In 2018, then-Chairman of the Joint Chiefs of Staff General Joseph F. Dunford described how the changing character of war and strategic landscape have “accelerated the speed and complexity of war” and contributed to a collapsed decision space. This is troubling for a navy in great power competition with potential adversaries who have increasingly capable long-range antiship missiles. This extended range and lethality, combined with the vulnerability of networks and ubiquitous use of communications, means naval forces are increasingly susceptible to adversary targeting. Distributed maritime operations (DMO) strive to counter this with distributed lethality, but the limiting factor is a commander’s decision cycle. Acknowledging the need for improved decision-making, then-Chief of Naval Operations Admiral John M. Richardson wrote that the competition had shifted “from information superiority to decision superiority.”1 Great power competition in the age of missiles and information abundance means the ability to translate information superiority into decision superiority will be the decisive factor.

This carries significant implications for naval intelligence and the Information Warfare (IW) Community and requires change at the operational level of war. While DMO aims to complicate adversary targeting and provide commanders with more reliable offensive capability, it also requires greater coordination across the fleet and exquisite intelligence at the fleet level. It also means naval strategist Wayne Hughes’ maxim to “attack effectively first,” traditionally viewed as a tactical principle, now applies to the operational level. In addition, former Pacific Fleet Commander Admiral Scott Swift believes the return of great power competition in the maritime domain means the “basic warfighting element” is now the fleet, and an independently operating carrier strike group no longer brings adequate combat power or can ensure its own security. Not only do operations demand greater shared understanding across the fleet, they must occur in a challenging and vulnerable communications environment. One answer, according to Admiral Swift, is to enable mission command “by providing precise and widely understandable commander’s guidance and intent before communications and networks are put at risk.” This intent must be built on a foundation of solid intelligence though. Naval intelligence must focus on the operational level of war to lead the IW community in enabling decision superiority.

To do this, naval intelligence must embrace integrating the IW community in all fleet maritime operations centers (MOCs) because of IW’s ubiquity in all aspects of the operating environment. Next, to address declining expertise and information overload, artificial intelligence (AI) and information design must be used to develop penetrating insight and improve decision-making. Finally, increasing red team capabilities will improve support to wargaming and reinforce effective learning behaviors that help the fleet outthink the adversary.

Fully Embrace IW Integration at the Fleet Level

Although “the effect of information warfare (IW)” is recognized as the “fastest-changing trend in naval tactics today,” further integration at the fleet level is required to fully realize its potential as a warfare discipline.2 The Navy has embraced integration at the CSG level but failed to successfully replicate this across the fleets. In fact, as Chief of Naval Operations Admiral M. Michael Gilday recognized, fleet MOCs must fully integrate IW capabilities to “master fleet-level warfare.” One of the primary applications of IW at the CSG level is electromagnetic maneuver warfare (EMW), using techniques such as emissions control carefully coordinated with maneuver to complicate adversary targeting efforts.3 Close coordination between IW disciplines is paramount to this process and intelligence is foundational. If the fleet is now truly the basic warfighting element, IW lessons from the CSG level must be understood and ingrained at the fleet MOCs. Traditionally responsible for creating shared understanding through battlespace awareness, naval intelligence is a natural discipline to lead the integration of IW.

The Need for Penetrating Insight

Developing penetrating insight is critical when intelligence officers are expected to think like the enemy, assessing adversaries from significantly different cultures, while avoiding the pitfalls of mirror-imaging.4 Recall the victory at the Battle of Midway in June 1942, made possible by the efforts of Lieutenant Commander Edwin Layton and Commander Joseph Rochefort. As Captain Bill Bray recognized in his Proceedings article, “Naval Intelligence: Build Regional Experts,” these two were valuable to Admiral Chester Nimitz not only because they knew intelligence and cryptology well, but because their expertise of the Imperial Japanese Navy and the Japanese culture meant their advice carried weight. Since the career path of naval intelligence officers is unlikely to change in the near term, time must be spent more efficiently to develop expertise.

One such opportunity is to decrease the level of effort devoted to developing a common operational picture (COP). The COP is fed largely by operational intelligence (OpIntel), which is the all-source intelligence process used at the tactical and operational levels to provide near-real-time locations and assessments of potential adversary activity. Operational intelligence and OpIntel are not synonymous and, all too often, OpIntel comes at a cost of conducting the true operational intelligence tasks required at the theater level. Admiral Swift recognized the resources of intelligence teams are largely devoted to development of the perfect COP, at an opportunity cost to conducting predictive analysis, and recommended a fleet commander’s window of focus should really be no fewer than 96 hours and perhaps as far as 90 days in the future. This means if naval intelligence is to influence fleet decision-making, it must stop focusing on the here and now and develop penetrating insight of the adversary.

Integrate Artificial Intelligence into the Process

Providing “quality over quantity” is a challenge when faced with an overabundance of information. A 2016 Intelligence and National Security article examining intelligence tasks of the future found the number of words an analyst must read per day was ten times greater than 20 years prior, which is more than would be possible in a day, assuming no other tasks were accomplished. This influx of data is staggering and the implications are troubling. While intelligence will always remain a very human-centered process, the relationship with information and technology must change.

By embracing the power of AI, naval intelligence can leverage technology to automate many of the processes associated with current intelligence, allowing more time to develop the penetrating insight required to enable decision superiority. AI will allow analysts “to move away from questions of ‘situational awareness’–the compilation, processing and repackaging of data,” such as COP development, and toward the development of anticipatory intelligence useful to a fleet commander. This has significant implications for OpIntel, where the central effort is to generate and test a hypothesis that results in an estimation many refer to as the “so what.” Although hypothesis generation is not yet algorithmic and therefore not possible with AI, hypothesis testing can be subjected to data and is thus algorithmic. Therefore, it is possible for an informed analyst to create a hypothesis, recognize which pertinent data to include, and use AI to run possibilities. As former Pacific Fleet director for intelligence Captain Dale Rielage asserted, the use of AI in OpIntel “is a great example of where human-machine teams could be a game changer.” Not only would this create more time to develop expertise, it would likely improve the accuracy of OpIntel assessments.

Mind the (Information) Gap

Significant effort also continues to be expended finding methods to communicate the right intelligence in the right medium to rapidly impart meaning to the commander, which requires an understanding of the customer and information design. Studies across the military and intelligence community found that “information needs to be designed” because as consumers become more “digital savvy,” their expectation for visualization increases. This should come as no surprise with the amount of thoughtfully designed information available at the fingertips of anyone operating a smart phone. The effective depiction of information reduces mental load and maximizes the potential for understanding, retention, and recall along with improving receptivity while decreasing the likelihood of “mind-set and information overload.” The cost of not designing information effectively can be tremendous.

The attacks on Pearl Harbor and the World Trade Center are poignant examples of how, despite the intelligence system arguably blinking red, policy makers who suffered from mirror imaging and lack of receptivity remained unconvinced by reports. Although these particular failures lacked a specific, tactical-level warning and clues may have been lost in background noise, a third explanation is possible.5 Decision-makers were not presented information in a manner that enabled an effective decision. This is referred to as information-gap theory, which describes the gap between what someone knows and what someone needs to know to make good decisions. Naval intelligence must design intelligence effectively to communicate what the commander needs to know for decision superiority.

Investing in a Red Team is a Win-Win

Robert Rubel recalled the phrase, “the medium is the message,” to emphasize the meaningful influence of wargaming and how it nurtured critical thinking in participants. While official wargames are often thought of occurring at the high-operational and strategic levels, they can occur in many fashions, such as exercises or during staff discussions, and help to create the shared understanding across a staff necessary to achieve decision advantage. Some of the broad objectives of wargaming are to test concepts and plans, experience the consequences of decisions and to analyze the decision behavior of leaders, but it also tests the signals that are produced by actions and how inputs, such as information, impact decisions. Greater participation in wargaming will allow naval intelligence officers to refine assessments of adversary reactions, potentially augmented with AI, and experiment with alternative forms of information “designed” for decision-makers.

While the utility of wargaming is proven, its effectiveness is limited by the accuracy of the adversary portrayed, typically referred to as red, and although naval intelligence is integral to the wargaming effort, it does not have a sufficient capability writ large. Several Proceedings articles have sounded the alarm, and Rielage has urged, “to fully exploit the value that war gaming can bring to the Navy, a deliberate effort to build our red is required.”

The critical issue is making this a deliberate and formal function at the operational level of war. Pacific Fleet was successful in this endeavor and established a red team in 2014, referred to as the Pacific Naval Aggressor Team, which assumes the role of adversary decision-makers in wargames and, as Admiral Swift found, not only does this improve wargaming and exercise efforts, it ultimately improves the quality of intelligence analysis. Wargaming benefits intelligence personnel in helping them gain a greater understanding of the adversary, while also gaining a greater understanding of the decision-makers they support.

Naval intelligence must focus on initiatives at the operational level of war to achieve the decision superiority necessary to enable the fleet to “attack effectively first.” The full integration of IW at the fleet MOCs; focusing on the decision timeframe relevant to a fleet commander, along with leveraging the power of AI; and institutionalizing red team support to wargaming will allow fleet intelligence to enable decision superiority and win the future fight.

Lieutenant Commander Hoadley is a naval intelligence officer and member of the Information Warfare Community. He is a 2007 graduate of the U.S. Naval Academy and a 2020 graduate of the U.S. Naval War College. His career has included tours at SEAL Team Two, Naval Mine and Anti-Submarine Warfare Command (NMAWC), Sixth Fleet (CTF-69), and on board the USS Ronald Reagan (CVN-76). He is currently the OIC of Joint Reserve Intelligence Center (JRIC) Denver.

 


 

Source: usni

 


Last year, we were faced with one of the biggest threats to our homeland: the COVID-19 pandemic. And there is the potential for even bigger crises than this. While some may consider this disease to have changed the threat landscape, we would argue that in fact this threat has existed all along – for any point on the spectrum from governments, to businesses, to individuals. Public health is now, and has always been, an underlying and vital component of any crisis, big or small. If we are to find any positive aspects of COVID-19, it is that it has shed new light on the importance of public health – public health has finally entered the much-needed spotlight.

The current state of the world – with climate change, social injustice, widespread mistrust, and reliance on social media rather than experts – means that crises will be exacerbated, and so too will the public health impact of these crises. Leaders now must immediately incorporate public health thinking into all of their activities. COVID-19 has touched every aspect of life – and this is how deep public health thinking must go. In 2020 we experienced firsthand the importance of a healthy workforce, of personal health, of solid health policy, of consistent health messaging. Accomplishing these goals requires intentional thought and work toward public health.

With that in mind, for leaders both in government and business to incorporate public health measures into their future planning and operations, public health experts must be consulted. The idea of a Public Health Officer or advisor is a new and exciting way to realize these ambitions. Public health experts, with experience and knowledge in areas such as infection control, social determinants of health, health initiatives, and policy, are primed for these positions. A Public Health Officer would require a voice at the highest management levels to provide insight and guidance for how to ensure a healthy workforce and population. They can step into many different industries and scenarios and provide the much-needed expertise to help people regain control of their health.

Economic hardships will admittedly present a challenge in the hiring of a new executive. But think about what might happen if you don’t. Ongoing COVID-19 could leave your workforce susceptible to extended time out of work. Without advisors on health and safety measures, returning to in-person work could be drawn out and expensive. Uncoordinated vaccine administration could leave part of the workforce still vulnerable to communicable diseases. Wary individuals could stop frequenting your business if they perceive inadequate health measures. Sedentary lifestyles could leave your company paying for more chronic illnesses through employer-sponsored insurance. These pressing problems, and many more, could be easily managed through Public Health Officers or advisors. They will ensure that your organization, and the people you care about, are prepared for any unexpected event and can remain healthy for whatever may be on the horizon.


Source: hstoday


In recent years, cruise liners and their associated infrastructure rely more heavily on the interconnectivity of IT systems and operational technology (OT) systems, creating a robust digital environment to successfully execute their missions.

However, as ships become “smarter” and more interconnected, the risks of cyber attacks increase, which can negatively impact the business. The U.K. Government’s Transportation Department recently issued a warning in the “Cyber Security for Ships” code of practice in 2017 regarding the growing vulnerabilities in the maritime industry. It stated that computer system hacks could, at worst, endanger human life. If the hack had a terrorist motive, this could certainly threaten lives.

In addition to dangers posed by terrorists, the cruise line’s customer data could be stolen and misused. For example, if passengers’ data, such as a bank card or other personal information, has been uploaded to an online system – perhaps for the purpose of making their stay more personalized and automated – then a data breach of this system could enable criminals to commit identity fraud upon the victims, also causing legal liabilities and reputational risks to the cruise line.

While cruise liners have a proven ability to successfully compete with other holiday destinations, this advantage will quickly diminish if passengers feel unsafe. Clearly, to maintain customer confidence in the cruise lines, it is paramount for maritime enterprises to define a clear and secure strategy relating to IT/OT convergent cyber security.

The maritime industry has previously failed to recognize the risks of cyber attacks. However, as cruise ships become floating digital worlds of their own, it is crucial that cruise lines recognize and address the emerging threats and risk outcomes, for the sake of passenger safety and overall industry integrity.

BUSINESS IMPACT / REPORT FOCUS

This Maritime Cyber Threat Intelligence report focuses on the convergence of IT and Operational Technology (OT), and other risks associated with CLIENT, its subsidiaries and its industry competitors. Based on open source intelligence sources and ship visits, CLIENT extensively uses OT systems that are critical to daily operations. In recent times, the vectors of attack relative to the cruise line industry have expanded from traditional IT systems to the OT attack surface. This trend has materialized because, traditionally, OT devices were (and still are) built with simplicity and functionality in mind, not security. However, due to their criticality for operations, indicators of compromise (IoC) and identified vulnerabilities in OT systems should drive immediate analysis and serious remediation efforts.

Our Fortress IntelX Security Operations Team can confirm, via non-intrusive tests conducted in recent weeks, that possible attacks on OT network targets can be executed upon the CLIENT infrastructure from third-party network connections. This scenario highlights the need for vigilance in the organization’s “Third-Party Risk Management” efforts (i.e. policies and procedures). CLIENT, its subsidiaries and operating companies, span the globe; therefore, the overall IT/OT technical footprint is extremely large and complex, requiring systems to monitor and manage both Third-Party Risk and associated vulnerabilities in the shipboard and shoreside OT environment.

The tangible effects of a cyber attack or a breach of the OT networks (e.g., system stoppage) could cripple vessels and reduce the company’s profit by millions of dollars per day. Considering multiple subsidiaries and facilities owned by CLIENT, large-scale attacks could cause significant financial and reputational damage to the brand. Also, OT incidents could have a downstream effect in supply chain and distribution networks, further heightening the damage to the company.

THREAT INTELLIGENCE NOTABLE FINDINGS

Utilizing our cyber threat intelligence tools and processes, our expert analysts monitored and ranked competitors and brands. See Appendix B for details. Highlights of this analysis include the following:

  • Breaches occur more frequently within the leisure industry, as indicated by news reports from industry sources. All cruise ships have installed multiple point-of-sale (POS) terminals. If left unsecured (e.g., with no antivirus), accessible to the internet and on a primary infrastructure network, this condition enables a popular attack vector via WiFi hacking or a phishing campaign.
  • Maritime OT systems often lack any built-in encryption or authentication codes, which allows attackers to assess cruise ships as a “soft option” for attack, be it for state-sponsored motivations, ransom or just criminal mischief.
  • A major misconception with cybersecurity is thinking that proactive security measures are too complicated and expensive; however, this belief shows little understanding of the return on security investment. Also, many people misjudge whether there are adequate safeguards already in place. This misjudgment is fed by a general perception that being the target of a cyber attack is very unlikely – hence they tend to de-prioritize necessary expenditures to apply safeguards. Yet the reality is eye-opening: the exploitation of technology for nefarious means will always take place in some form, be it at sea or onshore.

 


 

Source: fortressinfosec


In many ways the global marketplace has once again become akin to the Wild West. And the bad guys seem to have the advantage.

 

Manufacturing is under attack. Health providers are under attack. Now, global supply chains are under attack. Specifically, the French maritime transport and logistics giant CMA CGM recently disclosed a malware attack affecting servers on the edge of its network. The attack forced CMA CGM’s IT teams to cut Internet access to some applications to block the malware from spreading to other network devices.

According to Andrea Carcano, co-founder of IT/OT security provider Nozomi Networks, transportation organizations are rapidly evolving to improve their service levels and efficiency. At the same time, safety has never been more important, as risks from cyber threats increase. “Indeed, the World Economic Forum cites cyberattacks on critical infrastructure, including transportation, as the world’s fifth highest risk in 2020. The maritime industry in particular transports 90% of the world’s trade, and like other industries, is becoming increasingly connected, automated and remotely monitored,” says Carcano. “The level of system visibility and cybersecurity maturity in this sector is relatively low. Many ships contain devices and systems that their operators aren’t even aware of. Crews are not typically trained to identify phishing emails or manage network access control. While dramatic situations like a vessel being capsized via hacking are not out of the realm of possibility, they are still unlikely. Crew constantly observe ship behavior and have the ability to employ manual or safety systems to correct performance that is out of normal range. Driven by the needs to reduce risk, comply with international shipping standards, and meet insurer requirements, shipping companies are investing in cyber resiliency.”

An important capability lies in identifying maritime assets and their communications, explains Carcano. “Networks should be monitored for vulnerabilities, threats, and unusual behavior that could indicate a cyberattack. Just as water always flows downhill, cybercriminals will always attack at the weakest part of a system,” he says. “The best defense has multiple reinforcing layers. The people using the system are oftentimes the weakest element, opting to click a link in an email that says URGENT or voluntarily giving up their credentials when somebody named IT Support asks nicely. Make people aware of the threat of phishing attacks by training them to recognize suspicious messages. Implement two-factor authentication whenever possible to minimize the risk of stolen credentials. Finally, be sure to have a robust response plan in place to contain and sanitize incidents as soon as possible should they happen.”

Armis CISO Curtis Simpson tells IndustryWeek, “What makes Ragnar Locker ransomware stand out is that it is purpose built to first find and exfiltrate data accessible by the attackers, followed by encrypting and demanding a ransom for the stolen and encrypted data.

“Victims are notified that failure to pay ransoms will result in data being leaked online and to show that the threat is real, a subset of stolen information is typically posted online as proof. A recent example of such an attack is the CWT ransomware event from earlier this year, which also involved the Ragnar Locker ransomware. Due to the widespread impact and potential for stolen information being leaked if ransoms were not paid, CWT paid $4.5 million in ransom to recover their data and prevent the leak,” says Simpson. “Exfiltrating data and/or compromising devices such as those in our OT/ICS networks as part of a ransomware attack are modern techniques used by attacks to increase the likelihood of their ransom being paid, at least in part.”

Simpson provided the following advice in preventing ransomware attacks that exploit Windows-based devices: “As I consider the worst case scenario based on the specifics of this situation, the following comes to mind: a PC is compromised by a bad actor through a phishing attack. By exploiting the recently disclosed Zerologon vulnerability, the bad actor compromises an enterprise’s entire Windows domain. Once the domain is owned by the bad actor, the pervasive access is used to distribute the Ragnar Locker ransomware to every system on the domain,” he says.

 

Simpson further recommends the following best practices:

 

  • Deploy a modern cybersecurity asset management solution to ensure that you have true visibility into your Windows ecosystem and the state of protection measures
  • Protect Windows laptops and PCs using a leading next-gen AV capability that can detect and prevent attacks in real-time
  • Develop the capability to rapidly test and deploy security patches to user PCs (days vs. weeks).
  • Similarly, processes and technical capabilities should be established and/or tested to ensure that high risk Windows infrastructure can be safely tested and updated shortly after critical Windows server patches are released.
  • Monitor critical assets and their connected devices and systems for anomalous or malicious activity. This includes IoT, being that many such devices can run on older versions of Windows and are just as susceptible to ransomware attacks but cannot be protected with endpoint management or receive security patches. The goal is to alert on early indicators of a potential attack, regardless of the types of devices already being targeted or affected.
  • Establish and test your cross-team technical and procedural ability to contain and respond to an attack.

 


 

Source: industryweek


The present competition for coastal and maritime space triggered by human activities, as well as climate change effects and both natural and manmade hazards, impact coastal and marine environment, resources and ecosystems. The physical characteristics, especially the shallowness and its semi-enclosed nature, make the Adriatic and Ionian Sea even more vulnerable to these threats. This situation points out the compelling need in the Adriatic-Ionian Region for a transnational integrated and efficient planning and management of coastal and marine spaces and uses at macroregional level, able to avoid potential conflicts, create synergies and to secure a sustainable growth whilst allowing the preservation of coastal and marine ecosystems for future generations. Such effort requires fit for purpose knowledge and tools. In full compliance with the Integrated Coastal Zone Management (ICZM) and Maritime Spatial Planning (MSP) principles and policies and supporting concretely the implementation of the EUSAIR Action Plan, PORTODIMARE project aims at creating a common platform (Geoportal) for data, information and decision support tools focused on coastal and marine areas of the Adriatic-Ionian Region. The Geoportal integrates and further develops existing databases, portals and tools developed within previous EU projects by local and national administrations and by other initiatives. Through this approach, most of the available knowledge and resources will be efficiently organized and made accessible through a single virtual space, thus supporting coordinated, regionally / transnationally coherent and transparent decision-making processes, with the perspective of remaining operative and being expanded well beyond the project conclusion. 
The Geoportal will use, feed and support transnational cooperation networks in all the phases of its creation, from the design, to the development, to its testing phase, enabling public authorities and stakeholders to apply a coordinated, integrated and trans-boundary approach. In this view, PORTODIMARE project will test the use of the Geoportal as a concrete support for the development, in four demonstration areas, of strategies and action plans that couple environmental protection and sustainable development of sea/coast uses, within the regional and transnational framework established by Directive 2014/89/EU and EUSAIR Action Plan. More concretely, the PORTODIMARE Geoportal aims at becoming a daily working tool for decision-makers, public and private managers, practitioners, marine scientists and stakeholders in general, thus promoting and boosting sustainable blue growth in the Adriatic and Ionian Region.

 


 

Source: portodimare


Pen Test Partners were able to penetrate leading ECDIS models swiftly and easily, simulating what real hackers could achieve.

In June, Pen Test Partners were tasked with penetrating multiple makes and models of ECDIS and the results in their own words were shocking. The ethical hackers found high level issues in most ECDIS tested.

Pen Test Partners senior partner and ethical hacker Ken Munro said the most significant issue was that most ECDIS ran on very old Microsoft operating systems, including Windows XP, 7 and Windows NT. This means the majority of ECDIS are not supported by Microsoft and thus, do not have regularly updated security.

“It was therefore trivially easy to completely compromise every ECDIS,” said Mr Munro. “Complete control could be gained over the network interfaces and USB,” he told Marine Electronics & Communications.

Even if the host operating system was up-to-date and secure, most ECDIS offered network services that were vulnerable. These were usually present to allow communication with other operational technology on a ship’s bridge.

Pen Test Partners found exposed configuration interfaces over these networks. “We could boot up the ECDIS from a USB key, locate the encrypted passwords for these services, crack them and then reconfigure the ECDIS,” said Mr Munro.

In addition, the penetrators discovered that these passwords were rarely changed and in many cases, the vendors’ documentation made no mention of changing network service passwords, just the host operating system passwords.

They were also able to cause issues with ECDIS models by sending unexpected network traffic. “In some cases, this led to remote-code execution, whereby we could compromise the ECDIS even if the software was up-to-date,” said Mr Munro.

Some ECDIS models had integrated security software, such as antivirus and firewalls. These were effective for what Mr Munro called “low-grade attacks” but made little difference to higher skill attackers. “We found significant security flaws in the ECDIS software itself, which allowed us to bypass the security software,” he explained.

GPS spoofing

Cyber attacks on ECDIS may not be a direct penetration. Mr Munro’s team were also able to reconfigure ECDIS to believe its GPS receiver was at the other end of the vessel, therefore introducing a 300 m offset.

“Then, through further reconfiguration, we changed the profile of the vessel to be 1 km² square, for an offset of 1,000 m,” he said. Even further offsets could be introduced by tampering with the US National Marine Electronics Association 0183 (NMEA 0183) serial data being sent to the ECDIS from the GPS receiver.

“Having compromised the ECDIS, we had control over the serial COM ports through which the GPS communicated its position and could tamper with that position data also,” said Mr Munro. Identical offsets could be introduced to radar, meaning a watch officer could not use that method to check for position discrepancies.
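A monitoring check for the NMEA 0183 tampering described above, as an added example that is not from the article or from Pen Test Partners: the sentence checksum is a plain XOR that anyone rewriting the serial data can recompute, so the check also tests each GGA fix for a step that implies an impossible speed. The function names, the 30-knot ceiling and the sample sentences are assumptions constructed for illustration.

```python
import math
from functools import reduce

def xor_checksum(body):  # NMEA 0183: XOR of every character between '$' and '*'
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def nmea_checksum_ok(sentence):
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence[1:].strip().partition("*")
    return given[:2].upper() == f"{xor_checksum(body):02X}"

def _degrees(value, hemi, deg_digits):  # ddmm.mmmm / dddmm.mmmm -> signed degrees
    deg = int(value[:deg_digits]) + float(value[deg_digits:]) / 60.0
    return -deg if hemi in ("S", "W") else deg

def parse_gga(sentence):  # (seconds_of_day, lat, lon), or None when there is no fix
    f = sentence[1:].split("*")[0].split(",")
    if len(f) < 7 or not (f[1] and f[2] and f[4]) or f[6] == "0":
        return None
    t = int(f[1][:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
    return t, _degrees(f[2], f[3], 2), _degrees(f[4], f[5], 3)

def haversine_m(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def check_stream(sentences, max_speed_kn=30.0):  # assumed ceiling for the vessel
    alerts, prev = [], None
    for i, s in enumerate(sentences):
        if not nmea_checksum_ok(s):
            alerts.append((i, "bad checksum"))  # edited in transit, or line noise
            continue
        fix = parse_gga(s) if s[3:6] == "GGA" else None
        if fix and prev and fix[0] > prev[0]:
            metres = haversine_m(prev[1], prev[2], fix[1], fix[2])
            if metres / (fix[0] - prev[0]) / 0.514444 > max_speed_kn:  # m/s -> knots
                alerts.append((i, "position jump"))
        prev = fix or prev
    return alerts

def _gga(hhmmss, lat, lon):  # builds constructed sample sentences, not a capture
    body = f"GPGGA,{hhmmss},{lat},N,{lon},E,1,08,0.9,10.0,M,40.0,M,,"
    return f"${body}*{xor_checksum(body):02X}"

SAMPLE = [  # constructed: about 12 knots northbound, one fix per second
    _gga("120000.00", "4530.0000", "01300.0000"),
    _gga("120001.00", "4530.0033", "01300.0000"),
    _gga("120002.00", "4530.1653", "01300.0000"),  # ~300 m step, checksum valid
    _gga("120003.00", "4530.1686", "01300.0000"),  # offset persists, looks normal
    _gga("120004.00", "4530.1719", "01300.0000").replace("1719", "9719"),  # stale checksum
]
```

A constant offset shows up only at its onset (index 2 in the sample; index 3 looks normal again), so the alert has to be raised on the step itself. Because the article describes the ECDIS host as compromised, a check like this belongs on a separate listener on the serial feed.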

Pen Test Partners also demonstrated that automatic identification system (AIS) information could be tampered with. For example, a hacker could create a 1 km² floating island in a shipping lane. “Every ship ECDIS would be alerted to the phantom blockage and collision potential,” Mr Munro said.

This could cause confusion on ship bridges and potential course alterations that in congested waters could lead to collisions. Hackers could use these techniques to steal money, manipulate ship movements for financial gain or cause vessel groundings or collisions, said Mr Munro.

ECDIS security issues

  • Out-of-date software.
  • Insecure configuration interfaces.
  • Unstable network stacks.
  • Vulnerabilities in software.
  • GPS spoofing and jamming.
  • ENC denial.
  • False AIS.

 


 

Source: rivieramm


Executives and staff at the agency responsible for protecting the health of the U.S. domestic maritime industry are vulnerable to cyber hacking that could cause the agency “serious public embarrassment,” a government watchdog has found.

A report made public today (July 26) by the U.S. Department of Transportation Inspector General (DOT OIG) revealed that “malicious attackers” could have obtained records and stolen the identities from 13 executives and staff who recently joined the U.S. Maritime Administration (MarAd), potentially costing the agency $103 million in credit monitoring fees.

The report outlines how OIG auditors were able to gain unauthorized access to MarAd’s network, in part because the agency did not have a government-recommended alert system able to detect intruders. “We also gained access to records containing PII [personally identifiable information],” the report states. “While DOT policy requires the use of encryption to protect sensitive data, these records and other data we obtained were not encrypted.”

The OIG report notes that a DOT official could not explain why employees did not encrypt sensitive information given that the information security awareness training they received included a section on the protection of sensitive information. “This official also could not explain why administrators had not applied least privilege controls to the MarAd service account we accessed,” according to the report.

“The same official acknowledged that users were not following DOT policy and security awareness training to adequately protect passwords. The official informed us that [DOT’s Office of the Secretary] is transitioning to the use of personal identification verification cards for network and facility access. MarAd’s lack of adherence to DOT policy on encryption, use of least privilege, protection of PII, and password storage creates a risk for unauthorized access to MarAd” and other information, the report affirmed.

 


 

Source: freightwaves


Maritime transport is a vital backbone of today’s global and complex supply chains. Unfortunately, the specific vulnerability of maritime supply chains has not been widely researched. This paper by Øyvind Berle, Bjørn Egil Asbjørnslett and James B Rice puts it right and presents a Formal Vulnerability Assessment of a maritime transportation system. This is not the first maritime paper that Asbjørnslett has contributed to on this blog, and he keeps up the good work he started in 2007, when he presented Coping with risk in maritime logistics at ESREL 2007.

Maritime transport – a forgotten part of supply chains?

I guess it is true that maritime transport or sea transport is an overlooked part of supply chains, even on this blog. In my more than 500 posts the word “maritime” only occurs in 20 of them. Well, perhaps not so forgotten, but maybe such an obvious part of today’s supply chains that it is not looked at specifically, and just assumed to be part of the wider picture. Considering Norway’s maritime and seafaring tradition, it is not surprising to see Norwegian researchers taking up this particular question. One of the authors, Asbjørnslett, is part of the Marine System Design research group at the Department of Marine Technology at NTNU in Trondheim, Norway, where he among other topics is involved in research related to risk taxonomies in maritime transport systems, risk assessment in fleet scheduling, and studies of vessel accident data for improved maritime risk assessment.

The invisible risk?

It is interesting to see what starting point the authors use in their introduction, namely the 2008 Global Risk Report by the World Economic Forum. In my post on Supply Chain Vulnerability – the invisible global risk I highlighted that report, which listed the hyper-optimization of supply chains as one of four emerging threats at that time, and as the authors put it:

[…] risks in long and complex supply chains are obscured by the sheer degree of coupling and interaction between sources, stakeholders and processes within and outside of the system; disruptions are inevitable, management and preparation are therefore difficult […]

Akin to the infamous “Butterfly effect”, even a minor local disruption in my supply chain could have major and global implications not just on the company directly linked to the supply chain, i.e. me, but also on other businesses. Or conversely, some other company’s disruption may affect me severely, even though I in no (business) way am connected to said company.

Issues and questions

With that in mind the authors set out to address these particular issues they found in their preliminary observations:

I1—respondents have an operational focus; in this, they spend their efforts on frequent minor disruptions rather than the larger accidental events.

I2—stakeholders do know that larger events do happen, and they know that these are very costly, yet they do not prepare systematically to restore the system.

I3—maritime transportation stakeholders find their systems unique. As a consequence, they consider that little may be learnt from benchmarking other maritime transportation system’s efforts in improving vulnerability reduction efforts.

I4—there seems to be little visibility throughout the maritime transportation system.

which led them to propose these research questions:

RQ1—what would be a suitable framework for addressing maritime transportation system vulnerability to disruption risks?

RQ2—which tools and methods are needed for increasing the ability of operators and dependents of maritime transportation to understand disruption risks, to withstand such risk, and to prepare to restore the functionality of the transportation system after a disruption has occurred?

I like this introduction, clearly identifying a direction and purpose of the paper.

 


 

Source: husdal


UPDATED ClassNK, the ship classification organization, has revised its guidelines for bolstering oceangoing vessels’ cybersecurity during their design and construction.

The Tokyo-based non-profit has updated the framework for evaluating and mitigating cyber risks in line with the ISA/IEC 62443 industrial control systems standard and the latest recommendation on cyber resilience for new ships from the International Association of Classification Societies (IACS).

The second edition of the ‘Guidelines for Designing Cyber Security Onboard Ships’, which supersedes the first version published in March 2019, also introduces a ‘CybR-G’ certification and associated audit requirements, according to a press release issued earlier this month.

The guidelines are aimed at anyone responsible for implementing security controls for network-connected, on-board systems.

The recommendations reflect growing concern within the maritime industry that the increasing connectivity of seafaring systems, combined with aging, unmanaged networks, is fuelling a rise in disruptive cyber-attacks against the sector.

Cyber-attacks against the industry’s operational technology (OT) systems have soared by 900% over the last three years, with 2020 set to be another record-breaking year, according to research from Israeli security firm Naval Dome.

Security breaches have crippled operations at a US maritime facility, shipping company MSC, and Iran’s Shahid Rajee port this year.

Control measures framework

The new guidelines state that system integrators must perform a risk assessment on a ship’s on-board systems and propose and implement security controls to remediate risks.

These control measures can include fixing security vulnerabilities, network segmentation, and isolating critical systems in “essential network security zones” that block “unwanted communications”.

The observations of one leading shipping security expert suggest that initiatives to make ships secure by design are long overdue.

“Ships are highly complex OT and IT environments featuring technology from suppliers with a highly varied approach to security,” Ken Munro, founder and partner at UK security outfit Pen Test Partners, told The Daily Swig.

“Integrated bridge systems with unchangeable, simple passwords on network services are not uncommon. Unmanaged remote access by engine and other tech providers is also not uncommon.”

 


 

Integrators are also instructed to diagrammatically map all network connections and evaluate the criticality of all on-board hardware and software.

The CybR-G notation is subject to passing an initial audit, annual audits thereafter, and additional audits when a system is damaged or modified.

First covered by The Daily Swig in 2018, the guidelines and certification scheme, along with separate advice focused on software and cybersecurity management, have emerged from ClassNK’s Cyber Security Approach (PDF), which prescribes a layered approach to cybersecurity.

The most important changes to the guidelines in terms of improving the cybersecurity posture of seafaring vessels are the cybersecurity notation, which was introduced in response to demand from shipowners, and the incorporation of IEC62443 requirements, a spokesperson for ClassNK told The Daily Swig.

“ClassNK envisages ships’ cybersecurity, at the application of information technology utilizing cyberspace on operation technology of ships, as ensuring [that] navigational safety is not hindered by [a lack of] cyber resilience of [the] onboard equipment, onboard network, and cybersecurity management system,” they added.

Skills gap

But Munro, who has previously demonstrated the pitfalls of out-of-band management in the maritime sector and how to take control of a ship’s satellite communications system, feels the guidelines will be undermined by a dearth of maritime-specific cyber skills.

“It’s great to see standards emerging around vessel cybersecurity,” he said. “However, there’s a significant lack of skills in this space, so any assessment is likely to be checklist-based.

 


 

“We’ve tested vessels fresh out of the yard and found their security to be much better than those in service for a few years, but still not secure enough that we couldn’t compromise them. Checklists won’t find the variety of issues we keep finding – they might resolve casual attacks, but more targeted attackers are likely to succeed.”

He also thinks a checklist-based approach is too simplistic.

“Typically, a ship either meets class society rules or it doesn’t – either ‘in’ or ‘out’ of class,” he explains. “Cyber is more about shades of grey.

“This also presents issues for maritime insurance,” he adds, because “cyber security isn’t binary – a ship is never ‘secure’, so how should the underwriter assess risk meaningfully?

“I don’t think it will be long before we see a ‘cyber’ certified vessel being compromised.”

 


 

Source: portswigger

 

 


Rapid developments in technology have brought on benefits to many industries, including the shipping industry.

With these improvements come increased usage of cyber technologies that are critical and essential to the management and operations of many systems and processes onboard. Not to mention, cyber technologies also keep the crew, cargo and the ship itself safe and secure.

Thanks to the onboard integration of IT (information technology) and OT (operational technology), ships are now connected to the Internet. While these technologies and systems provide efficiency gains for the maritime industry, they also present various risks to the critical processes and systems on which shipping operations depend.

 


 

Source: adv-polymer


Company DETAILS

SHIP IP LTD
VAT:BG 202572176
Rakovski STR.145
Sofia,
Bulgaria
Phone ( +359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED