Mitigating Cyber Risks
NAMEPA: Focusing on Solutions in Today’s Maritime World
Houston, TX
February 28, 2018
© 2018 HudsonAnalytix, Inc.
What is “Cybersecurity”?
Cybersecurity IS:
• The protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.
• Safeguarding and maintaining the Confidentiality, Integrity and Availability of information (the “CIA” Triad)
• A sustained risk management activity
• Cultural change
• Business transformation / Business Process Reengineering (“BPR”)
• The Balance Sheet
• A responsibility that starts at the top
• Includes YOU
© 2017 HudsonAnalytix, Inc.
General Cyber Threat Sources
Various factors can compromise the confidentiality, integrity, or availability of systems or data:
• Natural disasters
• Environmental issues
• Technical or mechanical failure (loss of power)
• Human error
• Malicious actors
(Image caption: Natural Disasters Foster Cyber Scams)
How Should Ports Think About Cyber Resiliency in a Multi-Hazard World?
Port Impact Considerations:
• Safety & Security
• Economic
• Tourism
• Reputational
• Political (National, Regional)
General Cyber Threat Trends
• Threats are increasing:
– Hacking tools are more readily available and simpler to use
– The potential impact of cyber attacks continues to grow
• Hacker motivations are changing:
– No longer egocentric, hobbyist hackers seeking entertainment and internet status
– Shift to professional cyber criminals motivated by money whose success relies on remaining undetected
• Certain common factors enable threat actor success:
– Economy of organized cybercrime
– Inter-connected systems
– Widespread organizational failure to implement cyber hygiene
Key Questions:
The HA-Cyber Team enables clients to confidently answer these questions:
– What is my cyber exposure (internally? externally?)?
– What are my most critical assets and are they at risk?
– Are my cyber defense and response capabilities mature?
– Do I have the financial ability to recover from an event?
– Where should the company focus its resources first?
Where to Start: Define Your Cyber Risk Exposure
The 360° Cyber Risk/Threat Assessment
• Cyber Loss Scenario & Exposure Quantification: Identify most valuable assets and establish what the exposure value is for each. Prioritize.
• Insurance Analysis and Stress Test: Review all insurance policies for gaps and/or exclusions in coverage due to cyber events.
• Cyber Program Evaluation: Perform an enterprise-level cybersecurity capability assessment. Use outputs to update plan (or establish a new one).
• Cyber Threat Analysis: Assume your organization is already hacked and/or being targeted. Gain insights into where you are currently exploited and who is attacking you.
How We Do It: The 360° Cyber Risk/Threat Assessment (CRTA)
(Process diagram, reconstructed as a sequence:)
• Project Kick Off
• Phase I. Cyber Threat Analysis (external to client network)
• Misc. Data Calls
• Phase II. Loss Scenario Analysis & Exposure Quantification Workshop
• Phase III. Insurance Analysis and Stress Test
• Phase IV. Cyber Program Evaluation Workshop
• Report Preparation
• Report Submission
• Final Briefing
• Project Close Out
How a Hacked Email Account Can Affect Your Business
• Offers illicit, trusted access into your organization.
• Represents reputational risk. Customers may receive malware and phishing scams, blaming you and your organization.
• Proprietary and sensitive information can be obtained and sold to competitors, leaked to the public or used in further attacks or theft.
• Complete loss of trust in your organization
And then there was NotPetya… 0830 Hrs. EDT 27 June 2017
• Maersk handles 18% of global container trade with over 600 vessels
• Operator at 76 ports via APM Terminals division
• Maersk estimated to book 3,300 TEUs ($2.7 million) per hour
• Caused global computer outages
– Computers were infected by ransomware that encrypted APM hard drives at 17 terminals, leading to confusion and congestion
– “They went back to basics and did everything on paper.”
– No one knew where their cargoes and containers were until systems were back on line.
• Tens of thousands of shippers affected.
Common Challenges
• No single point of focus for security/cybersecurity/enterprise security. Who owns this?
• Lack of ability to put value or ROI on cybersecurity vs. value of doing the minimum required or nothing
• No incident response and recovery capability, or disjointed incident response and recovery
• Lack of a converged approach to enterprise risk
• Limitations in the ability to deploy software and patches across the enterprise in a timely manner
• Lack of policies and/or enforcement of existing policies
The Greatest (Common) Challenges: Internal Culture
Working through a change resistant culture
• “Vessel” security is different than “office” security
• False positives: “Nothing’s happened so we’re okay”
Establishing and maintaining a sense of urgency
• “Why would anyone want to attack us?”
• Compliance isn’t required until January 2021
Coordinating across the enterprise
• Perceived silos of ‘asset’ ownership (it’s the “IT department’s” problem)
• Competing projects/demands/budgets
Allocating resources
• Unwillingness to allocate budget and other resources
• No history of outsourcing key responsibilities/tasks
Its Purpose…
Cybersecurity capability maturity analysis provides:
• A structure for assessing all functional areas;
• A consistent methodology for evaluating and benchmarking capabilities in order to support continuous improvement;
• A tool for identifying capability strengths and weaknesses;
• A decision-making process for determining where to invest and allocate resources;
• A means for understanding why some capabilities may be more suitable for investing in than others; and,
• A platform for sharing knowledge across the organization.
Have a Plan
Just like a hurricane… plan.
Use outputs from your baseline assessment to inform cyber risk management planning, investment earmarks and resource allocations
Achieving and Sustaining Cyber Resilience
(Diagram labels: Corporate Culture, Capability Maturity, Enterprise Risk Management, Reputation)
• Culture
– Begins at the top
– Build a cyber aware culture both at sea and ashore
– Cybersecurity seen as change agent
– Cybersecurity enables business value
• Capability Maturity
– People
– Processes (includes Threat Intelligence, Information Sharing)
– Tools
– Funding
• Risk Management
– Enterprise focus: ashore and afloat
– Utilize consistent methodology
– Communicate risk to all stakeholders
– Leverage current compliance efforts (ISM, ISPS)
– Develop response and recovery playbooks
Thank You & Questions?
Cynthia A. Hudson, CEO & Founder
Ferry Terminal Building, Suite 300, 2 Aquarium Drive, Camden, NJ 08103
Office: +1.856.342.7500
Email: [email protected]
www.ha-cyber.com
www.hudsonanalytix.com
What is HACyberLogix?
• What is HACyberLogix? An easy-to-use, cloud-based tool designed for shipping companies to support assessing and managing cyber risk.
• Who is HACyberLogix for? Shipowners and operators with Balance Sheet responsibilities.
• What does HACyberLogix do? Assesses enterprise cybersecurity capabilities and delivers tailored decision-support guidance.
• Why use HACyberLogix? Supports continuous improvement in cybersecurity capabilities and informs investments and resource allocation.
OBJECTIVES
• Strengthen cybersecurity capabilities
• Institute consistent evaluation and benchmarking of cybersecurity capabilities
• Acquire knowledge/identify best practices
• Enable prioritized resource allocation
• Inform cybersecurity investments
• Drive continuous improvement
Incorporates All Relevant Standards & Guidelines
– Based on best-in-class cybersecurity standards:
• The US National Institute of Standards & Technology (NIST) Cybersecurity Framework;
• The Center for Internet Security’s Critical Controls; and,
• The ISO/IEC 27001 Framework
– Aligned with:
• IMO’s Interim Guidelines on Maritime Cyber Risk Management
• BIMCO’s Guidelines on Cyber Security Onboard Ships, and
• The US Coast Guard’s Cybersecurity Strategy
– Harmonized with:
• ISPS Code
• ISM Code
• OCIMF’s TMSA 3 (Element 13)
Features
• Available on demand (24 x 7 x 365)
• Secure - Utilizes two-factor authentication
• Customized scoring algorithm supports trending and benchmarking
• Fosters Collaboration among all relevant stakeholders
• Reports are available on demand
• Recommendations are custom-tailored and prioritized
• No limit on the number of assessments