Global Threats: Cybersecurity in Ports (Donald Duck, Daughters & Dollars)

Hemispheric Conference on Port Competitiveness & Security: Finding the Right Balance

University of Miami Center for International Business Education & Research (CIBER)

February 23, 2017

© 2017 HudsonAnalytix, Inc.

portalcip.org/wp-content/uploads/2017/03/Max-Bobys.pdf


HudsonAnalytix - Cyber (“HA-Cyber”)


• Technology agnostic advisory

• Unique capabilities tailored to the global maritime industry

• End-to-end converged cyber-physical risk management services

• Proprietary cyber assessment methodology based on best in class standards and frameworks

• Tailored cyber threat intelligence (informed by the “attack side”)

• Global reach

Ship-owners & Operators

Offshore

Ports & Terminal Operators

Waterside Facilities


www.ha-cyber.com www.hacyberlogix.com


The Greatest Cyber Threat to us All: Data Integrity


“Integrity. Cyber operations include an increased emphasis on changing or manipulating data to compromise its integrity to affect decision making, reduce trust in systems, or cause adverse physical effects.”

Threat actions include:

• Posting disinformation (false data);

• Altering online media to influence public discourse and sentiment and to create confusion;

• Modifying stored data;

• Transmitting false data; and,

• Manipulating the flow of data


What is Cybersecurity?

Cybersecurity is NOT:

• Information Technology (“IT”);

• Compliance (e.g. ISO; ISPS Code); and,

• Solved by a “silver bullet” approach

Cybersecurity IS:

• A risk management function that delivers a standard of care;

• The mission and business of protecting the entire business;

• A responsibility that starts at the top (it starts with you); and,

• About business transformation


So What’s Vulnerable? (Hint: Everything)

• Supervisory Control & Data Acquisition (SCADA) equipment and Industrial Control Systems (ICS) for loading / unloading of bulk / containerized cargo

• Cargo / Terminal Management Systems

• Domain Awareness / Navigational Systems - RADAR, AIS, VTS/VTMS, ECDIS, VDR, etc.

• Any Business Software Application (e.g. email, financial, human resources, finance, logistics, business operations; think “ERP”)

• Any Operating System (e.g. Microsoft, Linux)

• Any Security System - CCTV, Access/Gate Control

• Any Mobility device and platform (RFID)

• Communications Systems

• Employees (insiders) and Contractors


WHY? The Maritime Industry is a Target Because…

Lots of Information. Maritime Stakeholders exchange lots of information across different organizations. Data Overload!

Lots of legacy systems. Stakeholders have their own systems. Often, these systems are older and have not been patched or updated to the latest version.

Lots of money. Maritime stakeholders often transfer large amounts of money (e.g. between a ship owner and a yard, or a shipping company and a bunker operator).

Language. The maritime industry is global. Stakeholders operate in different languages, often not their native one.


WHO? - Defining Cyber “Threat Actors”

• Individuals

• Hacktivists

• Foreign Intelligence

• Organized Criminal Rings

• Competitors

• Insiders

• You


More WHO… Cyber Risk Begins and Ends with the Human

• Service-Oriented Ecosystems

• Crime-as-a-Service

• Targeting-as-a-Service

• Networking / Social events

• Tactics, techniques, procedures, and strategies are exchanged

• Training / lessons-learned

• Broker ecosystems

• National teams

• “Trench time”

WHAT? - When We Say “Cyber Risk” What is at Risk?

• Personal information: Credentials; financial data; health information; etc.

• Confidential information: Client lists; contracts and terms; processes, facility plans, client data; etc.

• Operational Information: Data Integrity; networks; etc.

• Political: “Hacktivism” (Direct and Indirect)

• Business: Competition, Competency and Reputation

• Money: Financial Information, payment terms and processes


WHERE & WHEN? - The Cyberization of Risk

Everything is Getting Connected Faster

Law 1: Everything that is connected to the Internet can be hacked*

Law 2: Everything is being connected to the Internet

Law 3: Everything else follows from the first two laws

The impact of a cyber event can cascade across an organization, reinforcing the magnitude of its impact

7 Months (average)

*Rod Beckstrom / Zurich - Atlantic Council Image, Risk Nexus, April 2014

HOW? Cyber Risk & Trust Relationships

– Involves everyone!

  • Home

  • Work

– It is asymmetrical

– Easily executable

– Affects the entire organization

– Is persistent

– Financially rewarding

– Evolved from a luxury to a necessity

A Common HOW? The Whale Attack

Targeting the Decision Makers (You!)

As of April 2016:

• USD $2.3 billion in losses since 2013;

• 270% increase since January 2015; and,

• 79 Countries have been affected.


