
Nippon Kaiji Kyokai (“ClassNK”) joined the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) as part of a growing list of maritime community partners. This is an innovative relationship between the two nonprofit organizations aimed at strengthening vessel and shoreside cyber risk management. The partnership provides ClassNK with actionable insights from community-sourced cyber threat intelligence to reinforce ClassNK’s Cyber Security Guidelines to help prevent cyber incidents from negatively impacting the safety and security of maritime operations. ClassNK is the first classification society and the first non-U.S. organization to formally join the MTS-ISAC, helping broaden the reach of the MTS-ISAC’s efforts to support the maritime community.

Both vessel and shoreside cybersecurity efforts will be under increasing scrutiny starting in 2021. The International Maritime Organization (IMO) has a deadline of January 1, 2021 for Maritime Cyber Risk Management to be addressed in Safety Management Systems. Meanwhile, the U.S. Coast Guard will be inspecting Maritime Transportation Security Act of 2002 regulated facilities for cyber risk management efforts for the first time starting with annual inspections occurring on or after October 1, 2021. Both of these organizational efforts have signaled to maritime stakeholders that cybersecurity is a priority that must be addressed to ensure safe and secure MTS operations.

Hirofumi Takano, Executive Vice President at ClassNK, explains, “We have been working with the International Association of Classification Societies (IACS), maritime stakeholders and cyber security professionals to understand and promote cybersecurity best practices across the maritime transportation system (MTS). By joining the MTS-ISAC, we will have increased visibility to current, real-world examples of cyber threats targeting MTS stakeholders. This provides us an opportunity to reinforce how, and periodically update, ClassNK’s Cyber Security standards to provide our stakeholders with the latest security recommendations to protect their assets from cyber threats. With IMO 2021 right around the corner, this relationship is perfectly timed to add increasing value to our stakeholders, and we are excited to be a part of the active and growing MTS-ISAC community. We hope ClassNK stakeholders will quickly understand the value of this partnership.”

“We are excited that ClassNK is bringing a proactive, classification society perspective into the MTS-ISAC community,” adds Scott Dickerson, the MTS-ISAC’s Executive Director. “The MTS community’s resiliency is improved when we can quickly address cyber risks with meaningful cybersecurity controls. ClassNK joining the MTS-ISAC is a perfect example of how community partnerships provide win-win situations while reinforcing to stakeholders how the implementation of guidelines and recommended security controls can reduce their exposure to risks the community is actively seeing. The MTS-ISAC’s Board of Directors understands the importance of cyber risk prevention efforts and are supportive of the inclusion of class societies into our information sharing ecosystem as a key component to building a stronger culture of community cybersecurity.”

The MTS-ISAC, which was formed in February of this year, has seen rapid adoption of its Cybersecurity Information Sharing Services and has produced a number of maritime cybersecurity advisories sourced from member-shared information. The MTS-ISAC strives to incorporate best practices into its intelligence products so that MTS critical infrastructure stakeholders can be better protected. While ClassNK is the ISAC’s first international member, it anticipates that additional international stakeholders will join the community.

Source: hellenicshippingnews.com


LONDON, July 15, 2020 /PRNewswire/ — Since rolling out in May 2018, there have been 340 GDPR fines issued by European data protection authorities. Every one of the 28 EU nations, plus the United Kingdom, has issued at least one GDPR fine.

The GDPR tracking dashboard from PrivacyAffairs displays official data from national data protection bodies to monitor the status of GDPR fines.

Whilst GDPR sets out the regulatory framework that all EU countries must follow, each member state legislates independently and is permitted to interpret the regulations differently and impose its own penalties on organisations that break the law.

Nations with the highest fines:

  • France: €51,100,000
  • Italy: €39,452,000
  • Germany: €26,492,925
  • Austria: €18,070,100
  • Sweden: €7,085,430
  • Spain: €3,306,771
  • Bulgaria: €3,238,850
  • Netherlands: €3,490,000
  • Poland: €1,162,648
  • Norway: €985,400

Nations with the most fines:

  • Spain: 99
  • Hungary: 32
  • Romania: 29
  • Germany: 28
  • Bulgaria: 21
  • Czech Republic: 13
  • Belgium: 12
  • Italy: 11
  • Norway: 9
  • Cyprus: 8

The second-highest number of fines comes from Hungary. The National Authority for Data Protection and Freedom of Information has issued 32 fines to date, the largest being €288,000, issued to an ISP for improper and non-secure storage of customers’ personal data.

