Cyber Security Part II – Air gaps, door-knockers and soft underbellies: the threat to the maritime supply chain
What does it mean to be cyber-secure? In our first look at digital risk in shipping (http://www.greatcircle.co/article/cyber-security-your-it-network-secure) we considered the external threat landscape; the nightmare situation where a hacker targets your business or your assets.
External threats continue to grab the headlines, but what about the more insidious risk of insider or even accidental breaches? This doesn’t necessarily mean a disgruntled former employee who decides to take revenge, but the threat that comes from failing to understand the distributed risk inside an organisation and across the supply chain.
Take the thought process further and the threat might not be ‘digital’ at all, but in fact all too physical.
Professor of Cybersecurity and Director of the Cyber Security Centre at the University of Oxford Sadie Creese believes shipping has so far failed to understand the threat in terms of how shipping works day to day: as part of a long and complex supply chain. Speaking at the recent SAMI seminar on cyber-security, Prof Creese advised the industry to focus less on data and more on assets.
“To understand the threat to your assets you have to worry about physical location, port control systems, ships and cargoes. We tend towards a very data-centric view but the value is in interpretation of the information flowing across networks,” she said. “It’s not just about protecting stuff from unauthorised people. It’s about knowing what they can do with it.”
The problem for shipping companies and their clients is that the level of risk is so variable depending on location and position in the shipping cycle. The tendency of the security industry to assign threats to different ‘buckets’ is something that doesn’t apply well across a horizontal model.
“It’s important to understand that threats are not just external in the sense that most people understand that. We are very focussed on building hard edges and perimeters but that leaves a soft underbelly,” she says. “Air gaps don’t have to be crossed by hackers. It might be the cleaners, the stevedores or the transport company. You have to think about the entirety of a system in its broadest sense.”
So rather than coming from malicious third parties these ‘internal threats’ – or at least the door into them – can be inadvertently opened by staff, partners or suppliers for others to walk through.
This, she accepts, is ‘scary when you think about it’, but getting some way towards understanding the risks to the asset base is a start. That may change according to whether a ship is loaded or empty, is navigating in certain locations or has a new crew onboard.
Ships are moving targets and loading or unloading cargo will change the risk profile, she says. “I’m afraid that any sort of static risk assessment is irrelevant as soon as you put new cargo on. The environment determines the degree to which you come under attack because of the close coupling between systems on ships, ports and cargo owners.”
Put that in a ‘safety’ rather than security context and the concerns escalate dramatically. Whether the primary business is shipowning, chartering or insurance, the concerns begin to converge into common problems.
The impacts are clearly numerous but Prof Creese has some words of comfort along with the warnings. In the last 10 years, she says, so many people have been hacked or at least been ‘door-knocked’ that it has become OK to admit to it.
Large organisations in particular have attracted blackmail and ransom demands and are rightly seen as victims. But that sympathy evaporates when the attack comes from inside or is the result of internal failings.
“That smacks of lack of poor management and goes to fiduciary responsibility and lack of awareness. Take the example of [US retailer] Target where a malware alert got lost in a sea of alerts and customer credit cards were cloned. They didn’t react fast enough and now they are fighting in court over who was to blame; the IT security provider, the ICT provider or the company itself.”
This scenario is perhaps the scariest of all, she says, because very often a breach of security is not first discovered by the victim, but instead by their customers or business partners. That can be a concerned enquiry as to why your servers are suddenly spamming an existing client or an enraged customer who wants to know how his competition became aware he is about to launch a new product.
The ‘smarter’ the supply chain the greater the potential risk, with RFID (Radio Frequency Identification) tracking tags on so much containerised cargo and SCADA (Supervisory Control and Data Acquisition) routines and other machine-to-machine communications increasing as shippers look to increase visibility of cargoes during transport.
The bad news, Prof Creese says, is that a company’s starting point should be to assume that its systems are already compromised. “There is no such thing as a totally uncompromised system. You must tolerate it and be resilient. The real question is how much can you tolerate.”
And all the while, your customers have a world of choice and their own competitive edge to maintain. Be unable to demonstrate an appreciation of the risks and an active approach to protection and you may find them harder and harder to retain.
“The problem of supply chains is broad but it is acute in your industry,” Prof Creese warned delegates. “From ship to ship, ship to port and carrier to warehouse, who you are interacting with, what are their smartphones doing and who do you trust? Who can really zap your RFID code and is it just the people you imagine?”
The supply chain presents an asymmetric risk too, because even when one company’s systems and processes are first class, they can never entirely rely on those of others. “Third party systems may not be managed with the same kind of risk culture that you have and because the pain they feel is much less than yours, they are very unlikely to be taking care of your interests to the degree that you would,” is her blunt assessment.
Clearly internal processes can be improved and ‘IT hygiene’ increased to some degree, but Prof Creese warned that confronting cyber risk in the supply chain is a painful, if cathartic, process.
Surveys of security professionals regularly report that top management do not understand insider threat or that the company doesn’t have a culture where concerns can be raised or managed. That may seem obvious when it is common for new hires to learn from old hands and internal corporate cultures are commonplace. But she says tearing down those ways of working can result in ‘vicious’ culture change.
“A group-think culture will limit your ability to act. You are asking your people to spot the suspicious bag left on the platform by their own colleagues. That’s extremely challenging culturally in many parts of the world and especially when there is no culture to encourage the kind of openness you are going to need to tackle this.”
Follow Professor Sadie Creese on Twitter @sadieoxford