DCN AUGUST Edition 2019

More documents

Recommendations

Info

MARITIME CYBERSECURITY Published data over recent years suggests that these direct and indirect costs of a significant hacking event can be in the millions of dollars. Organisations also need to appreciate that where there has been, or there is suspected to have been, unauthorised access to their system, then the NDB scheme and foreign equivalents may apply even where personal information does not appear to be the primary target of the event. NDB SCHEME In May this year, the Office of the Australian Information Commissioner released a report reviewing the first 12 months in the life of the NDB scheme which provided some compelling insights into the rising risk of cyber security threats, and some important lessons for organisations. The OAIC has reported there were 964 eligible data breaches in that period, the vast majority of which were relatively small events, where affected individuals numbered less than 1000 (83%). Of the eligible data breaches, 60% were of a malicious nature and 35% were attributed to human error (the remaining 5% being attributed to system faults). The vast majority of the malicious events involved compromised or stolen credentials, enabling third parties to access email accounts or systems. VALUABLE LESSONS There are some valuable lessons that can be drawn from those statistics. Firstly, over a third of all incidents are the result of human error, and human error can be reduced by appropriate training and employee guidelines. Ensuring employees follow IT security procedures, and providing comprehensive training will go a long way to reducing that risk. Similarly, the prevalence of incidents arising from stolen credentials is a lesson in the importance of adopting simple but effective IT security procedures for staff – regularly changing passwords and dual-factor authentication would have prevented many of the reported incidents, we suspect. More targeted and sophisticated attacks will remain a risk, and appropriate level of cyber resilience (including a properly prepared data breach response plan and cyber insurance should be in place to manage and respond to such risks), but the starting point should be employee engagement and training. The best cyber resilience practices start with all employees understanding that their inadvertent actions, like clicking on a bogus link or responding to a fake email, are the greatest risk to your business. Matt Ellis, insurance partner and co-head of Norton Rose Fulbright’s cyber insurance and incident response practice in Australia Global shipping makes the connection on cybersecurity Whether in pursuit of personal data or money, cybercrime is now a big and highly automated business, ready to strike at the most vulnerable part of an organisation’s defences 24/7, writes Inmarsat’s Peter Broadhurst Speaking on a panel at the World Economic Forum earlier this year, A.P. Møller-Maersk chairman Jim Hagemann Snabe revealed that responding to the NotPetya ransomware attack of June 2017 had required the reinstallation of 4000 new servers, 45,000 new PCs, and 2500 applications, all within ten days. During this period, the company reverted to manual systems. In hitting a company equipped with experienced cybersecurity specialists, NotPetya showed the cyber threat is as real for shipping as it is for any other connected business, especially where legacy systems proliferate. THE STATE OF IOT-BASED SOLUTIONS If the warning should be sinking in, an Inmarsat research program report, The Industrial IoT on land and at sea suggests maritime minds are slow to change. The unique study drew on testimony from 750 survey respondents across a range of industries to establish preparedness and perceptions regarding the adoption of IoT-based solutions. The survey found 87% of maritime respondents saying they believed their cybersecurity arrangements could be improved. It also saw more of them identifying data storage methods (55%), poor network security (50%) and potential mishandling/misuse of data (44%) as likely to lead to breaches in cybersecurity than outright cyberattack (39%). Given the self-diagnosis, it is perhaps surprising to find just 25% of maritime respondents said they were working on new IoTbased security policies. In fact, Inmarsat’s research exposed ambivalence as one of shipping’s leading feelings towards IoT-based solutions. With some owners engaging at the level of blockchain, others take their lead from their need to comply with regulation: this is an industry which simultaneously sustains just over 30% of shipping respondents as ‘IoT leaders’ and just under 30% as ‘IoT laggards’, the report says. For every owner signed up to the benefits of condition-based monitoring and predictive maintenance based on real-time connectivity, there appears to be another for whom maintenance is something that takes place at regular and predictable intervals, or whenever is most convenient. Inconsistent views on cybersecurity also appear free to coexist with immature ones. Around 70% of respondents identify reducing marine insurance premiums as a main driver for Norton Rose Fulbright 48 August <strong>2019</strong> thedcn.com.au
IoT uptake, where insurers have shown themselves as especially sensitive to cyber threats. At the same time, other studies have found attitudes such as “I’m not the target; we have security in place, don’t we?” or “I will be protected by anti-virus”. NOT JUST ABOUT SOFTWARE For those prepared to engage in the IoT, ships today sustain crews in small numbers, representing both an opportunity and challenge for automation, and indeed for cybersecurity. On the one hand, low crew numbers align strongly with operational technology that is remotely updated, self-managing and supported by automated security and from third parties and OEMs, such as voyage planning, weather routing, navigation, fuel management, etc. On the other hand, the opportunities to ‘patch’ embedded operational technologies safely are not frequent, and patches usually require certification by control system manufacturers. The broader point, though, is that cybersecurity is