A Growing HOW? Threat Convergence

Port of Antwerp Cyber Attack, 2011-2013

• Drug traffickers recruited hackers to breach IT systems;

• Hacking technique involved physical access to computer networks and installation of snooping devices;

• Controlled container movements and location information over 2 years;

• Drugs hidden among legitimate cargo;

• Enabled traffickers to steal the cargo before the legitimate owners arrived; and,

• Represents trans-national risk (supply chain data integrity).


THIS PRESENTATION IS TLP AMBER. IT MAY BE SHARED APPROPRIATELY THROUGH SANITIZATION OF MARKED CONTENT.

A Really Big HOW? “The Daily Show” Campaign

• Started in Nigeria with a spear-phishing attack

• Every major port targeted across 88 countries infiltrated

• Comprehensive supply chain targeting (incl. downstream sectors)

• 70+ domains and servers

• Others include routes in/around the Black Sea, Sea of Azov

• Heavy Representation around Panama and Suez canals


Courtesy: Wapack Labs


High Probability: ERP System Compromises

Enterprise Resource Planning (ERP) Systems offer virtual windows into an organization’s activities as they relate to the movement of people, resources, goods, and money.

ERP Systems integrate core business processes and leverage shared databases to support multiple functions used by different business units.

Systems affected include:

• Financial (re: Fraud, Payment info)

• Cargo Handling & Management

• Taxes (e.g. VAT)

• Customs

• Banking

• Shipping


What Does The Daily Show Tell Us?

Main Targets:

• Ship Management Firms

• Vessel Owner/Operators

• Port Terminal Operators

• Logistics Companies

• Manufacturers

• Trade Zones

• Port State Control

• Customs Agencies

• Pilots

• Agents

[Figure: Cyber Threat Actors. Labels: Piracy; Organized Crime; [Terrorists?]; Nation States; Commercial Actors]

A Business Interruption Case Study: The IRISL Hack (2011)


• Servers were compromised

• Logistics systems crashed

• Entire fleet of 172 vessels and shore-based systems were compromised

• False information input into systems:

• Compromised manifests

• Falsified Rates

• Containers ‘cloaked’

• Delivery dates altered

• Client / Vendor Data corrupted

• Major Business Interruption!


OAS CIP CYBER SURVEY FINDINGS

Cyber Risk

Survey Results: Expressions of Interest in…

• Having a cyber security assessment performed (57%)

• Learning more about cyber liability and cyber insurance (57%)

• Meeting with a cyber security / cyber risk management expert who understands port-operating environments (51%)

• Hosting a cyber security seminar for their organization (31%)

• A confidential maritime cyber risk briefing for their executive team (37%)


PRACTICAL RECOMMENDATIONS

Cyber Risk Management Begins at the Top

It’s a Boardroom Challenge

Managing Directors, CEOs and Board Members are increasingly being held accountable for their organization’s cybersecurity.

Cyber risk management must be owned by leadership.

Cyber risk affects an organization’s:

• Balance Sheet / Profit & Loss

• Legal Exposure

• Operational Effectiveness

• Customers (Reputation!)

• Vendors

• Partners

• Employees


Achieving Cyber Resiliency & Sustainability

[Figure: Cyber Maturity (and Insurability) rising from Cyber Immaturity to Cyber Maturity across a timeline of Q1, Q2, Q3, Q4. Labels: “Start Here”; “Mistakes Occur Here”; “Baseline”]

Phases shown along the timeline, in order:

• ASSESS & DISCOVER: Assess and benchmark cyber program at enterprise level across all domains.

• REALIGN & REMEDIATE: Realign cyber risk strategy and solutions to address prioritized assets and threats.

• REMEDIATE (CONT.) & TRAIN: Remediate identified vulnerabilities. Train stakeholders. Monitor for change.

• MEASURE & REPORT: Report changes against baselines, benchmarks and remediated states.

Establish & Sustain Continuous Feedback Loops

Where to Start: Assess & Discover

Define Your “Cyber Ecosystem” & Discover Where the Gaps Are

• Cyber Loss Scenario & Exposure Quantification: Identify most valuable assets and establish what the financial exposure value is for each. Prioritize.

• Insurance Analysis & Stress Test: Review all insurance policies for gaps and/or exclusions in coverage due to cyber events.

• Cyber Program Evaluation: Perform an enterprise-level cybersecurity capability assessment. Use outputs to update plan (or establish new one) and develop a strategy.

• Maritime Cyber Threat Analysis & Support: Assume your organization is already hacked and/or being targeted. Gain insights into where you are currently exploited and who is attacking you.

Cyber Risk Reduction and Transfer

• Initial investments should be in cyber capability development— to protect and sustain.

• As risk curve flattens, cyber insurance becomes an efficient means to further reduce risk.

