Last month, Gnostech introduced a five-part blog post series to highlight key considerations for a cybersecurity incident response plan. In this post, we will focus on the first phase of the incident response life cycle: preparation.
Everyone has heard the saying “the best defense is a good offense.” This could not be truer when it comes to responding to a cyber incident in the port and maritime environment. Every discussion surrounding this topic usually starts with “it is not a matter of if, but a matter of when.” Not preparing for a cyber incident greatly increases the risk that commerce in a port will be disrupted and maritime operations negatively impacted.
Last year, Maersk was attacked with ransomware that resulted in the replacement of 4,000 servers, 45,000 PCs and 2,500 applications. To their credit, Maersk accomplished this feat in a mere 10 days. So, if hackers can get to a maritime conglomerate like Maersk, it is logical that any port or maritime organization is a potential target. You must be prepared for a potential cyber incident. Shipping giant Cosco’s operations in the United States were hit by a ransomware attack in late July; however, it was able to effectively respond due to lessons learned from the Maersk incident.
In many cases, port and maritime organizations do not know what needs protection, or what is essential to business operations and what is not. The first step in preparing for a cyber incident is a Business Impact Assessment (BIA). The BIA asks: “What do you need to meet your business goals? In what priority? What is the most important?”
The next step is to determine the reasonable investments that need to be made to protect the assets that are critical to port and maritime operations. Keep in mind that it may not make sense to spend a lot of money protecting an inexpensive device unless you determine that the information and data it stores or processes are operationally critical. The cost of protecting a file server is not just the cost of replacing or repairing it, the cost of backup and restoration, and the resources needed to maintain it, such as personnel and software licensing; it is also the opportunity cost to your organization if you lose access to the information and data it holds.
An often-neglected preparation is training. The most common way attackers gain access to your infrastructure is through social engineering. Malicious code can be introduced through media transfer or through links in email or on websites. Educating your users about these threats is your best safeguard. Annual IT security training, along with newsletters, posters, and email reminders, keeps users mindful of possible threats. In addition, ensure that your users are made aware of the lessons learned following a cyber incident. A small investment in user training can turn into significant savings for your organization when a threat is avoided by an educated user.
Users should also learn how to report unusual cyber activity. A point of contact and a notification process should be established. Build a Cyber Emergency Response Team (CERT) so you are prepared to respond if an event occurs. Decide now who is in charge if an event happens, and let everyone know. The first line of defense is your personnel.
Organizations should also conduct risk assessments to learn what threats various cyber risks pose and how to mitigate them. Frequent risk assessments of systems and applications also help to identify your vital resources and how to prioritize them during a cyber incident.
Organizations should have some sort of communication mechanism in preparation for a cyberattack or breach. According to the National Institute of Standards and Technology (NIST), forms of communication and coordination that are important and should be planned prior to an incident include, but are not limited to: contact information, on-call information, incident reporting mechanisms, issue tracking systems, smartphones, encryption software, a war room, and a secure storage facility.
An organization should also consider obtaining incident analysis hardware and software. NIST recommends digital forensic workstations, laptops, blank removable media, and a portable printer, among others, as viable options for being prepared to analyze a possible future cyber incident. An organization should also consider assembling a jump kit, which is a “portable case that contains materials that may be needed during an investigation.” A jump kit often contains general incident analysis materials, such as a laptop, as well as items specific to digital forensics.
Now that you know what needs protection and how to protect it, write it down. Put a preparation plan in place to protect your organization in the future. If you find a deficiency, fix it; if you realize you left something out, add it.
About Gnostech Inc.:
Gnostech Inc. is an applied engineering and consulting company with expertise in information assurance and cybersecurity engineering, and in major combat and space systems development and integration. For more information, visit www.gnostech.com or stay connected by following us on LinkedIn or @GnostechInc on Twitter.