Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.
We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.
Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!
Could Stuxnet happen again in the maritime industry?
And if it could, would it be as bad?
Time to find out today. Welcome to Threat Talks.
My name is Lieuwe Jan Koning,
and here, from headquarters at ON2IT
we bring you the next episode and
the subject of today is: Before the Mayday.
Let's get on to it.
Welcome to Threat Talks.
Let's delve deep into the dynamic world
of cybersecurity.
I'm really thrilled to introduce
you to our guest of today.
His name is Professor Stephen McCombie,
and he is really an expert
in the cyber maritime industry.
He's been working in cyber for years.
For example, he's been in the
Australian Police for years.
He has been leading IBM's incident
response team, built it up actually,
and he's been an advisor for years for
several different companies, industries.
And today he is the professor of Maritime IT
Security at the NHL Stenden University.
We're going to talk about openness, about
a database he keeps with all the instances.
We're going to learn about real
incidents in the maritime industry
specifically, we're going to
talk about a solution.
So I'm really thrilled you’re here,
Mr. Stephen McCombie, welcome.
I'm really curious.
You chose the maritime industry
in recent years.
What is specific in this industry that
you don't find anywhere else in cyber?
I think a lot of things.
One really critical thing about maritime
is global trade is totally dependent
on the maritime sector and our global
economies and global security,
and at the same time, ships, when they're
at sea, are quite remote and quite vulnerable.
And there's great safety issues for a ship
if there's a cyber attack on board,
things you wouldn't have happen if
you're in an office environment, perhaps,
but on a ship, if you're in bad weather,
if you're in very tight navigational conditions,
a cyber attack is a terrible
physical threat to you.
Yeah. There's not necessarily
police around the corner
that can help you out.
No, no.
Or a cybersecurity expert that can come
and help you with what the problem is.
Yeah. Yeah.
We've seen, well, have we seen how
important the maritime sector is?
I mean, if it were to be completely disrupted.
I mean, I remember the ships
being in the canal. Ever Given.
Yeah, Ever Given, indeed.
That was a big disruption of, I mean,
grocery stores were still full for me. Yes.
It was a big problem; the prices
were rising, etcetera.
But that was just a tiny
thing, relatively speaking
what could happen, I think. Yes.
And I think you can look at other cases like
where the Baltimore Bridge was run into.
That caused massive disruption to the
economy of Baltimore and the East Coast of
the United States, it’s a very important
port and it actually blocked off,
a lot of facilities and tugs
and all sorts of things.
So I think the knock on effect from
something like this could be significant.
You talk about the Suez Canal incident.
I think there was something like $1.4 billion
worth of trade each day delayed.
That's a huge number.
That’s amazing, yeah.
And, well, we're going to talk about
whether we do enough to actually protect
this whole sector. And it's a
worldwide problem.
Yes. Yeah. Yeah.
It's truly the most international of
businesses, in terms of cybersecurity.
So I mean, securing a ship
I can imagine that's hard in general.
I mean, we've demonstrated in previous episodes
we'll put a link in the show notes,
the Hack the Boat, for example.
It's actually right, the viewers can’t see it,
but we have it right here, currently
in our environment, where we show
how easy it is to hack into systems
once you have at least a little
bit of foothold in there.
I can imagine that ships, they sometimes, I mean,
a 30 year old ship is not an old ship or anything.
I mean, it's very common
that it happens. Yes.
So it means that we are dealing
with technology that's 30 years old.
Is that a problem?
It is.
And I think the statistic is 50% of ships,
cargo ships are over 20 years old.
So, more than half are over.
And the technology on
them is outdated.
And you’ve got to realize that for ships to have the
sort of firmware updates and software updates,
that doesn't happen automatically over the wire
like it does in an office environment.
So they are very vulnerable.
At the same time, the lack of connectivity has probably
saved some things-- They’re air-gapped by default.
Yeah, exactly.
Yeah. Not by choice.
Yeah. So that helps.
And that’s the irony, that modern
ships, which have a lot of
connectivity, a lot of stuff's managed on shore.
So there's lots of stuff open.
That creates more opportunities
for threat actors, a much bigger attack
surface for threat actors
and think of like the future.
