Page 1:

Mitigating Cyber Risks
NAMEPA--Focusing on Solutions in Today’s Maritime World

Houston, TX

February 28, 2018

© 2018 HudsonAnalytix, Inc.

Page 2:

What is “Cybersecurity”?

Cybersecurity IS:

• The protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.

• Safeguarding and maintaining of information Confidentiality, Integrity and Availability (the “CIA” Triad)

• A sustained risk management activity

• Cultural change

• Business transformation / Business Process Reengineering (“BPR”)

• The Balance Sheet

• A responsibility that starts at the top

• Includes YOU

Page 3:

General Cyber Threat Sources

Various factors can compromise the confidentiality, integrity, or availability of systems or data:

• Natural disasters

• Environmental issues

• Technical or mechanical failure (loss of power)

• Human error

• Malicious actors

Page 4:

Natural Disasters Foster Cyber Scams

Page 5:

How Should Ports Think About Cyber Resiliency in a Multi-Hazard World?

Port Impact Considerations:

• Safety & Security

• Economic

• Tourism

• Reputational

• Political (National, Regional)

Page 6:

General Cyber Threat Trends

• Threats are increasing:

– Hacking tools are more readily available and simpler to use

– The potential impact of cyber attacks continues to grow

• Hacker motivations are changing:

– No longer egocentric, hobbyist hackers seeking entertainment and internet status

– Shift to professional cyber criminals motivated by money whose success relies on remaining undetected

• Certain common factors enable threat actor success:

– Economy of organized cybercrime

– Inter-connected systems

– Widespread organizational failure to implement cyber hygiene

Page 7:

Key Questions:

The HA-Cyber Team enables clients to confidently answer these questions:

– What is my cyber exposure (internally? externally?)?

– What are my most critical assets and are they at risk?

– Are my cyber defense and response capabilities mature?

– Do I have the financial ability to recover from an event?

– Where should the company focus its resources first?

Page 8:

Where to Start: Define Your Cyber Risk Exposure

The 360° Cyber Risk/Threat Assessment

Cyber Threat Analysis: Assume your organization is already hacked and/or being targeted. Gain insights into where you are currently exploited and who is attacking you.

Cyber Loss Scenario & Exposure Quantification: Identify most valuable assets and establish what the exposure value is for each. Prioritize.

Insurance Analysis and Stress Test: Review all insurance policies for gaps and/or exclusions in coverage due to cyber events.

Cyber Program Evaluation: Perform an enterprise-level cybersecurity capability assessment. Use outputs to update the plan (or establish a new one).

Page 9:

How We Do It: The 360° Cyber Risk/Threat Assessment (CRTA)

Project Kick Off

Phase I. Cyber Threat Analysis (external to client network)

Phase II. Loss Scenario Analysis & Exposure Quantification Workshop

Phase III. Insurance Analysis and Stress Test

Phase IV. Cyber Program Evaluation Workshop

Misc. Data Calls

Report Preparation

Report Submission

Final Briefing

Project Close Out

Page 10:

How a Hacked Email Account Can Affect Your Business

• Offers illicit, trusted access into your organization.

• Represents reputational risk. Customers may receive malware and phishing scams, blaming you and your organization.

• Proprietary and sensitive information can be obtained and sold to competitors, leaked to the public or used in further attacks/theft.

• Complete loss of trust in your organization

Page 11:

And then there was NotPetya… 0830 Hrs. EDT 27 June 2017

• Maersk handles 18% of global container trade with over 600 vessels

• Operator at 76 ports via APM Terminals division

• Maersk estimated to book 3,300 TEUs ($2.7 million) per hour

• Caused global computer outages

– Computers were infected by ransomware that encrypted APM hard drives at 17 terminals leading to confusion and congestion

– “They went back to basics and did everything on paper.”

– No one knew where their cargoes and containers were until systems were back on line.

• Tens of thousands of shippers affected.

Page 12:

Common Challenges

• No single point of focus for security/cybersecurity/enterprise security. Who owns this?

• Lack of ability to put value or ROI on cybersecurity vs. value of doing the minimum required or nothing

• No incident response and recovery capability, or disjointed incident response and recovery

• Lack of a converged approach to enterprise risk

• Limitations in the ability to deploy software and patches across the enterprise in a timely manner

• Lack of policies and/or enforcement of existing policies

Page 13:

The Greatest (Common) Challenges: Internal Culture

Working through a change resistant culture

• “Vessel” security is different than “office” security

• False positives: “Nothing’s happened so we’re okay”

Establishing and maintaining a sense of urgency

• “Why would anyone want to attack us?”

• Compliance isn’t required until January 2021

Coordinating across the enterprise

• Perceived silos of ‘asset’ ownership (it’s the “IT department’s” problem)

• Competing projects/demands/budgets

Allocating resources

• Unwillingness to allocate budget and other resources

• No history of outsourcing key responsibilities/tasks

Page 14:

Its Purpose…

Cybersecurity capability maturity analysis provides:

• A structure for assessing all functional areas;

• A consistent methodology for evaluating and benchmarking capabilities in order to support continuous improvement;

• A tool for identifying capability strengths and weaknesses;

• A decision-making process for determining where to invest and allocate resources;

• A means for understanding why some capabilities may be more suitable for investing in than others; and,

• A platform for sharing knowledge across the organization.

Page 15:

Have a Plan

Just like a Hurricane… Plan

Use outputs from your baseline assessment to inform cyber risk management planning, investment earmarks and resource allocations

Page 16:

Achieving and Sustaining Cyber Resilience

(Diagram: Corporate Culture, Capability Maturity, Enterprise Risk Management, Reputation)

• Culture

– Begins at the top

– Build a cyber aware culture both at sea and ashore

– Cybersecurity seen as change agent

– Cybersecurity enables business value

• Capability Maturity

– People

– Processes (includes Threat Intelligence, Information Sharing)

– Tools

– Funding

• Risk Management

– Enterprise focus – ashore and afloat

– Utilize consistent methodology

– Communicate risk to all stakeholders

– Leverage current compliance efforts (ISM, ISPS)

– Develop response and recovery playbooks

Page 19:

Thank You & Questions?

Cynthia A. Hudson, CEO & Founder

Ferry Terminal Building, Suite 300, 2 Aquarium Drive, Camden, NJ 08103

Office: +1.856.342.7500
Email: [email protected]

www.ha-cyber.com
www.hudsonanalytix.com

Page 20:

What is HACyberLogix?

What is HACyberLogix? An easy-to-use, cloud-based tool designed for shipping companies to support assessing and managing cyber risk.

Who is HACyberLogix for? Shipowners and operators with Balance Sheet responsibilities.

What does HACyberLogix do? Assesses enterprise cybersecurity capabilities and delivers tailored decision-support guidance.

Why use HACyberLogix? Supports continuous improvement in cybersecurity capabilities and informs investments and resource allocation.

Page 21:

OBJECTIVES

• Strengthen cybersecurity capabilities

• Institute consistent evaluation and benchmarking of cybersecurity capabilities

• Acquire knowledge/identify best practices

• Enable prioritized resource allocation

• Inform cybersecurity investments

• Drive continuous improvement

Page 22:

Incorporates All Relevant Standards & Guidelines

– Based on Best in Class Cybersecurity Standards:

• The US National Institute of Standards & Technology (NIST) Cybersecurity Framework;

• The Center for Internet Security’s Critical Controls; and,

• The ISO / IEC 27001 Framework

– Aligned with:

• IMO’s Interim Guidelines on Maritime Cyber Risk Management

• BIMCO’s Guidelines on Cyber Security Onboard Ships, and

• The US Coast Guard’s Cybersecurity Strategy

– Harmonized with:

• ISPS Code

• ISM Code

• OCIMF’s TMSA 3 (Element 13)

Page 23:

Features

• Available on demand (24 x 7 x 365)

• Secure - Utilizes two-factor authentication

• Customized scoring algorithm supports trending and benchmarking

• Fosters Collaboration among all relevant stakeholders

• Reports are available on demand

• Recommendations are custom-tailored and prioritized

• No limit on the number of assessments
