Robert Hayes

Senior Director
Microsoft Global Cyber Security & Data Protection Group

Presentation Objectives
Introductions
Cyber security context

Cyber security in the maritime sector

Developing cybersecurity maturity
What does success look like?

Characteristics of Successful Organisations

Quick wins

Introductions

Context
Organisations cannot ignore the potential
benefits of emerging technologies
Efficiency savings & effectiveness gains
Dynamic data driven decision making
Context specific data to myriad of devices
Optimise business processes
Understand & predict behaviour

Innovate or go out of business

Context
However, using these technologies changes
your security environment
A new security model is needed
Concept of perimeter changes

Detection & Response becomes as importance

as Defence
Security exists within and enables an agreed
organizational risk model

Context
Cyber-attacks are growing in scale, scope,
and sophistication
Hardware & software are targeted, often in
the supply chain
Attackers range from disaffected
employees, single-issue activists, hobbyhackers, criminals, terrorists, and nation
states
It is safe to assume that you are a target

Context
Getting it wrong is expensive & can kill your
business
5 % of business-related privacy and security
breaches result in more $20 million in direct
costs and damages
Those costs include legal expenses and legal
settlements, business interruption costs,
investigating and remediating problems, as
well as possibly paying for crisis
communications and other specialized services
Aon Corp

Context
Just having insurance isnt enough
The average cost for a breach is $7 million.
Yet, the average portion of that cost borne by
cyber-risk insurance is just $3 million
If you consider all revenue classes, only 8
percent (of U.S. businesses) buy cyber
coverage

Aon Corp

Context
This isnt just a data protection & privacy
issue
What harm could an attacker do if they
chose to disrupt your infrastructure?
Manipulate your connected equipment?
Disrupt GPS & navigation systems
Remotely change the mixing formula in your
suppliers factory?

Cyber Security in the Maritime Sector

The maritime sector is particularly
vulnerable to a successful cyber attack
Reliance on complex embedded systems
Complex hardware & software supply chain
with dependence on remote management
Challenges of achieving skilled 1st, 2nd & 3rd
line support
Lack of proximate third party or emergency
support

Impact Assessment
Regulators, Markets & Media will judge your
organization based on:
How long it took to detect a breach
How long the attacker had been in the system
& level of access obtained
The quality of control, monitoring & cyber
hygiene measures in place & supported by
policy
The effectiveness of the response plan
The time taken to resume key services
The effectiveness & speed of the post breach
communication

Impact Assessment
An increasing number of governments,
insurance companies & enterprises are
establishing minimum standards of cyber
security if your organization is to be part of
their supply chain or to seek insurance
Only 1 in 3 supply chain vendor contracts
contain security provisions
Only 1 in 3 supply chain vendors have any
security certification or accreditation

Developing Cybersecurity Maturity

The key here is to strike the right balance
enabling your organization to exploit the
potential of emerging technologies
effectively & securely?
Most organizations lack the skills at board
level to do this effectively & in-house IT
alone is not enough

Who is advising you?

Developing Cybersecurity Maturity

Organizations which regularly review cyber
threat & response planning at Board level
are subject to fewer successful attacks, and
respond more effectively when attacked
This is not a technology issue, it is a
business change issue driven by strategic
risk & organizational imperatives

It has to be enshrined in policy & process to

succeed

Cyber Economics
Goal: increase attacker costs

Attackers ROI = (G x T) (CV + CW)

Characteristics of Successful Organisations

Assume Breach is the operating principle
& systems are tested against this
Situational awareness & assessment inform
strategy & operational decision making
Supply chain & dependencies are
understood & mapped
Coherent & rehearsed dynamic response
plan
Enshrined in policy, training, and process
Owned & reviewed at Board level

Quick Wins
Reduce the number of privileged admin
accounts to the absolute minimum, reduce
the scope of the ones left, and use multifactor authentication
Patch & Update promptly
Cyberkeel Maritime Sector survey April 2015
37% failure rate

Control physical access to your network &

devices and establish gateway identity &
health checks for network connections

Quick Wins
Application whitelist
Baseline normal activity on your network
& look for outlier behaviour
Have an alternative communication system
ready for when you are attacked
Understand who will help you on tactical &
strategic recovery & have the relationship
in place. Have 24/7 contact numbers for
key personnel & vendors

Quick Wins
Most attacks require some user interaction.
Writing clear policy, training & educating
staff, combined with visible sanctions for
breaching policy works!

Conclusion
The maritime sector is particularly
vulnerable to cyber attack, and the
consequences of a successful attack could
be more severe than other domains
Organisations in the maritime sector should
be treating this as a high priority
The processes of Protect, Detect, Respond
are mature in other sectors & will work
equally effectively in the maritime sector.

Robert Hayes
Microsoft Global Cyber Security Group
robert.hayes@microsoft.com

The difficulty lies not in the new ideas,

but in escaping from the old ones
John Maynard Keynes
1883 - 1946