You know, you think of autonomous ships.
I mean, that's like the next thing.
I mean, you think you got a ship
which is autonomous.
It's completely controlled by
digital systems, and they're compromised.
You know, where are you then?
But in a way, you're saying that more modern ships may be
a bigger problem then. You are more worried about that.
Exactly.
And I know of a case, it wasn’t a cyber attack,
where a particular engine manufacturer
did an update over the wire
on a very modern catamaran
that was carrying passengers and,
basically the ship came to a halt
because it was the wrong driver,
it wasn't the right driver for the engine
they had, and this was done
when it was actually traveling.
So that's, and that was just an accident,
but just shows you the, you know, how
sensitive some of these newer systems are.
And the thing about ships is, no two ships are the same
even in, and we do a lot of work with shipbuilders.
You can have four ships
for the same customer
that have the same specifications
from the customer.
They're all different
because it's all about
the cheapest equipment,
as they’re filling them out. So.
So the idea that somehow,
that these systems are
very integrated in terms of security,
just isn’t the case.
So it's almost like every ship is
an IT organization in itself.
Exactly, exactly.
May use the same software and the same brands
of hardware, same CPU architecture. Yes.
But they are all built more
or less from the ground up.
Maybe they share some kind of blueprint
once, but... Yes, some commonalities.
But yeah, so in terms of,
because you think about,
like a secure infrastructure,
you know, if you're a bank
or if you're an intelligence agency
or the Defense Department,
there's a whole architecture
you secure yourself, you know,
and where you put things;
that just doesn't happen
automatically for ships because of the
just because of the nature
of the way that they've been
built over long times.
It’s just a historical reality
for the maritime sector.
Now, in the introduction, I mentioned
Stuxnet for a while. Yep.
There's multiple reasons for it.
One is you actually did
a lot of research on this. Yes.
So but there is something to this.
I mean, what Stuxnet did,
you can explain better than me, but,
it is in systems that are controlled
by, ICS-type systems, I mean.
And what we're saying today, by the way,
isn't maritime sector specific in many ways,
but there's also very big similarities
with other industries, of course, Stuxnet
being one of them, the industry of
operating a nuclear power plant. Yes.
What are those similarities?
Do you really feel that whatever you
discovered back then, which was
mind boggling to many, and
changing our industry in a way,
how does it apply to
today's maritime industry?
Yes. And you’re absolutely right,
it was a watershed moment
in cybersecurity because never before
had a threat actor, had an
attacker actually caused physical effect.
And for those that don't know
about Stuxnet, basically it was
a nuclear facility run by the Iranians
to develop nuclear weapons.
And basically the US wanted to stop or delay
that development of a nuclear weapon.
And they tried traditional sabotage,
they tried to actually use agents
to try and get, sabotage
equipment in there, that had failed.
And then the NSA had
come up with this idea.
Let's get some malware in there,
which made the centrifuges run really
fast and blow up, but, you know,
in a really random way and actually
send false information to the people
who are actually monitoring them.
So they didn't think there was a problem.
So it was a really clever idea
done by some really clever people.
[ ] get networked, or highly secure.
This is a highly secure facility.
The problem was it got out, people found
out about it, and now it's part of the,
this is in 2008, I think the first attack
happened. So it's all now, it’s,
and obviously other threat actors are
now using that sort of technology.
But I think, an important point
about Stuxnet was, there was a need.
So and that's what we'll have to
remember in cybersecurity,
we can come up with all these incredible
esoteric attacks that can do all this clever stuff.
But is there a threat actor,
do they need to do this.
And if they do, that's
when the problem starts.
I'm like, you look what's happening,
you know, in the war in Ukraine,
And there's all the sort of
cyber stuff happening.
And even before that, 2022,
when it started,
there was lots of cyber activity
against Ukraine,
against their power stations,
that sort of thing.
I think that's what we’ll
have to keep in mind.
And you think about the maritime
sector, the importance to the West.
And we've seen directed attacks
against ships bringing material
to Ukraine, from Russian
hacktivist groups.
So I think that's the whole thing
you need to think about.
You need to have good
intelligence about what
the threats actually are
and who the threat actors are.
