The State of Cybersecurity Readiness in the U.S. Maritime ...• USCG opened its Coast Guard Cyber...

The State of Cybersecurity Readiness in the U.S. Maritime Industry

Andrew R. LeeFord Wogan

December 4, 2019

June 27, 2017 Ransomware message received by Maersk employees

joneswalker.com | 2

Maritime industry: vulnerable

joneswalker.com | 4

The Marine Industry is Vulnerable

• Insider threats• External threats – jamming,

spoofing, extortion• Mismatched, out-of-date

software• Inadequate budget allocation• Limited training• General lack of readiness

Impacts

• Cargo stolen or lost

• Port disruptions

• Physical Damage

• Loss of life

• Ecological Harm

• Terror incident

• Lost revenue

• Lost stakeholder confidence

Jones Walker Maritime Cybersecurity Survey

joneswalker.com | 5

126 respondents

Including:

75 Vessel Owners/Operators 28 Port Operators / Service Providers 23 Cargo Shippers

from Small (36), mid-size (58), and large (23) companies

Respondents believe the industry is prepared … … but their own companies are not.

Big companies -- ready.Mid- and small companies -- not so much.

• 100 percent of large companies claim: -- prepared to deal with a data breach.

• Respondents from small (94%) and mid-size companies (81%) reported that their organizations were unprepared to prevent a data breach.

Readiness by sub-sector

70% unprepared 78% unprepared 43% unprepared

Readiness measured by potential bad outcomes

* Negative public opinion * Lost customers * Lost business partners / goodwill

* Lost confidential info * Lost intellectual property * Mandatory notification

What is the cost of an attack? (IHS Markit / Fairplay Survey International Survey)

joneswalker.com | 10

0 10 20 30 40 50 60 70

< $5,000

$5,000 - $50,000

$50,000 - $100,000

$100,000 - $500,000

$500,000 - $1 million

$1 million - $10 million

Cost of an Attack

17% - $100,000 and up

6% - $500,000 and up

3% - over $1 million

Are companies spending enough to address?NO

Where is the industry going?

Autonomous Shipping

From Future Directions International Research Institute…

“The maritime industry appears still to be ill-equipped to deal with such future challenges as the cybersecurity of fully autonomous vessels.”

Where is industry going?

Widespread Automation

Recent Port Breaches

• Barcelona

• San Diego

• Long Breach

June 27, 2017 Ransomware message received by Maersk employees

Maersk NotPetya Incident

June 2017

• Global shutdowns• Obstructed system • Destroyed 50,000 PC’s• $250-$300 mm cost• $10 bn impact (est.)• Affected container shipping,

tug boat and oil tanker operations

Chairman: company had “only average” cyber-readiness

Indications of preparedness

But is the industry even aware?

What you don’t know can hurt you

97% - “no breach” or “unsure”

Industry unsure if data has been compromised

Where is the government?

• Trying to raise the alarm

• USCG opened its Coast Guard Cyber Command (CGCYBER) in May 2017

• 39-person cyber event response team• Integrated with DHS support

• USCG and DHS issued proposed cybersecurity draft guidelines for Maritime Transportation Security Act in July 2017

“The key is to treat a cyberattack as if it were a physical threat.”

-- USCG Cyber Commander Rear Adm. Kevin Lunday

USCG Warnings

Where is industry as a whole?

• In June 2017, Maritime Safety Committee adopted Resolution MSC.428(98)

• Encourages governments “to ensure that cyber risks are appropriately addressed in safety management systems no later than” January 2021

• In July 2017, IMO issued MSC-Fal.1/Circ. 3 • Provide “high-level recommendations

on maritime cyber risk management”

BIMCO Guidelines on Cyber Security Onboard Ships

• World’s largest international shipping association

• Issued third edition of cyber risk management guidelines in December 2018

• Third edition in as many years

• Spring 2019 – BIMCO cybersecurity clause will require parties to contract to have “plans and procedures in place to protect its computer systems and data, and to be able to respond quickly and efficiently to a cyber incident”

