Marine Cyber Risk Management: A Top-Down Holistic Approach
AAPA Port Security Seminar & Expo, Bellevue Hotel, Philadelphia, 24 July 2019
Who We Are
• Who We Are:
• Trusted best-in-class partners
• Technology/vendor agnostic
• Global reach
• What We Provide:
• Enterprise assessment approach: the HACyberLogix
• Tailored cyber threat intelligence, informed by the "attack side"
• Customized cyber training for ship-owners & operators, offshore, ports & terminal operators, and waterside facilities
Leveraging Aon Cyber Solutions: Helping to protect today and safeguard tomorrow

Service areas: Security Advisory; Testing; eDiscovery; Quantification; Broking; Digital Forensics & Incident Response; Investigations & Intelligence

Solving your cyber events: Respond to the incident, create an investigation strategy, contain the incident while preserving evidence, and confidently communicate with your stakeholders.
Identifying your security weaknesses: Evaluate and remediate your vulnerabilities, determine your readiness to respond, and improve your organization's cyber resilience.
Illuminating your systems' vulnerabilities: Leverage real-world testing and simulations to help you better understand your weaknesses and strengthen your defenses.
Using knowledge to empower: Help protect your organization by applying traditional investigative techniques to the digital environment.
Optimizing your total cost of risk: Model cyber loss scenarios and stress test your current insurance limits to enhance your risk financing strategies.
Securing your future: Protect your organization from the financial impact of a cyber incident.
Avoiding costly inefficiencies: Benefit from professional guidance through ever-changing technical and legal challenges.

See your company like never before. Find the smoking gun. Clear your way for peace of mind. Protect your organization's brand. Strategize for your company's future. Know it's not one size fits all. Bring order to the disorder.

Our Unique Value, Our People: Protectors and Problem Solvers, More than the Sum of Their Parts
§ Forensic computer analysts § Penetration testers § IT security engineers § Information security analysts § Security architects
§ Former CISOs § Fraud examiners § Security risk consultants § Investigators § Criminologists
§ Forensic accountants § Governance & risk mgmt. professionals § Privacy professionals
§ Former law enforcement* § Former prosecutors § AmLaw 100 former partners
§ Former Big 4 professionals § Actuaries § Statisticians § Data analysts
§ Oath takers § Claims advocates § Evidence technicians § Brokers § CPAs
*Includes former Head of the Cyber Division at FBI Headquarters and former founder of the FBI's computer crime squad in New York
Establishing Cyber Risk Context
Carl von Clausewitz (1832):
• War is a political, social and military phenomenon.
• Asymmetries can defeat the perceived superiority of the defense.
Joshua Corman (2019):
• The physics of cyberspace are wholly different from every other war domain.
What is "Cybersecurity"?
Cybersecurity is NOT just:
• Information Technology ("IT")
• Compliance (e.g. ISO; MTSA; USCG NVICs)
• Solved by a "silver bullet" approach
Cybersecurity IS:
• Enterprise in nature
• Sustained risk management
• About cultural change and business transformation
• Managing financial risk (protecting the Balance Sheet)
Cyber Risk Begins with the Human…
• Service-oriented ecosystems
• Crime-as-a-Service
• Targeting-as-a-Service
• Networking/social events
• Tactics, techniques, procedures and strategies are shared
• Training/lessons-learned
• Broker ecosystems
• National teams
• "Trench time"
The Maritime Industry is a Target Because…
Lots of information. Maritime stakeholders exchange lots of information across different organizations. Data overload!
Lots of legacy systems. Stakeholders have their own systems. Often, these systems are older and have not been patched or updated to the latest version. Easy target!
Lots of money. Maritime stakeholders often transfer large amounts of money (e.g. between a ship owner and a yard, or a shipping company and a bunker operator).
Nexus of global trade. Nation-state adversaries have proven how successful supply chain attacks are. Cybercriminals are likely to launch emerging automated, active-adversary attacks against supply chain targets.