• Cybersecurity Capability and Maturity inform Risk Transfer.

• Harmonizing investments requires better exposure and loss metrics.

[Figure: Axio brochure graphic. Recoverable text follows.]

ABOUT US

Axio provides cyber risk engineering services and data analytics to support the improved management of cyber risk, including the deployment of cyber insurance. We work with private and public sector organizations to help them better understand and manage their exposure to cyber risk through cybersecurity program evaluations and cyber loss scenario development and analysis.

Much of our work is performed for or in collaboration with the insurance industry; we are on the forefront of developing and enabling improved cyber insurance products that protect firms in the energy sector and other sectors for which physical damage, environmental damage, and bodily injury from cyber risk are real concerns.

The core of our data analytics work is the Axio knowledge center, which aggregates data from our services and other sources to provide a basis for cyber program capability benchmarks, modeling, and other data sciences to improve the understanding of cyber risk losses and associated predictive indicators. Our vision is that the rich data provided through our collaboration with the insurance industry will ultimately provide insight into predictive indicators for cyber loss that materially advance cybersecurity knowledge.

CYBER INSURANCE AS A CONTROL

The Ultimate Value Proposition: Insight and analysis from Axio’s Cyber Risk Knowledge Center enables clients to deploy risk transfer capacity to lower their overall risk.

[Chart: RISK versus CYBERSECURITY CAPABILITY. Regions: INVEST IN TECHNOLOGY; INVEST IN TRANSFER. Annotation: Catastrophic cyber risk transfer capacity lowers the curve overall. Labels: INVEST IN CYBER CAPABILITIES; SUSTAIN CAPABILITY & INVEST IN INSURANCE]

AXIO PROCESS

1. Policy Analysis: Identify gaps in current insurance coverage. Understand the types of impacts from potential cyber events that are not covered by your current insurance.

2. Cyber Loss Scenarios: Develop notional and feasible cyber loss scenarios. Workshop to brainstorm several cyber loss scenarios that could lead to covered and uncovered impacts; estimate total potential cost of each.

3. Program Evaluation: Evaluate cyber risk management capability and maturity. Evaluation based on Cybersecurity Capability Maturity Model (C2M2).

4. Cyber Risk Engineering: Detailed impact analysis, frequency estimation, and loss control. More in-depth cyber loss scenario development and analysis than in step 2.

5. Insurance Placement: With brokers and insurers, secure meaningful coverage. Various new coverage forms and enhanced existing forms are becoming available.

SERVICES

FOR INSURERS

• Scalable cybersecurity program evaluations and benchmarking to support underwriting, ranging from online self-evaluations to onsite in-depth evaluations.

• Data collection and analysis to monitor systemic and aggregation risk and to improve cyber loss models.

• Technology support for evaluations, data collection, and analysis.

• Training and consulting services to better enable insurers and broker partners to address the full range of cyber risk with clients.

FOR POLICYHOLDERS

• Policy analysis to identify and understand cyber exclusions in existing policies.

• Scenario workshops to develop and analyze cyber loss scenarios.

• Scalable cybersecurity program evaluations and benchmarking, ranging from online self-evaluations to onsite in-depth evaluations.

• Intra-organizational benchmarking to compare cyber risk management capabilities among parallel business units for in-depth analysis of large organizations.

• Cyber risk engineering services for in-depth loss scenario analysis, control, and modeling.

FOR BROKERS

• Policy analysis to identify and understand cyber exclusions in existing policies in support of specific clients or market analysis.

• Consulting services for design and placement of bespoke cyber insurance solutions such as captives to address unique client needs.

• Training and consulting services to better enable brokerage teams to address the full range of cyber risk with clients.

AXIO KNOWLEDGE CENTER

DATA SOURCES: Aggregated data from Risk Engineering services, open sources, and insurance industry

KNOWLEDGE CENTER: Benchmarks; Cybersecurity program evaluations; Loss and claims for insurance partners; Predictive Models; Aggregation and systemic risk analysis; Publications; Cyber risk and insurance training and consulting; Loss scenario development and engineering

Courtesy: Axio

Gain Awareness: Train & Exercise!

• Executive Leadership Briefings

• Workforce training spanning multiple cyber capabilities (e.g. spear-phishing, passwords, social media, etc.)

• Consider tailored training workshops to drive awareness among all staff

• In-house Cyber TTX combined with ISPS Code requirements

• Technical Staff Training


Thank You & Questions?

Ferry Terminal Building Suite 300 2 Aquarium Drive Camden, NJ 08103 Office: +1.856.342.7500 Mobile: +1.301.922.5618 Email: [email protected]

Max Bobys VP, Global Strategies


www.ha-cyber.com www.hacyberlogix.com