And that helps you understand
what's likely to happen,
because otherwise you just get bogged down
in this constant thing of, oh,
there's always some sort of technical
vulnerability or some technical way in
what's likely to happen, what's, in intelligence they
talk about most likely action of an adversary,
and that's something
we need to think about.
So if I read you correctly,
what you're saying is the
types of Stuxnet, I mean,
Stuxnet was a very
sophisticated thing.
More lines of code than Word.
Yeah, yeah. At the time. True.
Yeah. Indeed. So no normal... No.
It takes a state actor to do this.
And therefore many people will say;
I'm not a state, I'm not a nuclear power plant,
so why should I bother?
But what you made clear earlier, is that
to disrupt the global supply chain..
In cyber, if we ever talk about
cyber supply chain, we're
talking about different things,
like contracts with your SaaS vendor.
But no, I actually mean... The actual supply chain.
The actual supply chain.
It can be so disruptive, the whole sector
as a whole must be a target.
You've done research on this.
Certainly. But again, it ties back to
so what a threat actor’s
trying to do right now.
And it's as much about geopolitics
as it is about cybersecurity.
It's about, you know, what's
happening in Ukraine,
what's happening in the Gulf, what's
happening in the South China Sea.
It's all playing out in cyber space.
And that's the thing, and sort of back
to your thing about Stuxnet
being very advanced, obviously NSA,
incredible capabilities.
And they also worked
with the Israelis, right?
Yeah. I think they leaked
the source code in the end.
And that's why we know it, isn't it?
I don't know, did they leak
the source code? Yeah, part of it.
Yeah, I think, how we know about it is basically,
they tried, they were having trouble in
getting the infection level they wanted,
and they changed the code a little bit.
And then it just got outside
of the environment.
And, all sorts of companies, Iran had it.
And a Belarusian antivirus company
was reported to, and they actually started pulling
it apart, and Symantec started pulling it apart.
And that's how...
So they're a little bit, they assumed
that they’d keep it secret.
But like anything they just
pushed a little bit hard.
Yeah.
Yeah.
But yeah so, back to
that point about the NSA.
The reality is, it's old equipment really,
you know, this is 18 years ago now.
So, there are kits.
So the Russians have a thing called
BlackEnergy, which is a power thing.
Power, electrical grids.
And it's a modular software.
So you can basically get it to do
all sorts of different things with ICS
SCADA systems, you know,
and they've built the code.
So then, and it's out there now.
So there's a lot of capability
just even in private hands in terms
of SCADA and ICS and
all these systems
which run all sorts of
really critical technologies.
But again, it comes back to
what's the intent?
What do they want to do?
How are they going to achieve their aims?
You know, I mean, you need
to tie the two together.
How would you answer that question?
What is the threat to the maritime
industry at the moment?
What's the biggest?
I think one of the great
problems is there's a
very low level of awareness,
and that means that
the decision makers
aren't thinking about cybersecurity
in a way that perhaps in
other industries they are.
And that means that, you know, they're
waiting for something big to happen,
I suppose that's what's happening.
And that's one of the reasons,
we'll talk it about in a second,
but, you know, while we
developed our database,
and that's one of the real
challenges. That just leads to
right through organizations, people
not thinking about cybersecurity.
And, you know, in incidents, you know,
things not being diagnosed properly.
So the threat actors are there,
the vulnerabilities are there, disaster
waiting to happen? Yeah, yeah.
Vulnerable equipment. And we’ve got
a low level of awareness.
So, it's a perfect storm.
So we should start getting to work.
So you talked about,
you said MCAD, right? Yes.
It’s the Maritime Cyber Attack Database.
Database. Yeah, yeah.
Because you believe in openness. Yes.
I’m fully in agreement with you.
Everybody should explain how they got attacked,
how they did it, etc., so we can learn from it.
Can you tell a little bit
about that database.
Because it's, everybody can look at it.
We'll put a link in the show notes.
Yeah. Everybody can go to it.
So yeah it's, and we've got an Apple
and an Android app you can download.
It's free, you don't even have to register.
It's really about the openness,
as you say, it was born
out of my early experiences talking
to the maritime industry and people,
they would say to me also,
how big is the problem?
And I'm thinking, well, I'm not sure.