So What's Vulnerable? (Hint: Everything)
• Supervisory Control & Data Acquisition (SCADA) equipment and Industrial Control Systems (ICS) for loading/unloading of bulk/containerized cargo
• Cargo/Terminal Operating Systems
• Domain Awareness Systems: RADAR, AIS, VTS/VTMS, GIS systems
• Any business software application (e.g. email, financial, human resources, finance, logistics, business operations; think "ERP")
• Any operating system (e.g. Microsoft, Linux)
• Any security system: CCTV, access/gate control
• Any mobility device and platform (RFID)
• Communications systems
• Employees (insiders) and contractors
And it's Getting Worse… Internet of Things Growth Trends
"The volume of IoT attacks remained high in 2018. Routers and connected cameras were the most infected devices and accounted for 75 and 15% of the attacks, respectively."
– Symantec 2019 Internet Security Threat Report
High Probability: ERP System Compromises
Enterprise Resource Planning (ERP) Systems offer virtual windows into an organization's activities as they relate to the movement of people, resources, goods, and money. ERP Systems integrate core business processes and leverage shared databases to support multiple functions used by different business units. Systems affected include:
• Financial (re: fraud, payment info)
• Cargo Handling & Management
• Taxes (e.g. VAT)
• Customs
• Banking
• Shipping
Threat Ecosystem Convergence: The Port of Antwerp Cyber Attack, 2011-2013
• Drug traffickers recruited hackers to breach IT systems
• Hacking technique involved physical access to computer networks and installation of snooping devices
• Controlled container movements and location information over 2 years
• Drugs hidden among legitimate cargo
• Enabled traffickers to steal the cargo before the legitimate owners arrived
• Represents transnational risk (supply chain data integrity)
(Image: http://www.portstrategy.com/__data/assets/image/0026/207449/Antwerp-port-is-a-massive-operation-despite-being-50-miles-inland.jpg)
Maritime Cybersecurity Survey by Jones Walker (Oct 2018)
• 126 senior executives
• Nearly 80% of large US maritime industry companies (more than 400 employees) and 38% of all industry respondents reported that cyber attackers targeted their companies within the past year.
• 10% of survey respondents reported that the data breach was successful and 28% reported a thwarted attempt.
• 69% of respondents expressed confidence in the maritime industry's overall cybersecurity readiness.
• 64% indicated their own companies are unprepared.
• 100% of large organizations indicated they are prepared vs. 6% for small companies.
• 92% of small and 69% of mid-size orgs have no cyber insurance.
• 97% of large organizations have cyber insurance.
Cybersecurity is a Challenge for Everyone
"We wasted millions of dollars. Not only were we undisciplined in our deployment of cybersecurity technologies, we possibly created more vulnerabilities with our ad hoc approach. Inactivity was not an option, but I am not sure our responses solved the problems and protected shareholder value."
– Anonymous former security executive, Goldman Sachs
Notable cybersecurity figures:
• 2019 budget: USD $600 million–1 billion
• Worldwide staff: 3,000+
Common questions we get from our clients include:
• What do we invest in first?
• How much do we budget?
• What are our priorities?
• How can we measure the effectiveness of our investments?
• Are our investments sustainable?
The Challenge: Business Leaders Are Not Getting Informed Answers
Who Owns Cyber Risk?
Shareholders, PE, Partners, Commissioners: Evaluate and fund risk (in terms of investment decisions)
Board of Directors: Evaluate and fund risk (minimize losses; support/protect shareholder equity)
Business Leaders (CEOs, MDs): Manage risk (Profit and Loss / Balance Sheet)
Risk Leadership (Counsel, Risk Mgr.): Identify, prevent, accept, and transfer risk (insurance; agreements and contracts in terms of risk to Profit and Loss and Balance Sheet)
Security Leadership: Validate risk, allocate resources (in terms of cyber risk to operations and Profit and Loss)
Security Practitioners: Communicate needs and solutions (in terms of cyber risk to operations that support cash flow and Profit and Loss)
Re-Thinking Cyber Risk Management
✓ Consider cyber risk in terms of money
✓ The cyber-risk-to-money intersection offers measurable value to inform resource prioritization
✓ Financial grounding translates cyber risk into common language
✓ Empowers decision-makers with relevant context and inputs so as to make informed decisions on cyber risk
A CASE FOR CYBERSECURITY CAPABILITY MATURITY
What is Cybersecurity Capability Maturity?
