Expanding Threat Landscape
Recent statistics from KnowBe4 say there are 13 attacks every second against critical infrastructure, a year-over-year increase of 30%. What we are seeing is a continued expansion in the number of transnational criminal and nation state actors and attacks, because too many governments are inviting that behavior by not effectively focusing on measures that counter the attackers themselves. On top of that, the digitalization happening across the sector means these cyber-attacks will be more effective against a broader spectrum of the maritime community. There are numerous reasons for those challenges, as outlined in the diagram below.
While some attacks are the same, or very similar, for maritime organizations around the world, other organizations are experiencing attacks that are quite different. The following are some examples:
• Vessels at sea were previously somewhat protected by their limited bandwidth, fragile satellite communication links, and similar constraints: attacks that depend on a stable, reasonably fast connection often failed simply because of the infrastructure in place. A side effect of improved underway communications and bandwidth at sea is that this incidental protection disappears, so these attacks will become more common and more successful.
• Some credential harvesting, ransomware, DDoS, and other campaigns seen across multiple organizations are run by a single threat actor. These broad campaigns are regularly observed and reported on, and they are sometimes common across critical infrastructure sectors because they are attacks of opportunity rather than targeted operations.
• Other attacks are targeted, carried out by specific criminal and nation state actors. The Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) has analyzed threat activity in which a nation state actor targeted the maritime industry in a way that was not being seen in any other critical infrastructure sector. There are also plenty of publicly reported cases of smugglers, traffickers, and espionage efforts targeting port communities and terminal operators as a means of supporting their objectives.
• More and more, attackers are leveraging ransomware- and malware-as-a-service, and those services continue to evolve and streamline their attack kits. They can also leverage large language models and AI tools to make attacks more credible and quicker to launch. Like any enterprise, these criminal operations improve their quality control over time. We are going to continue to see the growth of those attacks in the coming years.
Role of Industry to Protect Themselves
Maritime public and private sector organizations have limited resources and need to focus on the cyber risk management activities that improve resiliency. Where possible, they need to integrate more automation into their cyber defense efforts: there are simply too many attacks for teams to react to each one manually, and the security tools and services they have already invested in should be doing more of that work automatically. Along with limiting their attack surface to the extent possible, quickly identifying and responding to attacks is what makes the difference between a resilient supply chain and a major disruption to operations. To do that, organizations need to know which threats to focus their attention on.
This is where trusted, anonymized threat information shared across maritime stakeholders can provide near-real-time warning of attacks, and industry-led organizations like the MTS-ISAC exist to share that actionable, relevant and timely information. ISACs and similar non-governmental organizations share information far more quickly than government agencies and often support automated means of feeding that information directly into an organization's security devices and tools. This allows an organization to quickly defend against an attack seen by any member of its trusted community. If ports and others are not engaged with their peers to share in an anonymized fashion, they are left fighting the battle alone, within a silo. Collective defense is far more efficient and effective. From an operational perspective, organizations should want to know which threats are specifically targeting their industry community. Even where companies or ports compete with each other from a business perspective, supply chains are now so interdependent that a cyber disruption to one entity negatively impacts the whole system of systems. Cyber defense should not be an area of competition but of collaboration, and we see that collaboration within the MTS-ISAC community.
Role of Government in Security
In terms of the role of governments, industry does not need yet another PDF guide on how an organization should apply cyber security. There are more than enough frameworks, guidelines, and other best-practice resources available for teams to work from in figuring out their implementations. Worse still is when these documents and guidance are not aligned between government agencies. What we do need is for government agencies to fulfill one of their principal responsibilities to society: providing security to their citizens and businesses. Every government resource dedicated to creating yet another guidance document is one less that can be dedicated to countering the threat actors. Instead, governments are placing the pressure and onus on individual, local public and private sector essential service and critical infrastructure stakeholders. Ports, vessel operators, and others absolutely need to take reasonable measures to limit their attack surface and make sure their operations are resilient, but that should not be an astronomically greater challenge in the cyber realm than it is in the physical realm. For example, we do not ask ports to defend themselves against an attacking aircraft carrier, yet that is exactly the equivalent of what we ask of them in the cyber realm when we expect them to single-handedly defend against nationally resourced military and intelligence threat actors. This strategic approach is inconsistent and overly burdensome. Nation state and transnational criminal threat actors are a real concern, and it is unrealistic to believe the supply chain will not suffer disruptions if we continue with the current model. Countries need to counter and interdict nation state cyber actors rather than placing the burden on each individual critical infrastructure entity to defend itself against those threat actors.
We Need Concerted Efforts Across the Maritime Sector
On the industry side, executive teams need to accept that they currently have an outsized role to play in managing cyber risks to supply chains. Government efforts to counter threat actors are not going to change overnight, so for the foreseeable future the burden will remain on industry to keep things moving. It is therefore the organization's responsibility to understand its risk profile and ensure that risks are addressed as needed. This may even mean addressing risks that lie outside regulatory or compliance regimes ahead of regulatory requirements that may not actually address the risks posed by real attacks. This is usually not how efforts are prioritized, but defending against known attack patterns should be a top priority. Industry knows best how its operations work, and there needs to be trust on both sides in order to prioritize the resiliency of essential services. Organizations need to maintain situational awareness of the relevant threat landscape and focus limited resources on specific operational risks rather than trying to boil the ocean of every regulatory compliance regime being released.
Meanwhile, the public sector should step up its efforts to combat cyber threat activity. The challenges are real and complex, but we need agency leaders to actually be national and international leaders. This means acting for the greater good ahead of acting for specific agency or political interests. Asking and fighting for resources that will detract from the counter-cyber mission should not be the first priority. Until those functions are fully resourced and functioning effectively, agencies should acknowledge that other government programs may need to take a back seat. Instead of asking for more resources to fund lower-level priorities such as creating yet another guidance document, first align, harmonize, and effectively apply the existing resources. As one example, redundant reporting requirements, which in turn consume additional industry resources, could be eliminated and the remaining reporting requirements and regulations streamlined. Drawing resources away from actual risk management efforts to meet additional check-the-box requirements will decrease critical infrastructure resiliency, not improve it.
Risk management is a never-ending task. Collaboration, and a focus on bringing the supply chain risks that could cause disruptions to within acceptable limits, should be the priority. Perfection is sometimes the enemy of progress in this regard, so knowing when to say "that's good enough" and moving on to the next high-risk item is important. This will take everyone's efforts, but we really do need to rebalance and realign the priorities.