And I sort of looked at what research
had been done and very limited research
had been done in terms of identifying
what incidents actually occurred
and information about them.
I think there was one paper that maybe
described maybe 30 or 40 incidents.
So I thought we could just
build a collection.
And my idea was use
public source information.
And that way we're not telling anything
that hasn't already been reported,
but we're just doing it
in a more structured way
that makes it easier
for people to identify it.
So that’s what it was born of
because, the great challenge
always in cybersecurity
generally with incidents,
you know, victims don't want to be identified.
That leads to sort of
that reluctance to report
or at least to have it public.
And then other people don't learn.
I'm a great believer in that,
you know, the best education
for a company in terms of what the threats
it faces is, is the same company
that it competes with down the road,
and when they get hit. That,
that's going to educate them so much,
then they’ll get concerned about it.
But no one wants to share. That's the
boundary you have to show. Yeah.
There shouldn't be a penalty for
showing where you went wrong.
I know, and I sort of originally started
this like as a bit of an awareness for
maritime companies,
but I met one of the, a
naval officer from the US who's in
the Annapolis Military Academy.
He teaches cybersecurity.
He uses the database with all the
students, like to teach them that.
I talked to some guys
from Lloyd's of London.
They use it for insurance.
I talked to some guys in
Singapore that are involved
in, there's a fusion center there,
and they put intelligence products
out to countries about threats.
They use it.
And one of the reasons all those people use it is
because public sourcing mentions they can share it as well.
Like the great challenge in,
I know in intelligence circles,
it's all the classified information, it’s difficult
moving it around. Particularly in the US.
That's one big problem
they have in the US.
And all this fantastic information
that's all classified.
So they can't share it with almost anyone.
Yeah.
No, we actually use it also. Before we met,
I knew about the database. Okay.
There are gems in there
to learn, could you? It's a bit...
Yeah. As a cybersecurity professional,
I hate to say, it's a bit fun. Yeah. It's not,
of course, not fun at all.
But could you pick out
a few examples of what -
Yes. - happened, what are
in those databases?
Yeah. I've got a few of those
that are my particular favorites
that I'm always happy to talk about.
One was in 2012 and it
actually involved the US Navy.
They had a system that they
use for various purposes.
There was a compromise. And data was stolen.
PII was stolen from it.
And the NCIS, which is these guys
on TV, they investigated it
because they investigate criminal matters
in the Navy, and they worked out.
Hang on.
This traffic's coming from an
aircraft carrier in the Atlantic.
It's one of ours, the USS Harry S. Truman.
So NCIS being NCIS, they flew on
board this aircraft carrier incognito.
And started their investigation.
And they worked out that
the guy behind it, he was a systems
administrator on board.
He was a sailor.
And, he had all this access, and basically,
they set up a trap for him to
a system, like a honeypot,
to a system that was vulnerable.
And he hacked into it while they
were actually monitoring him,
and they arrested him,
and he went to jail.
And guess what?
It was an inside job in this case.
It was an inside job,
classic insider.
I don't like to talk about [ ]
because that's important.
But do you know what area of the nuclear
aircraft carrier he was responsible for?
No clue. The nuclear reactor.
Oh. So yeah.
Something you really want to protect.
Exactly. So that, there you go.
You think, because people often think,
oh, you know, Navy, people are cleared.
They're all, you know, tight discipline.
You know, if an insider attack can happen
in that environment, it can happen anywhere.
So and maritime’s, you think about
just not just, crew
but you have passengers,
you have all sorts of people
that work on ships, contractors
and things.
Especially when they get more digital
and digital, they're a lot [ ]
[ ] more different contractors.
And that's why,
and then they're not even coming
on board, they're actually just [ ] digitally.
So that's the thing, I think insider
threat's always a big problem.
You know, you think about, you know, Snowden
and Manning and all these sort of people.
That's the whole thing,
someone with an ax to grind
with the access and knowledge, you know,
they're the really dangerous actors.
Yeah.
I hear that a lot in the maritime industry
because jurisdiction isn't really a thing.
Right.
Well, it's a thing, but I mean, a ship has
many nationalities on board typically.
Yeah. So it's relatively easy
for a state to try to infiltrate.
