies have now been left in the dark, not knowing whether their vendors have been affected by this and with little possibility of finding out. This is another example of the importance of measuring your cybersecurity measures’ effectiveness and ensuring that you won’t experience any downtime.
Another example of an attack due to weakened or inadequate cybersecurity measures is the recent one on several Greek fleets via an unwitting vessel communications provider, resulting in dozens of ships being hacked. But it could have been much worse as it is not uncommon for a communications company to be providing services to over 6000 vessels in more than 600 different maritime entities.
A successful cyber-attack via this single, third-party vendor with direct vessel access could put 6% of the global fleet at risk.
Measure – check – update – test – repeat needs to be the security mantra because if you don’t check and you don’t measure, you simply cannot know if your cyber defenses are sufficient.