UK organisations have been issued just seven fines, totalling over €640,000, by the Information Commissioner. The average penalty within the UK is €160,000. This does not include the potentially massive fines for Marriott International and British Airways that are still under review.

British Airways could face a fine of €204,600,000 for a data breach in 2019 that resulted in the loss of personal data of 500,000 customers.

Similarly, Marriott International suffered a breach that exposed 339 million people’s data. The hotel group faces a fine of €110,390,200.

The largest GDPR fine to date was issued by French authorities to Google in January 2019. The €50 million was issued on the basis of “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”

Highest fines issued to private individuals:

  • €20,000 issued to an individual in Spain for unlawful video surveillance of employees.
  • €11,000 issued to a soccer coach in Austria who was found to be secretly filming female players while they were taking showers.
  • €9,000 issued to another individual in Spain for unlawful video surveillance of employees.
  • €2,500 issued to a person in Germany who sent emails to several recipients, where each could see the other recipients’ email addresses. Over 130 email addresses were visible.
  • €2,200 issued to a person in Austria for having unlawfully filmed public areas using a private CCTV system. The system filmed parking lots, sidewalks, a garden area of a nearby property, and it also filmed the neighbours going in and out of their homes.

For questions regarding the research or more information about the team behind the report, contact Joe Robinson at joe@privacyaffairs.com or visit PrivacyAffairs.



Maritime cyber security experts Epsco Ra are proud to announce RaEDR (RA Endpoint Detection and Remediation), a comprehensive cybersecurity monitoring and defense solution.

Inspired by the necessity for remote working brought about by the COVID-19 pandemic and the resulting huge worldwide increase in cyber-attacks, Epsco Ra have developed a new next-generation solution in the form of a cloud-hosted application which functions as an agent on each computer in a network (or on a UTM when possible).

Epsco Ra’s solution is easily installed on any vessel or office network, without any requirement for hardware and with no disruption to existing network or system installations.

The agents provide in-depth visibility of the system’s security posture, offering security monitoring, intrusion & threat detection, file integrity monitoring, vulnerability assessment, and incident response.

The system includes compliance alignment, with controls that can be fully configured against governance frameworks including, but not limited to, NIST and GDPR.

This is all managed via an extensive user-customizable dashboard with reporting and alerting tools.

RaEDR gives our clients peace of mind in the knowledge that they have their own professional cybersecurity team without the cost of employing an in-house team.

Epsco Ra’s RaEDR service offers our clients 3rd party assurance from as little as US$25.00 per month per vessel.
Source: maritimecyprus



Shipmanager Anglo-Eastern has inked a Memorandum of Understanding with Naval Dome for the provision of cyber security research and consultancy services, aimed at ensuring the continued cyber resilience of its fleet of more than 650 vessels.

Naval Dome will carry out an evaluation of the company’s cyber position, perform penetration testing and make recommendations, where necessary, on how systems can be better protected.

“Cyber threats are amongst the most serious challenges the global shipping industry faces and we share Naval Dome’s view that the industry at large must do more to protect itself,” said Capt. Bjorn Hojgaard, CEO of Anglo-Eastern.

“The MoU we have signed aims not only to enhance the level of security across our fleet, but to also encourage system providers to retrofit systems installed aboard the global fleet with more advanced cyber protection.”

As part of the agreement, Anglo-Eastern will also engage Naval Dome to collaborate with equipment manufacturers and technology service providers and push them to incorporate more effective security systems into shipboard equipment.

“We are delighted to sign this cooperation agreement with Anglo-Eastern,” said Naval Dome CEO Itai Sela.

“All ships must operate with equipment capable of preventing the most sophisticated of attacks from penetrating critical systems. As such, we believe that all players – ship owners, ship managers, offshore operators, and OEMs – need to collaborate more on how best to cost-effectively eradicate the problem once and for all. We hope equipment suppliers will step up to the challenge.”



Maritime Cyber Security – Naval Dome CEO Itai Sela says that while it is true that the inadvertent downloading of a computer virus from the internet or a memory stick is a serious cyber security issue for shipping companies, the industry should be wary of attributing system breaches to human error.

While he agrees with comments made yesterday in Dubai during a Cyber Risk and Data Theft seminar that cyber security is still considered by shipping companies and terminal operators as an afterthought, Sela does not agree that better cyber awareness, crew training or the implementation of crew guidelines alone will have a lasting positive effect.

“When the cyber-criminal will always need the unwitting assistance of an unsuspecting crew member, technician or employee to activate or spread the virus, irrespective of the level of their cyber training or awareness, it is not enough to put it under the ‘human factor’ umbrella or apportion individual blame when a critical system has been breached.

“A cyber incident happens because systems are not protected, and hackers will continue to develop innovative ways and sophisticated solutions intended to take advantage of any weak spots in human nature. The implication, therefore, is that any cyber awareness training is a waste of time and money.”

The sophisticated methods hackers use are evident in the deployment of a new, previously unknown malware trojan called xHunt, which researchers at Palo Alto Networks’ Unit 42 say is being used to specifically target the shipping industry. It is alleged that xHunt and Hisoka – a backdoor used to facilitate trojan delivery – were successful in infiltrating the networks of two shipping companies operating out of Kuwait.

“The attackers have added some fun capabilities to Hisoka and its associated toolset. The attackers are aware of probable security measures in place at their targets and have attempted to develop ways to get in undetected,” Ryan Olson, Vice President of threat intelligence at Unit 42, told ZDNet.

Given that hackers will always find a way in, Sela believes attributing blame to individuals is pointless. It is also problematic because of the potential legal proceedings envisioned should a virus result in damage to the ship, its systems, personnel or the environment.


“It would be very easy to point the finger at an individual crew member, technician or employee for inadvertently spreading malware or other viruses, but this would not prevent further system breaches. What it will do is create unnecessary friction between employers and employees.”

He adds that limiting crew members’ access to the internet, social media or mobile phone charging facilities will also create problems.

“Prohibiting internet access is not the answer. This is now considered a basic human right and with many seafarers away from loved ones for months at a time, if they are unable to maintain regular contact with those at home, then not only could it adversely affect their well-being but deter others from a maritime career.”

Sela says the maritime sector – shipping companies and port operators – needs to adopt technical solutions to prevent system hacking, rather than simply implementing a culture change.

Recalling an incident in which a Mobile Offshore Drilling Unit lost control of its Dynamic Positioning system while drilling in the Gulf of Mexico, Sela says the investigation found that various crew members introduced malware when they plugged in their smartphones and other devices.

“Would this have been considered human error if the DP and associated OT systems were adequately protected and the hack thwarted? I doubt it. If cyber-crime continues to be designated a human factor event, then the industry does not fully grasp the cyber problem.”
Source: Naval Dome



Cyber security is on the boardroom agenda as organisations worldwide seek to improve their resilience against a backdrop of high-profile, and increasingly sophisticated cyber-attacks. The number of breaches is up an average 27.4% year on year and 86% of companies around the world reported experiencing at least one cyber incident in 2017.

Founded in 2003, Nettitude is an award-winning provider of cyber security, compliance, infrastructure and managed security services to organisations worldwide and employs 140 cyber security specialists globally.

The acquisition strengthens LR’s existing broad portfolio of cyber security services spanning certification, compliance, training, auditing and security consulting to now include penetration testing, information security consulting, managed security services and incident response. Together, Nettitude and LR now provide a complete suite of cyber security assurance services to help clients identify, protect, detect, respond and recover from cyber threats.


The need for cyber security solutions and growth in cyber security is driven by three broad areas:

  • Industry 4.0 [IR4]
    • As we move towards a more automated, integrated and interdependent, data driven economy, the risk of cyber-attack increases.
  • Cyber-attacks are non-discriminatory
    • Cyber-attacks are now targeting a broader spectrum of industries and companies – irrespective of their size and geographical location.
  • Regulatory
    • The regulatory focus on cyber security is increasing, with wide-ranging compliance requirements against standards, schemes and local legislation.

Alastair Marsh, Chief Executive Officer, Lloyd’s Register commented: “This is an important acquisition for Lloyd’s Register to enhance our capability in assuring the increasingly complex supply chains in which we operate. Information and operational technology security is a key concern for our clients across all sectors, as we see increasing dependencies on technology and challenges created by Industry 4.0.”

 

Source: Lloyd’s Register