There is a common misconception that cybersecurity is fundamentally about implementing and managing technical and non-technical controls: installing firewalls, doing pen tests and running security awareness programmes. All of these are valid activities, but, like any other business activity, cybersecurity is really about understanding the risks your business faces and putting mitigations in place to reduce them to an acceptable level.
Within the cybersecurity industry, assessing risk is (hopefully!) the natural first step that drives every other activity. In practice it does not come naturally to everyone, and it is something that needs continual promotion across the wider industry.
The first step is to be able to define what risk is. In general terms, risk is “the effect of uncertainty on objectives” (ISO 31000) - i.e. you have something you are trying to achieve, like building a bridge, but despite all the surveys you cannot be certain you will not hit unfavourable soil conditions when you start digging. The effect of uncertainty can be positive too: you may complete the project under time or budget. Within cybersecurity we narrow the definition slightly, so risk becomes “a measure of the extent to which an entity is threatened by a potential circumstance or event” (NIST SP 800-30), but we can think of it in the same way. We have a business objective to achieve, such as transferring data to a third party, and we want to make sure that any “uncertainty” - things outside our control, such as someone trying to read the data as it flows on the wire - is mitigated to an appropriate extent.
One of the things dealing with COVID-19 over the last eighteen months has shown is that people’s reaction to risk varies widely. Given the same data, recommendations and guidelines, some people adopt a very risk-averse posture, whereas others prioritise continuing their normal activities. Much like cybersecurity, it can be difficult to judge the right path when faced with mixed messages, marketing and peer pressure! Humans are not great at judging risk: we are unconsciously biased in many ways, and this is rooted in our psychology. For example, if you are doing something voluntarily - like playing sport - you will accept a much higher level of risk than when exposed to something you cannot control, like the air quality around you.
Reactions to risk in business tend towards one of two extremes: either becoming ossified and unable to evolve, or becoming incredibly lax in the face of ever-increasing complexity. We all know of, or have heard of, large organisations where getting anything done is a huge challenge, with staff working around processes and procedures to complete their work - introducing risk in the process. Likewise, as complexity grows, the organisation and its technology become incomprehensible, again with associated risk.
In our experience, identifying and mitigating risk is something that all organisations have had to grapple with, but it is never easy. Here are some observations based on our experiences helping companies in the maritime space, for whom much of this is relatively new as far as it's applied to cybersecurity:
1. All companies are technology companies
Historically, a technology company was one developing new products or technologies to launch into the market - equipment manufacturers, perhaps. That narrow definition applies less and less. Companies’ reliance on accurate and timely data about their operations is continually growing - for example through the complexity of logistics operations, or the proliferation of sensing systems. That reliance can be seen most clearly in the impact ransomware has had over the last five years: through denial of access to technology, companies have had to pause or even cease their operations. Having an accurate view of your reliance on technology is essential to being able to understand the risks you might face.
2. Identifying risk needs to be up-front
At Nettitude, we are often asked to assess the security of products or systems as the final step before they are deployed. In a recent case, we were asked to assess a network product after it had been fully developed and was launched on the market. During our assessment, we found - as is often the case - a mix of high and low-risk issues. Although the product vendor was able to fix the major issues, the minor issues required hardware changes or major changes to the way the product is architected. This would have been simple and easy to do during the development phase but was not cost-effective to do after the fact. By ensuring that risk is assessed at the start of a project costly mistakes can be avoided.
3. Mitigations need to be in-depth
Nettitude spends a lot of time carrying out ‘Red-teaming’ exercises, where we emulate an adversary targeting an organisation and attempt to gain access to a critical system or data. The team is often highly successful, but it is rarely a single vulnerability that gets them there. Instead, a chain of smaller vulnerabilities is found and linked together to move from outside the organisation to the target.
In the previous example, although the ‘high’ risk vulnerabilities were mitigated, the ‘low’ risk vulnerabilities remained. To adequately mitigate the risks you identify, they need to be considered in a holistic context and not individually: an item that is low risk on its own may become a much higher risk in the presence of others, because it is one link in a chain that reaches something critical. Mitigations therefore need to be applied in depth - something which is only cost-effective if risk identification is done at the start of the project.
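The chaining argument above is easy to make concrete. What follows is an added illustration written for this page, not Nettitude code and not the product assessed in the example: each finding is modelled as an edge from the foothold an attacker already holds to the foothold it grants, carrying the severity it would be given when assessed on its own. A breadth-first search from the internet to the crown-jewel position then shows whether a chain of individually ‘low’ findings reaches the target, re-rates every finding that sits on such a chain at the impact of reaching the target, and lists the findings whose remediation alone would break every chain. The finding identifiers, footholds and severities are constructed sample data.

```python
from collections import deque

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings for this illustration:
# (finding id, standalone severity, foothold the attacker needs, foothold it gains).
FINDINGS = [
    ("F1", "low", "internet", "dmz-web"),
    ("F2", "low", "dmz-web", "internal-lan"),
    ("F3", "low", "internal-lan", "admin-workstation"),
    ("F4", "low", "admin-workstation", "crown-jewels"),
    ("F5", "high", "internet", "crown-jewels"),
    ("F6", "low", "dmz-web", "admin-workstation"),
    ("F7", "medium", "guest-wifi", "printer"),   # not reachable from the internet
]


def build_graph(findings, remediated=frozenset()):
    """Adjacency list: foothold -> [(finding id, foothold gained)], skipping fixed findings."""
    graph = {}
    for fid, _sev, src, dst in findings:
        if fid not in remediated:
            graph.setdefault(src, []).append((fid, dst))
    return graph


def find_attack_path(findings, start, target, remediated=frozenset()):
    """Shortest chain of finding ids from start to target, or None if no chain exists."""
    graph = build_graph(findings, remediated)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        pos, path = queue.popleft()
        if pos == target:
            return path
        for fid, dst in graph.get(pos, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [fid]))
    return None


def contextual_severities(findings, start, target, remediated=frozenset(),
                          target_impact="critical"):
    """Map finding id -> (standalone severity, severity once chains are considered).

    A finding that lies on any complete chain from start to target is rated at the
    impact of reaching the target, whatever its standalone rating.
    """
    rated = {}
    for fid, sev, src, dst in findings:
        if fid in remediated:
            continue
        attacker_reaches_src = find_attack_path(findings, start, src, remediated) is not None
        dst_reaches_target = find_attack_path(findings, dst, target, remediated) is not None
        if attacker_reaches_src and dst_reaches_target:
            rated[fid] = (sev, max(sev, target_impact, key=SEVERITY_RANK.__getitem__))
        else:
            rated[fid] = (sev, sev)
    return rated


def single_points_of_failure(findings, start, target, remediated=frozenset()):
    """Findings whose remediation alone would break every chain from start to target."""
    spof = set()
    for fid, _sev, _src, _dst in findings:
        if fid in remediated:
            continue
        if find_attack_path(findings, start, target, remediated | {fid}) is None:
            spof.add(fid)
    return spof


if __name__ == "__main__":
    fixed = {"F5"}  # the 'high' was fixed after the first assessment; the 'lows' were not
    print("chain:", find_attack_path(FINDINGS, "internet", "crown-jewels", fixed))
    for fid, (alone, in_context) in contextual_severities(FINDINGS, "internet", "crown-jewels", fixed).items():
        print(f"{fid}: {alone} on its own -> {in_context} in context")
    print("fixing any one of these breaks every chain:",
          single_points_of_failure(FINDINGS, "internet", "crown-jewels", fixed))
```

With F5 fixed, every remaining ‘low’ on the route is re-rated critical, while F7, which no attacker position reaches, keeps its standalone rating. Only F1 and F4 are single points of failure: fixing F6 alone leaves the F2/F3 route open, which is the in-depth point - a mitigation that removes one link while alternative links remain has not reduced the risk.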
4. Assessment needs to be continuous
We often find that the documented understanding of a system diverges from the real-world situation. For example, we will visit a vessel with a network diagram and find that extra components have been added or upgraded on board. Likewise, asking even a simple question like ‘how many computers do you have?’ can yield wildly different answers depending on whether you ask the team managing the hardware, the network or the anti-virus.
The industry’s understanding of the risks posed by different technologies also evolves. The clearest example is cryptography, where new attacks on ciphers and advances in hardware mean that practices which were recommended ten years ago may no longer be adequate (SHA-1 signatures and 1024-bit RSA keys, for instance, were widely accepted a decade ago and are now deprecated).
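The ‘how many computers do you have?’ problem above is one that can be checked rather than debated. The following is an added example written for this page, not a Nettitude tool: it takes three views of the same vessel - a hardware register, a network scan and an anti-virus console - normalises the hostnames (each team records them differently), and reports which hosts every source agrees on, which are missing from where, which devices appear only on the network, and which are not under anti-virus at all. The three inventories are constructed sample data; the hostnames are illustrative.

```python
HARDWARE_REGISTER = ["BRIDGE-PC01", "ECDIS-01", "ECDIS-02", "ENGINE-HMI", "CREW-LAPTOP-03"]
NETWORK_SCAN = ["bridge-pc01.vessel.local", "ecdis-01", "ecdis-02", "engine-hmi",
                "nas-01", "vendor-laptop"]
AV_CONSOLE = ["Bridge-PC01", "ECDIS-01", "crew-laptop-03", "ECDIS-03"]

# Constructed sample data: the same vessel as seen by three different teams.
SOURCES = {"hardware": HARDWARE_REGISTER, "network": NETWORK_SCAN, "av": AV_CONSOLE}


def normalise(hostname):
    """Lower-case and strip any DNS suffix so 'BRIDGE-PC01' and 'bridge-pc01.vessel.local' match."""
    return hostname.strip().lower().split(".")[0]


def reconcile(sources):
    """Return host -> set of source names that know about that host."""
    seen = {}
    for source, hosts in sources.items():
        for host in hosts:
            seen.setdefault(normalise(host), set()).add(source)
    return seen


def report(sources, av_source="av", network_source="network"):
    """Summarise agreement and gaps between the inventories."""
    all_sources = set(sources)
    seen = reconcile(sources)
    return {
        # the number each team would give when asked 'how many computers?'
        "per_source_counts": {s: len({normalise(h) for h in hosts}) for s, hosts in sources.items()},
        # the number you actually have to defend
        "union": len(seen),
        "agreed": sorted(h for h, s in seen.items() if s == all_sources),
        # host -> sources that have never heard of it
        "gaps": {h: sorted(all_sources - s) for h, s in seen.items() if s != all_sources},
        # on the wire but in nobody's records: unknown or unauthorised devices
        "unknown_on_network": sorted(h for h, s in seen.items() if s == {network_source}),
        # known to somebody, but without endpoint protection
        "not_under_av": sorted(h for h, s in seen.items() if av_source not in s),
    }


if __name__ == "__main__":
    result = report(SOURCES)
    print("each team's answer:", result["per_source_counts"])
    print("real total:", result["union"])
    print("unknown devices on the network:", result["unknown_on_network"])
    print("no anti-virus:", result["not_under_av"])
    for host, missing_from in result["gaps"].items():
        print(f"  {host}: unknown to {', '.join(missing_from)}")
```

Three teams give three different counts (5, 6 and 4) and none of them is the real total of 8. The interesting rows are the disagreements: devices the network scan sees but nobody owns, and hosts in the register that anti-virus has never seen. Running this kind of reconciliation on a schedule, rather than once, is what continuous assessment means in practice.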
All of this adds up to risk assessment needing to be carried out at the start of a project - and then iterated throughout the life of the system, project or business venture. That cannot necessarily scale if it is delivered by people alone, and here at Nettitude we are working on ways of using artificial intelligence and other automation techniques to help our customers achieve it.
Most attacks on organisations are not directly targeted. Unless the attacker is after something unique to you - such as intellectual property - they are typically trying to extract maximum profit for minimum effort (much like any business!). Attackers go after the weakest target they can easily find - for example, someone running vulnerable software. At the moment, this does not appear to be aimed at technology specific to the maritime industry, but other industries are starting to raise the cost for attackers. The maritime industry therefore needs to raise the bar in the same way, so that it does not become the easiest target left.
How is Nettitude able to assist?
We provide independent assurance and threat led maritime cybersecurity services to marine and offshore organizations around the globe. Find out more about our services here
This was originally presented as a talk at the Plymouth University Cyber-SHIP Lab Annual Symposium 2021