© 2019 Jones Walker LLP | joneswalker.com
The State of Cybersecurity Readiness in the U.S. Maritime Industry
Andrew R. Lee, Ford Wogan
December 4, 2019
June 27, 2017 Ransomware message received by Maersk employees
Maritime industry: vulnerable
The Marine Industry is Vulnerable
• Insider threats
• External threats – jamming, spoofing, extortion
• Mismatched, out-of-date software
• Inadequate budget allocation
• Limited training
• General lack of readiness
Impacts
• Cargo stolen or lost
• Port disruptions
• Physical Damage
• Loss of life
• Ecological Harm
• Terror incident
• Lost revenue
• Lost stakeholder confidence
Jones Walker Maritime Cybersecurity Survey
126 respondents
Including:
• 75 Vessel Owners/Operators
• 28 Port Operators / Service Providers
• 23 Cargo Shippers
from Small (36), mid-size (58), and large (23) companies
Respondents believe the industry is prepared … but their own companies are not.
Big companies: ready. Mid-size and small companies: not so much.
• 100 percent of large companies claim to be prepared to deal with a data breach.
• Respondents from small (94%) and mid-size companies (81%) reported that their organizations were unprepared to prevent a data breach.
Readiness by sub-sector
70% unprepared 78% unprepared 43% unprepared
Readiness measured by potential bad outcomes
* Negative public opinion * Lost customers * Lost business partners / goodwill
* Lost confidential info * Lost intellectual property * Mandatory notification
What is the cost of an attack? (IHS Markit / Fairplay Survey International Survey)
[Bar chart: Cost of an Attack. Cost bands: < $5,000; $5,000 - $50,000; $50,000 - $100,000; $100,000 - $500,000; $500,000 - $1 million; $1 million - $10 million. Axis scale: 0 to 70.]
17% - $100,000 and up
6% - $500,000 and up
3% - over $1 million
Are companies spending enough to address? NO
Where is the industry going?
Autonomous Shipping
From Future Directions International Research Institute…
“The maritime industry appears still to be ill-equipped to deal with such future challenges as the cybersecurity of fully autonomous vessels.”
Where is industry going?
Widespread Automation
Recent Port Breaches
• Barcelona
• San Diego
• Long Beach
June 27, 2017 Ransomware message received by Maersk employees
Maersk NotPetya Incident
June 2017
• Global shutdowns
• Obstructed system
• Destroyed 50,000 PCs
• $250-$300 mm cost
• $10 bn impact (est.)
• Affected container shipping, tug boat and oil tanker operations
Chairman: company had “only average” cyber-readiness
Indications of preparedness
But is the industry even aware?
What you don’t know can hurt you
97% - “no breach” or “unsure”
Industry unsure if data has been compromised
Where is the government?
• Trying to raise the alarm
• USCG opened its Coast Guard Cyber Command (CGCYBER) in May 2017
• 39-person cyber event response team
• Integrated with DHS support
• USCG and DHS issued proposed cybersecurity draft guidelines for Maritime Transportation Security Act in July 2017
“The key is to treat a cyberattack as if it were a physical threat.”
-- USCG Cyber Commander Rear Adm. Kevin Lunday
USCG Warnings
Where is industry as a whole?
• In June 2017, Maritime Safety Committee adopted Resolution MSC.428(98)
• Encourages governments “to ensure that cyber risks are appropriately addressed in safety management systems no later than” January 2021
• In July 2017, IMO issued MSC-Fal.1/Circ. 3
• Provides “high-level recommendations on maritime cyber risk management”
BIMCO Guidelines on Cyber Security Onboard Ships
• World’s largest international shipping association
• Issued third edition of cyber risk management guidelines in December 2018
• Third edition in as many years
• Spring 2019 – BIMCO cybersecurity clause will require parties to contract to have “plans and procedures in place to protect its computer systems and data, and to be able to respond quickly and efficiently to a cyber incident”
BIMCO Guidelines on Cyber Security Onboard Ships
• Good starting point, but not enough
• Clause requires parties to:
• Implement appropriate cybersecurity measures and systems
• Maintain appropriate procedures and policies “to allow [an efficient and effective response] to a cybersecurity incident”
• Regularly review arrangements to verify procedures and policies being followed
• Use reasonable efforts to ensure third-party compliance with contract
• Promptly notify other party of breach
Clause permits parties to limit total liability to the other
Default amount if none specified: $100,000
Takeaways from survey
Cyber-secure companies do these things:
• Appoint empowered information security officers, with well-defined roles and responsibilities
• Train their workforce in cybersecurity procedures
• Participate in threat assessments and share information
• Obtain or re-evaluate cyber risk insurance
• Include cybersecurity as part of their OT and strategic plans
• Devote budget to cyber-readiness like their company’s reputation depends on it
• Develop and maintain disaster recovery, business continuity, and other contingency plans
• Document and implement cybersecurity policies and procedures
Thank you!
Andrew R. Lee, Ford Wogan
www.joneswalker.com