not just about software patching and systems configuration. Ship operators do not buy computer processors, disk storage and software and then build them into a system: they procure turnkey systems. Again, shipboard engineers may well be IT-literate, but no space has been made on the crew roster for cybersecurity specialists. In these circumstances, the integrity of the systems on ships is best maintained by software which can identify, contain and resolve threats wherever they appear in the network. Such Unified Threat Management detects all deviations from the ‘known good’ configuration as anomalies and potential threats to security and can update securely, even during operation. Some specialist functions such as a deep analysis of alerts or security forensics will need to be delivered remotely. COLLABORATIVE APPROACH Inmarsat believes a collaborative approach - that includes shipboard systems, but also the crew operating them and the processes involved - is vital to develop the mature response demanded by multiple threats from cyber villains. For this reason, we have been working with some of the best security-focused experts available to tailor products and services to meet shipping’s requirement. Inmarsat’s work with Singtel cybersecurity subsidiary, Trustwave, for example, has brought Fleet Secure into the industry as the first independent service designed to detect vulnerabilities, provide alerts, respond to threats and protect ships from cyber-attack. In fact, Fleet Secure is an urchin traffic module, or UTM, available without additional outlay on hardware, which also has no impact on contracted bandwidth. It can identify external attacks through high-speed broadband connectivity, including malware introduced Inmarsat Network Operations Centre accidentally to the ship’s local area network. It then isolates that part of the operating system infected to prevent wider disruption. As noted, however, software is only part of the answer: cybersecurity and vigilance for ‘the human element’ and a well thought-out recovery strategy to mitigate against multiple, automated assaults are also critical. Failures in processes and mistakes by people can present the security loophole that, if unchecked by the UTM, compromise the entire network. Weaknesses at the first line of defence (to phishing, plugging infected USB in, downloading from untrusted source etc.) are common but, in the case of satellite-connected ships, it is also common to see updates turned off and no AV software in operation. Today, cybersecurity training is not compulsory for the world’s 1.6m seafarers, while expertise in antivirus software is inevitably more likely to be based ashore. FIRST LINE OF DEFENCE As far as awareness is concerned, it is fair to say there is likely to be more temptation to risk plugging in a memory stick that might be infected once a vessel is under way. Creating awareness for seafarers and staff is a continuous task because good cybersecurity practice is shipping’s first line of defence against ‘attack’. Inmarsat recently participated in discussions with academics at the World Maritime University in Malmö over what future classroom-based and e-learning cybersecurity course content might include for Maritime Safety and Security Diploma students. Inmarsat is not and does not aspire to be a training company, but it is an interested party. As such, we are fully aware that training is not just a tick box exercise and must be backed up with monitoring and reinforcement. We also know that using tools to identify breaches of policies such as USB usage help reinforce the message: constant reminders and real-life examples are often the quickest ways to stop bad practice. Inmarsat Peter Broadhurst, senior vice president of safety and security, Inmarsat Maritime TRAINING AND AWARENESS There is no doubt digitalisation and new smart technologies are transforming ship operation at an exponential pace but Inmarsat’s view is that, to accelerate this transformation, all stakeholders interested in optimising the efficiency of ships and crew welfare must exert themselves if the industry is to be carried over the line. This means we must not only be training our seafarers more effectively, better managing our processes and protecting our systems, but nurturing awareness of best cybersecurity practice even on vessels that have little or no cybersecurity protection at all. Clearly, there is a long way to go. thedcn.com.au August <strong>2019</strong> 49
Page 1 and 2: First published in 1891 August 2019
Page 3 and 4: There’s a fresh new link in the t
Page 5 and 6: Experience the progress. Mobile Har
Page 7 and 8: You wouldn’t accept complex booki
Page 9 and 10: Darren Lambourn NEW CEO CONFIRMED F
Page 11 and 12: GET AHEAD OF THE STINK BUG DELAYS!
Page 14 and 15: NEWS IN BRIEF QLD transport ministe
Page 16 and 17: NEWS IN BRIEF PILBARA ANNUAL SHIPPI
Page 18 and 19: NAVIGATION Emergency towage vessel
Page 20 and 21: INTERNATIONAL TRADE G20 stalemate l
Page 22 and 23: INDUSTRY OPINION The growing logist
Page 24 and 25: GENDER DIVERSITY Daily Cargo News
Page 26: GENDER DIVERSITY It’s a sad indic
Page 29 and 30: In 2012, Ms Blank had the opportuni
Page 31 and 32: From 1995-1998 the sisters worked t
Page 33 and 34: [l-r] Magdalene Chew, WISTA Singapo
Page 35 and 36: Helping economies grow and customer
Page 37 and 38: Annual Meeting Scholarship which sp
Page 39 and 40: Keeping the ports of NSW safe, secu
Page 41 and 42: Searoad Mersey II, an important shi
Page 43 and 44: “We’ve announced as part of our
Page 45 and 46: Cyber protection at port & sea Iain
Page 47: SUBSCRIBE TODAY! Stay up to date wi
Page 51 and 52: emote access to a lot of these vess
Page 53 and 54: Naraya Lamart, senior associate, HF
Page 55 and 56: Ian Ackerman Andrew Hudson, partner
Page 57 and 58: Hxdyl associated with solvent-based
Page 59 and 60: Delegates at the Pacific Connect Di
Page 61 and 62: DARWIN CONVENTION CENTRE 29 - 30 oc
Page 63 and 64: Warwick Norman and Nigel Porteous a
Page 65 and 66: JOIN US ONLINE! Keep up to date wit
Page 67 and 68: WINNER

DCN AUGUST Edition 2019

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?