From an online questionnaire to white-hat hackers, Wärtsilä’s Cyber Assessment Service is the first step that companies in the marine and energy industries can take to mitigate the risks of a major cyber-attack.
The costly NotPetya cyber-attack in 2017 was a wake-up call for Maersk and for the marine industry as a whole. The energy industry was not far behind in realising that a successful cyber-attack could cause a major accident leading to loss of life, damage to assets and a lasting impact on a company’s reputation.
This was (and is) primarily because the long life-cycles of equipment and assets in these sectors mean that the software running them often no longer receives security updates from its suppliers. And since these systems were never designed to be part of a connected smart ecosystem, they become easy targets as soon as they are connected to the internet.
“We can see an increasing amount of targeting. Basically, it is a constant cyberwar, and cybersecurity should be on the agenda of any company when they look at their risks,” says Kim Eklund, Director of Cyber-as-a-Service at Wärtsilä.
Luckily, Wärtsilä’s newly launched Cyber Assessment Service is here to help companies explore and reveal the threats and risks in their environment.
The new service begins with Wärtsilä’s cyber security experts meeting the customer and understanding their operational environment, requirements and needs. If the customer’s aim is limited to meeting regulations, the team carries out a compliance assessment by studying the documentation, rules, procedures and technologies in place. A cyber assessment can take one of three forms: a general assessment against best practices, a specific one looking at compliance with a particular regulation, or a customised assessment that checks the cyber security setup against several standards, frameworks and regulations at once.
“Usually, you want to look at things first from more of a helicopter view, and then look into the key concerns and threat vectors,” Eklund says.
It helps that regulations, too, are reiterating the importance of cybersecurity. In the US power sector, for instance, power generators have already been complying with the cyber security requirements of the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards for a decade.
NERC is a non-profit international regulatory authority responsible for safeguarding the reliability of the North American bulk power system. It requires power system operators in the United States, Canada and part of Baja California in Mexico to meet these security standards.
Last year in Europe, the Network and Information Systems (NIS) Directive on cyber security, which until then had only the status of voluntary guidelines, was transposed into national law, making it the first piece of EU-wide legislation on cybersecurity.
Regulations for the marine industry are catching up too. By 2021, the International Maritime Organization expects ship owners and managers to incorporate cyber risk management into their ship safety management systems.
The NIS Directive means that incidents such as NotPetya can no longer be kept quiet: operators of essential services are obliged to report them to the national authorities. “Critical infrastructure owners or operators cannot any more decide not to report incidents, they need to be reported,” says Eklund. “And thus, you talk about credibility and public relations.”
“Compliance is usually a strong incentive because few firms want to operate out of compliance,” says Eklund.
Minimising the risk of such an attack requires a thorough vulnerability assessment. “It's a fair assumption that you will discover vulnerabilities,” says Eklund.
Once a cyber assessment has identified the systems that represent the greatest operational risk, Wärtsilä can test those systems thoroughly for vulnerabilities by deploying ethical (white-hat) hackers.
Tuomas Aura, a professor of computer science at Aalto University, believes, though, that even the most intensive probe will miss important vulnerabilities.
“It is quite useful to have hacker types who can think of all the evil things, and think like the attacker and the criminal,” he says. “But doing that assessment once will not be enough. It has to be a continuous process.”
Maersk was infected with NotPetya because a single finance executive in Odessa convinced the IT department to install a Ukrainian accounting program onto his computer. The malware knocked out Maersk’s entire IT infrastructure, costing the company around USD 300 million and forcing it to replace 45,000 computers and 4,000 servers and to reinstall 2,500 applications.
It is near impossible for the IT department of a large international business to know for certain that there is not a similarly compromised computer somewhere on its network.
This is why Wärtsilä sees cyber security as a journey through its Cyber modules: Cyber assessment, Cyber foundation, Cyber protection and Cyber recovery. It is a circular process that is never completed. Cyber Assessment, however, is the first step.