BIMCO Guidelines on Cyber Security Onboard Ships

• Good starting point, but not enough

• Clause requires parties to:• Implement appropriate cybersecurity measures and

systems

• Maintain appropriate procedures and policies “to allow [an efficient and effective response] to a cybersecurity incident

• Regularly review arrangements to verify procedures and policies being followed

• Use reasonable efforts to ensure third-party compliance with contract

• Promptly notify other party of breach

Clause permits parties to limit total liability to the other

Default amount if none specified: $100,000

Takeaways from survey

Cyber-secure companies do these things:

• Appoint empowered information security officers, with well-defined roles and responsibilities

• Train their workforce in cybersecurity procedures

• Participate in threat assessments and share information

• Obtain or re-evaluate cyber risk insurance

• Include cybersecurity as part of their OT and strategic plans

• Devote budget to cyber-readiness like their company’s reputation depends on it

• Develop and maintain disaster recovery, business continuity, and other contingency plans

• Document and implement cybersecurity policies and procedures

Thank you!

Andrew R. Lee Ford Woganwww.joneswalker.com

The State of Cybersecurity Readiness in the U.S. Maritime ...• USCG opened its Coast Guard Cyber...

Documents

Cybersecurity and cyber defence: national level strategic

EMERGING COVERAGE ISSUES IN CYBER, CYBERSECURITY AND …

Cybersecurity: Comparison of Selected Cyber Incident

Cybersecurity Management Programs - Cyber Thoughts

Crowdsourcing Cybersecurity: Cyber Attack Detection using ...people.cs.vt.edu/naren/papers/case1872-khandpurA.pdf · Crowdsourcing Cybersecurity: Cyber Attack Detection using Social

Cybersecurity Maturity Model€¦ · Cybersecurity Maturity Model . Cyber Crisis Communication Playbook 1 Abstract: ... The June 2, 2016 circular on Cyber Security Framework in Banks

CYBER RESILIENCE REVIEW (CRR) · Cyber Resilience Review (CRR): NIST Cybersecurity Framework Crosswalks Cyber Resilience Review (CRR) to NIST Cybersecurity Framework (CSF) Crosswalk

Understanding Cyber of USCG NVIC 01-20

Cyber security the cybersecurity kill chan - myth or threat

COSO-Focused Cyber Risk Assessment for Internal Auditors · obligations relating to cybersecurity risks and incidents….. “Registrants should address cybersecurity risks and cyber

Maritime Bulk Liquids Transfer Cybersecurity …portalcip.org/wp-content/uploads/2017/05/Maritime_BLT...The USCG consulted NIST regarding its work on the Cybersecurity Framework, and

European Cybersecurity PPP European Cyber Security Organisation - ECSO · European Cybersecurity PPP European Cyber Security Organisation - ECSO Luigi Rebuffi ... SMEs, critical

Cyber Ranges: The (R)evolution in Cybersecurity Training

The Cybersecurity Report: Emerging Global Threats from Cyber Attacks

SAFETY, RISK AND COMPLIANCE CYBERSECURITY TRAINING …€¦ · SAFETY, RISK AND COMPLIANCE CYBERSECURITY TRAINING SOLUTIONS Addressing the Human Element in Your Cyber Program Cyber

Cybersecurity in cyber-physical systems

National Cybersecurity Preparation to deal with Cyber Attacks

CYBERSECURITY OF THE FUTURE BSIDES... · CYBERSECURITY OF THE FUTURE November 27th 2018. DUBAI CYBERSECURITY FUTURE TECHNOLOGIES. DUBAI CYBERSECURITY STRATEGY. CYBER SMART SOCIETY

IoT Cybersecurity in a Connected World - British Columbia...IoT Cybersecurity in a Connected World June 2017 2 Cybersecurity. “cyber” … from the FBI’s standpoint. “Cyber

IT & NICE Cybersecurity Enterprise Training Curriculum · • Cybersecurity Management (NIST Cybersecurity Framework, NIST 800-171 etc.) • Cyber Resilience Management (RESILIA)