Maritime Cyber Security: The Wrong Formula
For many industries, cyber security is about target hardening and perimeter defense. This makes sense, as cyber security is implemented in much the same way that physical security is implemented. We often think of it in terms of the medieval castle design, which translates to defense in depth in modern vernacular. The focus on defense in depth can be explained by a simple equation:
Security = Hardened Target + Perimeter Defense
This formula makes sense, as we can see and touch perimeter defense in physical security. We have seen and are comfortable with things such as fencing, ingress and egress areas (think doors, drives, sidewalks), guard stations and cameras. We like things we can see and touch. In the cyber security world, this translates into firewalls, intrusion prevention systems, intrusion detection systems and antivirus software. Target hardening is a bit more obscure, but nonetheless, we can still see it in action in our secure facilities. We understand locked doors, escorts, authorized access only signs and visitor badges. For target hardening in the cyber security world, we use things such as network segmentation, air gaps and disabling certain features such as USB drive access. Even though we may not be able to physically touch it, we can see it on a network diagram and feel safe.
The maritime system has long been a place where physical security has taken a very high priority. We have gates, fences, restricted access, guards, cameras and signs. We feel safe seeing those. In addition to feeling safe, we also understand that if we violate a security measure, we will face some sort of consequence, ranging from being escorted off of the property to going to prison. So, we have a clear vision of what security is in the physical world, and what happens when we violate that security.
As for cyber security, recognizing the security measures with regard to hardware and network diagrams can be just as simple. The breakdown is with the understanding of the consequences of violating security measures. We have been taught that technology is designed to make work and play more efficient and entertaining. Therefore, we associate technology (i.e., cyber) as a mechanism for convenience. I know very few people that would willingly climb a security fence to get from point A to point B, even if it required that they walk an extra mile. The reason is that they physically see the barrier and understand the consequence: climb the fence and risk being arrested. They make a logical decision to walk around using a simple cost benefit analysis. The same cannot be said for cyber security.
According to Vircom (2017), human error was responsible for 52 percent of data and security breaches. Thus, humans are the weakest link in any organization’s defense-in-depth strategy. For recent noteworthy examples of how humans can wreak havoc, users can turn their attention to the NSA and CIA. The culmination of these malicious insider attacks landed numerous sensitive documents and hacking tools on Wikileaks, which is an organization that publishes news leaks, sensitive information and the like. If malicious insiders are not enough to get an organization’s attention, think about when an employee who prepares taxes for someone wants to take work home with them via a USB drive, but drops the drive in the parking lot. Accidental insider breaches can cause an organization to lose a tremendous amount of money because of the carelessness of their employees.
The State of Cyber Security
According to the 2017 Verizon Data Breach report, more than 800 breaches that occurred in 2016 were the result of a social attack, such as phishing. Phishing relies on the end user to click a link, download an attachment, or otherwise disclose data that normally would not be made public. Not only are hackers sending phishing emails to steal passwords, they are packing the emails with malware that can tear through a network undetected. Over half of all breaches in 2016 included malware. In June of 2017, the NotPetya cyberattack hit the Maersk Line, APM Terminals, and Damco. This cyberattack has been estimated to have cost the company up to $300 million. These are the threats companies are facing, and without the proper education, end users will not be equipped with the knowledge needed to help stop such threats.
Actionable Security Awareness
The human security risk is very real, in part because of the lack of education and training about cyber security. This is exacerbated by the lack of perceived consequences for violating cyber security. Cyber security professionals have to keep in mind that typical end users do not see the same consequences in checking personal email or visiting social networking sites that they do when they are faced with the fence. The phrase “out of sight, out of mind” can ring true and have serious consequences if end users are not well educated. Security awareness needs to be brought to their attention in various forms because all end users learn differently. A successful cyber security program must include a strong educational component on proper use, but it must bring about awareness of consequences that are as clear as the fence.
We are taught from a very young age not to accept candy from a stranger, but we continually open emails and attachments from people that we do not know. We understand that the candy could contain poison and make us sick, but we rarely think about the implications of opening the email or attachment from the stranger because we cannot link the consequences to the action. This was exemplified in the Port of Antwerp case, where drug smugglers recruited hackers that used phishing techniques (infected emails) to successfully gain access to the digital tracking systems for the Port of Antwerp. The drug smugglers used this access to locate the shipments within the port and have their own drivers pick them up. According to Trend Micro, this attack could have been much worse if the hackers had decided to manipulate the Automatic Identification System instead. This could have caused significant physical and economic damage.
Finding the Right Formula
It is evident that the current security formula is inadequate for the future of maritime cyber security. Perhaps a strong cyber security awareness training program that links behavior to consequences might prevent the next NotPetya cyberattack or drug smuggling operation in your organization. Adding that education piece to the definition of security will only strengthen the overall security posture of maritime organizations. In the end, the fence is only useful if people know its purpose.
Security = Hardened Target + Perimeter Defense + Education
References:
- Brooks, Chuck. April 5, 2017. Defining and Addressing the Growing Cyber Insider Threat. Retrieved from https://www.alienvault.com/blogs/security-essentials/defining-and-addressing-the-growing-cyber-insider-threat.
- Verizon Enterprise. 2017. 2017 Data Breach Investigations Report, 10th Edition. Retrieved from http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.
- MTI Network. Taking Maritime Cyber Security Seriously. Retrieved from http://www.mtinetwork.com/taking-maritime-cyber-security-seriously/.
- Vircom. February 2017. The Human Factors in Cyber Security and Preventing Errors. Retrieved from https://www.vircom.com/blog/human-factors-in-cyber-security-preventing-errors/.
The Authors
Scott Blough is Executive Director, Center for Cyber Defense & Forensics, at Tiffin University.
Kyle Johnson is the Information Security Officer at Indiana Tech.