The world is different from a year ago. What are the top maritime cyber risks and top recommendations to mitigate these risks?


Geopolitical changes in the last year have led to an increase in cyber risks. During a recent top-level meeting in Barcelona, leading CEOs in the maritime sector agreed that secure digital communication platforms are essential for fast and efficient information transfer and cargo handling in the ports, but that at the same time cyber risk is becoming a hot topic for port communities around the world that want to avoid operational chaos, business disruption and financial loss. According to the World Economic Forum, economic loss owing to cyber crime represents 3.4% of global GDP.

Cybercriminals and digital warfare attackers are increasingly searching for the shortest and easiest way to get access to the digital crown jewels in the main ports of the world. They buy user IDs and passwords on the dark web, the ‘underworld’ of the internet. They scan computer systems for missing patches to find an easy way to get access to the crown jewels of the maritime sector.

The top three risks are: unavailability of port infrastructure caused by ransomware (remember the Maersk incident); a damaged internet infrastructure; and takeover of Internet of Things systems such as locks, bridges or vessels.

The main mitigation actions are multi-factor authentication (a second factor besides a password, e.g. a code on your smartphone, a fingerprint, etc.), excellent cyber hygiene (e.g. patching procedures, pen testing), prediction of cyber attacks (e.g. Secure Development Life Cycles), Business Continuity Plans (e.g. playbooks) and top management attention to cyber risk management.

In case of cyber incidents, companies and organisations will be asked to explain how this could happen; CEOs will need to prove that guidelines (e.g. IMO) and frameworks (e.g. NIS, ISO 27001) were implemented to prevent this kind of incident. Legal explanations will be requested by the companies that suffered damage.

Companies should not start flying without parachutes. Digital transformation in the maritime sector needs to be facilitated by leading frameworks such as ISO 27001.

The question is not whether a severe cyber incident will happen, but when it will happen.

To increase the protection of your digital systems against cybercrime, the services of http://www.Cyber4ce.eu can protect you in an efficient way.

The services we offer range from ransomware protection, consultancy and business continuity workshops to implementation of ISO 27001:2022 and internal audit.

Your first call and our first visit are free; contact us.

https://smartports.tv/whats-next-in-cibersecurity-at-ports-and-port-facilities

Building trust in the digital world: EU General Data Protection Regulation


Why?

Bruce Schneier: “Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance.”[1]

To protect the rights of European individuals, the EU has agreed on a new EU General Data Protection Regulation. European citizens will get a whole new set of rights.

This new EU regulation will assist companies in respecting the information of the people they work with. Organizations will be accountable for incorporating these rights into their daily business practices, if they have not done so already.

When?

Political agreement on the General Data Protection Regulation was reached on 15 December 2015. It will replace the existing Directive 95/46/EC. It should be formally adopted in 2016 and come into force in 2018. The agreed text is here.

What?

The new regulation concerns the personal data of all citizens of Europe and applies to organizations established in Europe and also to organizations outside Europe that process the data of European citizens.

How?

Companies controlling and processing the personal data of Europeans must not only comply but also be able to demonstrate that they comply, e.g. through the use of policies and privacy impact assessments, and through compliance with new data security requirements including:

  • additional obligations for contracts,
  • use of encryption,
  • backup and security testing.

Organizations with more than 250 employees must also appoint a data protection officer.

Data breaches must be reported to the supervisory authority within 72 hours of the company becoming aware of the breach. Potentially affected individuals also have to be notified.

The sanctions for breaching the General Data Protection Regulation are significant. Regulators can impose fines of up to 4% of total annual worldwide turnover or €20,000,000. This applies regardless of whether you are Google or a one-person consultancy; in both cases violating this law will hurt your business’s bottom line.

So don’t hesitate: prepare the implementation, build your policy, start with assessments and protect the personal data in your company.

References

[1] Bruce Schneier, “The Value of Privacy”, Schneier.com. Retrieved 2015-02-09.

[2] Bert-Jaap Koops, “The Trouble with European Data Protection Law”, Tilburg University (TILT), e.j.koops@uvt.nl.


How to create secure e-banking services in an agile world?

Trust

Banks gained the trust of their clients by delivering secure banking solutions. Client information and financial transactions are continuously protected against data leakage and cybercrime. But the IT world is changing.

Trends

IT departments have adopted ‘Agile’ ways of working. So-called ‘DevOps’ teams deploy changes to banking solutions continuously. On a daily or monthly basis, all kinds of new features and improvements are added to banking apps and e-banking solutions.

Why?

Because Agile is faster and less expensive. The focus is on new functionality, and the question “is the solution still secure?” comes later, and sometimes too late. Penetration tests show vulnerabilities which, because of a lack of budget and time, are not resolved before go-live. Risks are accepted based on good intentions, which are often not fulfilled due to the focus on new innovations.

How to solve?

As with functionality testing, security testing has to become part of the day-to-day work of a developer. Security officers have to provide security test tooling (SAST, DAST) so that developers can deliver secure apps based on defensive coding.

At the same time, the backlog should get sufficient attention from Agile risk managers. For each feature in the backlog, stakeholders should assess the risks of that feature. The secure DevOps teams should also create (evil) user stories and other controls. In this way the business can check concepts and identify risks in a timely way.

Instead of waiting for the results of the penetration test, it is continuous integration of risk management and security, from backlog to delivery, that will deliver ‘secure user stories’ and ‘secure apps’.
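One way to make the backlog-to-delivery gate concrete, as an added example that is not code from the original post: a small CI check that fails the build on high-severity SAST findings unless a backlog risk acceptance with an owner and an unexpired date covers them, so that a risk accepted “on good intentions” cannot silently outlive its sprint. The finding and acceptance formats are constructed for this example (hypothetical, not any real scanner’s output), and the non-zero-exit-fails-the-stage convention is assumed.

```python
# Added example, not code from the original post or from Cyber4ce: a CI gate
# that turns "security testing as part of daily work" into a build-breaking
# check. Finding and acceptance formats are constructed (hypothetical).
from datetime import date

# Constructed sample SAST findings, as a scanner might emit them per commit.
FINDINGS = [
    {"id": "SQLI-001", "severity": "high", "file": "accounts/transfer.py"},
    {"id": "XSS-007", "severity": "medium", "file": "web/templates.py"},
    {"id": "CRYPTO-003", "severity": "high", "file": "auth/tokens.py"},
]

# Constructed risk acceptances recorded on backlog items. Every acceptance
# carries an owner and an expiry, so "accepted for now" cannot quietly
# become "accepted forever" once the team moves on to new features.
ACCEPTED_RISKS = {
    "SQLI-001": {"owner": "product-owner", "expires": date(2016, 3, 31)},
    "CRYPTO-003": {"owner": "product-owner", "expires": date(2015, 11, 30)},
}

BLOCKING_SEVERITIES = {"high", "critical"}


def blocking_findings(findings, accepted, today):
    """Return IDs of findings that must fail the build: high/critical
    severity with no acceptance, or with an acceptance that has expired."""
    blocked = []
    for finding in findings:
        if finding["severity"] not in BLOCKING_SEVERITIES:
            continue
        acceptance = accepted.get(finding["id"])
        if acceptance is None or acceptance["expires"] < today:
            blocked.append(finding["id"])
    return blocked


def check_build(today_iso):
    """Run the gate for a given date (ISO string) against the sample data."""
    today = date.fromisoformat(today_iso)
    return blocking_findings(FINDINGS, ACCEPTED_RISKS, today)


if __name__ == "__main__":
    blocked = check_build("2015-12-03")
    for finding_id in blocked:
        print(f"BLOCK: {finding_id} has no valid risk acceptance")
    # A non-zero exit fails the pipeline stage, just like a failing unit test.
    raise SystemExit(1 if blocked else 0)
```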