Cyber Incident Response for the Resilient Organization
Even prior to NotPetya, regulatory bodies, insurers, P&I clubs, port authorities, and other segments of the maritime industry started taking steps to minimize the industry’s exposure to cyberattacks.
The maritime industry has had an awakening. We have awoken to the fact that digitalization has woven its threads throughout the industry, and we have greatly benefited from being able to operate in an interconnected cyber environment. Likewise, being able to transmit shipboard machinery diagnostic information to shore-side operations centers, having the ability to navigate in restricted waters using position and navigation data originating from space, and being able to provide crews the luxury of streaming video from the web while at sea introduces significant risk to the overall industry and to interconnected segments of the economy in general. The NotPetya attack in 2017 was a watershed moment that forced the industry to assess its cybersecurity posture. Clearly, if a global company like Maersk can be significantly impacted, then every other maritime company can be attacked. At best an attack will result in a financial loss, at worse, an attack could possibly force a company to cease operations indefinitely.
Even prior to NotPetya, regulatory bodies, insurers, P&I clubs, port authorities, and other segments of the maritime industry started taking steps to minimize the industry’s exposure to cyberattacks. The U.S. Coast Guard released a draft Navigation and Vessel Inspection Circular 05-17, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) regulated facilities, to introduce the idea of creating a cyber risk framework for the maritime industry based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Shipping associations such as BIMCO and ABS have released their own cybersecurity guidelines, and countless other organizations and groups have released best practices to mitigate cyber risk in the maritime industry. Although the industry generally realizes “something must be done,” the progress made to mitigate cyber risks within the industry are as varied as the industry is diverse. The variety in cyber risk mitigation in the industry is based on the varying levels of resources available from one organization to another, the systems and technologies being used, and the differences in risk management governance models between organizations and companies. Additionally, subtle but also significant differences in cybersecurity requirements and regulatory bodies between the shipping industry, port and terminal operators, port authorities, and other agencies, companies, and organizations that make up the “maritime industry” add an additional layer of complexity can slow the adoption of comprehensive cyber risk management plans industry wide.
Post Cyberattack Actions. Given the immediate need to understand what must be done to limit the damage and protect systems from a cyberattack, the maritime industry also needs to answer the question, “What must we do after we experience a cyberattack?” To answer this question, the following question must be asked, “What do we do to prepare for a cyberattack?” In this case, the maritime industry has the pedigree to address this question and can pull from existing regulations, best practices, and experiences gained from responding to physical incidents such as oil spills, search and rescue response, terrorist threats, and actions needed to ensure continuity of operations due to a major storm or other physical threats.
Cyber Incident Response and Incident Handling (IR/IH) implies pre-determined action plans, tabletop exercises, and IR/IH resources are pre-staged in order to minimize damage to the maritime and port operations. These activities aim to minimize the negative impacts to commerce, the environment, and safety of life at sea or on and about the water. Additionally, no different than a major environmental disaster response, the industry must be prepared to address all aspects of a cyber-incident response including the development of a well thought out public, stakeholder, and investor relations engagement plan.
Pre-determined Action Plans. No different than other disasters, catastrophes, or emergency situations, prudent organizations will have a cyber incident response plan in place to exercise pre-determined action plans when a cyber incident occurs. Unfortunately, a recent study by the Ponemon Institute and IBM found that 77 percent of its respondents do not have a formal cyber incident response plan applied consistently across their organization. Response plans would, at minimum, need to include action plans responding to ransomware, Distributed Denial of Service (DDOS) attacks, infiltration of a network, and introduction of malware in an organization’s network. Underway or mobile assets must also include actions that take into account other scenarios such as losing Global Positioning System (GPS) or other Position, Navigation, and Timing (PNT) systems, impact to a vessel’s steering or machinery control system, and loss or manipulation of electronic navigation systems. In most of these underway scenarios, contingency plans are already in place for these scenarios caused by other means, but there may be additional response requirements to the nature of the attack.
Once developed, these action plans must be exercised on a regular basis. This is no different than other required drills. Many organizations have incorporated cyber incidents in tabletop exercises or have created cyber incident specific tabletop exercise to see how well their action plans work.
Attack in Progress. Being able to identify and understand that an attack is in progress must be incorporated into an organization’s training programs. Likewise, hardware and/or software solutions will need to be configured or acquired to help employees and crews determine whether a cyberattack is taking place. Depending on the type of attack, the characteristics of the attack may be obvious, but not always.
How an organization communicates the nature of the attack and how they respond externally to a cyber incident is just as critical as the technical and engineering actions taken to manage an attack internally within the organization’s systems. Organizations need to develop a communications and public relations action plan to ensure confidence among customers, investors, partners, other stakeholders, and the public that the organization can effectively respond to a cyber incident while minimizing disruption to operations and commerce.
Post Incident Analysis. Depending on the nature of the attack, an organization can expect law enforcement to treat a cyber incident as a crime, thereby making the systems and network that were attacked a crime scene. Therefore, to identify the origins of an attack, an organization should also implement procedures to preserve evidence during and after an attack. This requires putting in place a chain of custody procedure, digital evidence handling procedures, potentially performing internal digital forensics activities, and having a Continuity of Operations Plan, which may include using a backup system during an investigation.
Post incident analysis will need to include a post-mortem to determine how to prevent similar attacks in the future. Much like implementing cybersecurity safeguards, identifying and taking action on the lessons learned from a cyberattack must be driven from the top down.
Reconstitution. In most cases, organizations have a systematic process for reconstituting operations. These processes will need to be extended to include post-cyberattack incidents. Organizations will need to determine how expeditiously they can return to full operational capacity. Organizational leadership must continue to communicate with all their stakeholders what steps are being taken to return to a fully operational status.
Preparation for a cyberattack is a critical component for maritime organizations to ensure that environmental, commercial, and safety impacts are kept to a minimum. Fortunately, the industry has existing response plans for other types of catastrophic events that can be used as a model for preparing and responding to cyberattacks.
(As published in the April 2018 edition of Maritime Reporter & Engineering News)