Hacktivism is not a recent phenomenon. The first references to malicious hacking date to the 1960s, and since then digitalization has exploded, and with it the number of threats and attacks. The threat has also changed over the years, becoming more targeted and more destructive. Cyberattacks on industries, businesses, and countries are regular headlines, and we can observe their impact firsthand.
An entire industry has evolved in response to these threats. Companies can spend thousands of dollars on defensive software and hardware to protect themselves from cyberattacks, although this defensive mindset has not penetrated every industry. Yet even companies that do spend often ignore the simplest measures: patching and staying current with their technology. History has shown that these attacks rely on known, exploitable vulnerabilities for which fixes already exist. Hardware and software vendors are constantly releasing updates to close those vulnerabilities. However, as recent ransomware events have taught us, individuals, businesses and even governments are not replacing their end-of-life hardware or applying software patches and fixes.
According to Futurenautics, 90% of maritime companies spend less than 20% of their IT budget on cybersecurity and resilience, 70% spend under 10% of their budget, and 10% spend nothing at all. It is understandable that replacing End of Life (EOL) hardware and software requires a dedicated financial investment. Realistically, though, systems that cannot be replaced should never be public facing: they belong behind a modern, patched and monitored infrastructure. Limiting internal access to those systems to only those with a bona fide need also reduces the insider threat.
In some areas, the maritime industry continues to rely on legacy systems using old software and aging operational technology. On the other end of the spectrum, there is a growing dependence on information systems with the development of new technologies. Either way, compromised systems could trigger physical harm, loss of sensitive information, or criminal activity. Cyber hygiene among maritime workforces also plays a role.
The results of the 2017 IHS Fairplay cybersecurity survey are in and, for the most part, they are not encouraging. Asked whether their company had experienced a cyberattack within the last 12 months, 34% of respondents answered “yes,” a 21% increase over the previous year’s survey. The level of cyber risk awareness within employee groups was just as troubling: 13% of company executives and 9% of onshore managers answered that they “did not know” whether their organization had experienced a cyberattack within the last 12 months, and among crew members 37% answered the same way. Asked whether they knew that their company had an IT security policy, 67% of company executives and 79% of onshore managers responded “yes,” compared with only 37% of crew members.
What are the lessons here? Gnostech has a few:
- Patching all computers, servers, and network appliances is critical to protecting a company’s organizational network.
- Patching cannot prevent every attack or breach, but keeping systems patched measurably improves your security posture.
- Limit user access to system administrator tools.
- Develop an incident response plan before the company is attacked or breached by malware, not after.
- Create plans to ensure computers and other systems meet strict engineering configuration management compliance requirements.
- Supply Chain Risk Management (SCRM) and the interconnections between suppliers and your IT infrastructure are critical risk management components.
If you allow your users to access the internet from hardware that has reached EOL or from unpatched software, you have unlocked the front door to your business. The only reason you have not been attacked yet is that the criminals have not tried the door yet. Or they have already come in through a back door and you have not noticed. Maritime companies should never let that happen.
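The lessons above (keep systems patched, keep EOL systems off the internet, know what you own) only stick if someone checks them against the actual inventory. The following is an added example, not code from the original article or from Gnostech, showing what such a check looks like: it takes a constructed host inventory and grades each host on EOL status, internet exposure and patch age. The three lifecycle dates listed are public Microsoft end-of-extended-support dates; the host names, the "today" date, the 30-day patch SLA and the inventory itself are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-extended-support dates. These three are public Microsoft
# lifecycle dates; the table as a whole is an assumption for this example and
# in practice must be kept current from the vendors' lifecycle pages.
EOL_DATES = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Lower number sorts first in the report.
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3, "ok": 4}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    last_patched: date
    internet_exposed: bool


def assess(host: Host, today: date, patch_sla_days: int = 30) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one host, worst first.

    An EOL operating system that is reachable from the internet is the
    "unlocked front door" case and is graded critical; EOL behind the
    perimeter is high; a missed patch SLA is medium; a platform with no
    lifecycle date on record is low, because you cannot judge what you
    have not inventoried.
    """
    findings: list[tuple[str, str]] = []
    eol = EOL_DATES.get(host.os)
    if eol is None:
        findings.append(("low", f"{host.os}: no lifecycle date on record"))
    elif today >= eol:
        if host.internet_exposed:
            findings.append(("critical", f"{host.os} reached EOL on {eol} and is internet exposed"))
        else:
            findings.append(("high", f"{host.os} reached EOL on {eol}"))
    patch_lag = (today - host.last_patched).days
    if patch_lag > patch_sla_days:
        findings.append(("medium", f"last patched {patch_lag} days ago, SLA is {patch_sla_days} days"))
    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


def worst_severity(host: Host, today: date, patch_sla_days: int = 30) -> str:
    findings = assess(host, today, patch_sla_days)
    return findings[0][0] if findings else "ok"


def audit(hosts: list[Host], today: date, patch_sla_days: int = 30) -> list[tuple[str, str]]:
    """Grade every host and return (name, worst severity), worst first."""
    graded = [(h.name, worst_severity(h, today, patch_sla_days)) for h in hosts]
    return sorted(graded, key=lambda row: SEVERITY[row[1]])


# Constructed sample inventory and a constructed "today" for the sample run.
TODAY = date(2018, 3, 1)
INVENTORY = [
    Host("ecdis-bridge", "Windows XP", date(2013, 11, 12), internet_exposed=True),
    Host("office-fs01", "Windows Server 2008 R2", date(2018, 2, 20), internet_exposed=False),
    Host("crew-wifi-gw", "Windows 7", date(2017, 6, 1), internet_exposed=True),
    Host("ballast-plc-hmi", "VendorOS 3.1", date(2016, 1, 1), internet_exposed=False),
]

if __name__ == "__main__":
    for name, severity in audit(INVENTORY, TODAY):
        host = next(h for h in INVENTORY if h.name == name)
        reasons = "; ".join(r for _, r in assess(host, TODAY)) or "within policy"
        print(f"{severity:8s} {name:16s} {reasons}")
```

In the sample run the XP bridge workstation comes out on top as critical, the two hosts that have simply missed the patch window rank next, and the file server that is still supported and patched nine days ago is the only one within policy. The same two inputs the article keeps returning to, lifecycle status and exposure, drive the ranking; patch age alone never outranks an EOL system on the internet.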
About Gnostech Inc.:
Gnostech Inc. is an applied engineering and consulting company with expertise in information assurance and cybersecurity engineering, and major combat and space systems development and integration. For more information, visit www.gnostech.com, or stay connected by following us on LinkedIn or @GnostechInc on Twitter.