A SHIP is in serious distress near the Strait of Malacca as an unfamiliar voice declares to the master and seafarers they are under attack from pirates. Yet the pirates are nowhere near the ship; they sit in a landlocked basement with smart-devices and not only have they got one ship under their control but an entire fleet whilst disrupting an entire global shipping operation. Elsewhere ships are being capsized, containers are exploding and ports around the world are being disrupted.
This futuristic scenario could be what security researcher “x0rz” refers to as “Somalian pirates 2.0”. Perhaps the ship is autonomous, and the crew are also not physically near the incident. Ideally, it is just a well-drilled cybersecurity simulation exercise but what it most certainly is not – is entirely unrealistic.
Witness the Fourth Industrial Revolution, the digital arms race and the pursuit of an almost inconceivable array of advantages that will continue to be realised and you might pause for thought on just where this might be all heading. As both a consultant and researcher I spend a great deal of time addressing the main areas of innovation (and disruption) confronting shipping, logistics and transport industries. Be it the Internet of Things (IoT) through to blockchain, there is enormous potential. In such industries, the pursuit of physical and digital convergence is an obvious domain for both the innovator and the hacker. I also spend even more time researching and addressing vulnerabilities in organisations. What is clear to me is that whilst ‘smart industries’ are very exciting they are also extremely vulnerable.
Perhaps like asking an economist about interest rates, asking cybersecurity experts what “cybersecurity” is will elicit as many possible answers as there are experts. Many people might be surprised to learn that so-called cyberattacks are by no means a modern phenomenon. The Marconi Wireless Telegraph system was ‘hacked’ early last century (circa 1903) and under some definitions meets the criteria for a ‘cyberattack’. The roots of modern computing maliciousness can probably be found in the late 80s but what is certain is the evolution has been exponential.
Consider the ability for hackers to control GPS, load plans and to cause global port disruptions and it should become apparent how vulnerable industry is. One of 2017’s more high-profile examples involved Maersk suffering a Petya attack that resulted in up to $300 million dollars being felt at the company’s bottom line. Despite some vulnerabilities discovered in BAPLIE possibly being overstated, the fact remains that vulnerabilities in legacy systems are clear and present dangers for the industry. Multiple reported incidents and ‘cyber-simulations’ have proven the vulnerability of such systems. By now many readers would be aware that one of the world’s largest providers of shipping services, Clarksons, suffered a serious breach. Industrial control systems remain huge targets for malicious agents.
Outside of shipping, global corporations from the big-four (Deloitte) to consumer credit reporting agencies (Equifax) have been hit. Uber has been all over the news recently; not only for revelations of mass data breaches in its organisation but also condemnation for the cover-ups that have followed.
It’s also not only the direct cost to business from any successful cyberattack that should be of concern. In Australia, any successful data breach will now be of immediate concern, if it wasn’t already, as the Federal Government has introduced the Privacy Amendment (Notifiable Data Breaches) Bill coming into effect in early 2018.
In summary, under these new laws where an organisation fails to report data breaches they could be faced with penalties including fines of up to $360,000 for individuals and $1.8 million for organisations. Per breach. One day of data breaches and cyberattacks could conceivably cripple an organisation. Ignorance will be costly.
So how are organisations to plan, prevent and respond to cybersecurity issues? I recently caught up with my friend, colleague and cybersecutity expert, Connie da Cunha, to talk all things cyber and security. It may be somewhat surprising that this conversation didn’t just focus on malware, deep web attacks and/or denial-of-service attacks. As important as the technological components of cybersecurity are (and they are), Ms da Cunha reminded me that any company that fails to embed cybersecurity as a daily organisational matter (think OH&S as a simpler comparison) won’t have a fighting chance despite the level of technology available.
“As someone who advises many organisations and governments on this, one of the first things I look at is the culture of a given organisation because cybersecurity can really be thought of in three components and these are; people, process and technology,” Ms da Cunha discussed. “No matter what type of cybersecurity challenges are presenting themselves, how an organisation responds will be determined by that entity’s culture, as any technological response.”
“Obviously technology is involved in preparing for and responding to cyberattacks; but it’s vitally important that the organisation is adequately equipped to manage these issues at both a micro and macro level, it’s at that individual level of any organisation that remains crucial.”
It is very easy to quote cybersecurity statistics; such as digital extortion via ransomware or systems breach being one of the most prominent threats to consumers and businesses, per IBM’s latest report. We can (and do) monitor Deep Web attack trends whilst also tracking “old-school” cyberweapons such as trojans, worms or malware using port (servers) and IP addresses involving Telnet, SQL, Brute force and more. These attacks continue to be common within the retail industry, such as credit card fraud. The top five attack vectors; Shellshock, SQL injection, brute force, fingerprinting, and backdoors, accounted for around 74% of attack activity targeting the retail sector.
Yet, what are even more alarming statistics are those found in a UK Axelos report showing 75% of organisations suffered staff-related security breaches in 2015. This report also reveals that very few senior cybersecurity professionals in large organisations consider their employers, employees, officials and/or contractors “cyber-aware” enough to respond to any attack at the organisational level.
Whilst cybersecurity statistics, trends and simulations are all important it’s cybersecurity experts such as Ms Connie da Cunha who remind us all that despite technological sophistication, cybersecurity also comes down to “cyber-awareness” at the individual level of any organisation.
“It is hypothesised that Edward Snowden walked out of one of the most covert cyber organisations the world has ever known, with a USB stick hidden inside a Rubik’s Cube,” Ms da Cunha reminds with a wry smile. “So, in addressing cybersecurity issues across any organisation, I’m always very careful to express the fact that it’s as much about an internal organisational matter as it is about any external breach of a cyber-kind.”
In a digital world it remains the case that the ‘human-factor’ is just as important as ever.
* Ben Scott has worked as a risk management and business consultant in global supply chains. He has experience working in several locations across the Asia-Pacific, Africa and North America. With particular interest in higher education and emerging technology in the shipping and logistics industry he holds degree qualifications in science and technology fields. He is currently a post-graduate student at the Australian Maritime College.
From the print edition December 14, 2017