Cybersecurity Capability Maturity analysis defines an organization's cyber ecosystem, identifies the depth and breadth of deployed capabilities, establishes benchmarks to support long-term measurement, and serves as the primary mechanism for sustaining the organization's cybersecurity strategy and investments.
Why it's Important: Driving Enterprise Cyber Risk Reduction
The Cyber Risk Reduction Curve: Investing in the right combination of technology and insurance maximizes risk reduction.
1. Technology risk reduction
2. Insurance risk reduction
(Figure, image courtesy of Axio: Risk vs. Cybersecurity Capability, with callouts "INVEST IN CYBER CAPABILITIES!", "SUSTAIN CAPABILITY & INVEST IN INSURANCE!" and "Resilience, Compliance & Insurability")
Cyber Losses Continue to Increase
"The economic costs of large-scale cyber attacks already exceed losses caused by natural disasters. Where small and medium-sized enterprises are affected, such attacks can soon threaten their very existence. The biggest cyber-related economic losses to date have been those caused by ransomware and malware, especially WannaCry and NotPetya – attacks that affected the marine sector."
– Torsten Jeworrek, Member of Munich Re's Board of Management
Cyber Risk
There may be no greater risk to the marine industry, including commercial ports, than cyber insecurity.
The question is, what should ports, and those that lead and manage them, be doing right now to prepare?
Pre-Breach (1)
Before a breach occurs:
– Establish an actionable, up-to-date incident response (IR) plan
  • Identify key stakeholders for IR
– Conduct tabletop exercises, at least annually
– Working with IT, develop detailed data loss prevention (DLP), disaster recovery (DR) and business continuity plans (BCP)
Pre-Breach (2)
Identify your partners:
• Negotiate an IR retainer agreement with a forensic provider; get to know them
• Select a law firm partner
• Establish a relationship with a PR firm
• Get to know law enforcement
Pre-Breach (3)
Secure cyber insurance!
– Great resource for support to create cyber resilience
– Often results in a lower hourly rate for breach response
Pre-Breach (4)
Build awareness
• Train yourself and your employees on how to become more resilient to cyber attacks
  – Phishing campaigns
  – USB key drops
  – Online and in-person training modules
• Create a culture where everyone understands that security is an enterprise-wide core value and each individual plays a role
Aon's Global Marine Cyber Strategy
Risk Assessment and Mitigation: Hudson Cyber (Aon partner)
HACyberLogix – Cybersecurity Assessment/Decision Support System; provides cybersecurity compliance elements specific to vessel operators
• Diagnostic: Cyber Resiliency Report Card
• Decision Support: highest impact for lowest cost recommendations
Loss Mitigation and Incident Response: Stroz Friedberg (an Aon company)
Leading cybersecurity, digital forensics and incident response company
Risk Transfer: Aon
• Cost-effective risk transfer solution based on risk assessment and incident response
• To be placed with a consortium of underwriters from the marine and cyber markets
• To include standard cyber and marine-related coverages
Thank You!
Max Bobys, Vice President
Ferry Terminal Building, 2 Aquarium Drive, Suite 300, Camden, NJ 08103. Office: +1.856.342.7500. Mobile: +1.301.922.5618. Email: [email protected]
Patrick O'Neill, Senior Vice President, National Hull & Liability Practice Leader
Aon Risk Solutions, Aon Broking Marine, One Liberty Plaza, 165 Broadway, Suite 3201, New York, [email protected]
John Ansbach, Vice President, Engagement Management
3535 Travis Street, Suite 105, Dallas, TX 75204. t +1.214.377.4566, m +1.214.971.3352. john.ansbach@strozfriedberg.com, www.strozfriedberg.com
Heidi Wachs, Vice President, Engagement Management
1150 Connecticut Ave. NW, Suite 700, Washington, DC. t +1.202.534.3292, m +1.202.389.7890. Heidi.wachs@strozfriedberg.com, www.strozfriedberg.com