Cybersecurity: Eight Tenets to Consider

Cybersecurity risks to the nation's critical infrastructure, now defined as 17 sectors including the transportation and maritime sector, are growing exponentially. 

The maritime sector is a cornerstone of our national and economic security. The United Nations Conference on Trade and Development (UNCTAD) has stated  that “80 percent of global trade by volume and more than 70 per cent of its value being carried on board ships and handled by seaports worldwide,” which represents a staggering role in the global economy. 

Nations around the world, including the U.S., have made it clear that cybersecurity is both a priority and a mainstream national, homeland and economic security concern. The Trump Administration recently issued Presidential Executive Order (EO) 13800, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" reinforces that as have the U.S. Congress and the Executive Branch.

Perhaps as a reminder of the fragility of our global infrastructure, the day after EO 13800 was issued, nearly 100 nations and numerous critical infrastructure sectors around the globe were hit by the WannaCry ransomware attack. Then again in early July, a second wave of global cybersecurity attacks (known as the Petya/non-Petya malware) hit multiple sectors, including the transportation and maritime sectors. 

Maersk, the largest container ship operator in the world was hit hard, shutting down terminals at ports around the world and bringing its systems to a near standstill, lasting for weeks. Importers around the world stated that their operations had been impacted by the supply chain disruption caused by the delay. It should be noted that the key to the Maersk incident was a basic exploitation of a known vulnerability in old software that Microsoft had indicated years ago that it would no longer support, an issue that could have been mitigated by upgrading these systems.

The digitization of the maritime sector has brought about a technological revolution with great efficiencies to the overall operations and global supply chain. Unfortunately ensuring that there is security embedded on the front end is still not the norm. This leaves new and old legacy in a systems cobbled together in a patchwork of structures. 

At the same time, the sector is debating the potential use of autonomous ships; however,  discussions around cybersecurity protections are still not part of the underlying debate. It should be clear to all that cyberattacks and associated risks represent a clear and present danger.  Nation states, non-state actors, criminals, and 21st century pirates are using cybersecurity as a tool to steal and disrupt the system. 

The “call to action” around the cybersecurity risk has been a steady drumbeat for many years and the sector’s cybersecurity ecosystem must be evaluated and the associated risks quickly addressed now (or quickly). Whether it was from 2013 with the issuance of Presidential Cybersecurity Executive Order 13636 in 2013; the U.S. Coast Guard first cybersecurity strategy in 2015 or the U.S. Coast Guard updated “guidance” in December 2016 that stated that cybersecurity risk is covered under the Maritime Transportation Security Act (MTSA), the cyber-risk is self-evident.  

The IMO has been working to address cyber risk. It was only after the Maersk attack that the IMO issued more solid guidelines for maritime security risk management. Cybersecurity attacks have been documented on ships, ports, and more recently. Of particular note are alerts about GPS and satellite spoofing in the Black Sea bring great cause for alarm.

Here are eight basic tenets for the sector to consider: 

1. The maritime domain is a complex and increasingly automated one. As a result, cybersecurity attacks can potentially impact the health and safety of people as well as the safety and security of goods, bringing significant regulatory and legal implications to the corporate ecosystem, whether it includes passenger or cargo operations.

2. There are common misconceptions that cybersecurity risks are solely a technology problem. It is not, it requires an enterprise risk management holistic approach that includes the C-Suite, senior leadership, risk officers, legal, regulatory, security, information technology and other departments in the overall process.

3. Cyber attackers have varied motives, which include stealing, disrupting and potentially destroying assets. Shutting down a port or a similar Maersk-like attack can have reverberating impacts on the global economy.

4. Remember that a privacy policy is not a cybersecurity policy. Cyber risks have significant operational impacts in the maritime domain and need different underlying policies and structures to manage that risk. 

5. Expect U.S. and global regulators to continue to double down on cybersecurity risk within the entire maritime ecosystem. 

6. To understand cyber risk in the industry, breakdown the maritime domain into its respective parts, identify the cyber risk within each domain as well as from cross-sector risk.  Create a comprehensive plan to manage, mitigate, respond and recover to cyber-attacks which must be a living document that is constantly tested.

7. Traditional risk transfer mechanisms like insurance and other tools are invaluable but will not ever completely cover cyber risk.

8. Increasing use of and innovation around technology should be embraced but must also include security and cybersecurity at the front end.

Norma Krayem is Senior Policy Advisor & Co-Chair, Cybersecurity and Privacy Team, Holland and Knight and Former Deputy Chief of Staff, U.S. Department of Transportation.