So. But what can you do?
I mean, if you're the sysadmin of that ship,
of the nuclear, how I mean, screening,
that is the compliance thing is
‘we'll screen our staff’.
Yes, yes.
But like you said, if the military
cannot pull that off, who can?
Right.
I think it's also being alive to the
possibility, don't you think?
I'm sure the US Navy
are a lot more careful
now about their systems
administrators on ships.
But I think we just don't, we're not
creative enough with our thinking.
So I think that's one of the beauties
of an open source database, is
you can learn from other people's mistakes.
Yeah. And be smart. Raise awareness.
Exactly. Yeah.
More examples, please.
So some really interesting stuff’s
happen in terms of navigation.
Like obviously ships rely
on satellite for navigation.
There's been a couple of cases, really interesting
cases where that's been compromised.
And there was one in 2019
involving the Stena Impero,
which was a British-flagged
oil tanker in the Gulf.
And basically it was traveling
international waters
and it was intercepted by
Iranian Revolutionary Guard,
who told it to turn around and
effectively go into Iranian waters.
And there was, fortunately,
there was a British ship there
at the same time, that was
actually looking after them
and that was saying, do not turn, you're in
international waters,
they can't tell you to do that.
And so it kept going.
The next thing they knew,
there was what we call a GPS
spoofing attack, which basically
meant their true location
was no longer what was
reflected on their charts.
It was actually showing
a false location.
They managed to confuse them enough
that they ended up in Iranian waters,
and the Iranians dropped
commandos off a helicopter.
And they took the ship over
and took it hostage.
And to sort of go back, why they did that is, two weeks
earlier, a British ship had, sorry, an Iranian ship
had been boarded by the British Navy
off Gibraltar for breaking sanctions.
And it was a payback.
And, MI6 looked at this, and they determined
that the technology had come from Russia.
So the Russians had actually helped
the Iranians do this in 2019.
And we've seen lots of cases
of this type of thing happening.
Another more recent one in 2021, before
the recent conflict in Ukraine, a British ship,
the HMS Defender, was traveling
in the Black Sea and basically,
the Russian Coast Guard and
Russian Navy and Russian Air
Force told it, you know, to stop
traveling the way it was going.
That sort of went on for a little while
and then went into port in Odessa,
same town as a Netherlands vessel,
Netherlands Navy vessel with it.
And basically, their locations
on AIS, which is this,
system which basically tells
other ships where they are,
showed them going into Sevastopol.
And this was a provocation
by the Russian military intelligence.
In fact, they never left the port.
So it's a really good example of how
these sort of technologies are being used
sort of hand in hand with physical attacks.
But it's like it’s another way that, you know,
by nation states, in this case,
another way they can use it.
We've actually used this,
this particular sample,
of the AIS system in a
previous presentation.
Yeah.
But what you're laying out here
is that those threat actors
are really, really powerful. Yeah.
And you may think that you're
not a target, but you are
for the simple reason of retaliation.
Yes. Exactly.
You're up against a huge, mighty enemy.
It is a good example of it. Yes.
Okay. We have time for one more example. Could..
I mean, all sorts of things happened on
in the maritime sector
that you might not expect,
just things which you might not expect.
Someone set up an internet camera
in a change room on a cruise ship and
took pictures of women and children,
who were going swimming like that.
So, the types of attacks we have on
land, we have at sea as well.
And that's what you need to understand.
And the same sort of people that commit
cyber crimes on land; also on ships.
Yeah. So it's more than a regular ... it’s just.
Yes. A different world extra.
It's not like... Yes. Just specific. Yeah.
It's about time we talk about solutions to this
because you made us all very scared.
Of course.
But before we do, I have a
treasure hunt for the audience.
So for those who know, you can win a T-shirt, and
some of you have actually won all of them.
Very, very,... yeah. It's a craftsmanship to get
that done actually. But if you want one as well,
send the following code to
code@threat-talks.com, please.
The number is 260016.
So solutions to this.
We already talked about
MCAD for openness. Yes.
That really helps because
then people can learn.
But this is not the only thing
in learning that you advocate.
You've become really great
at exercises of all kinds.
Could you explain a little bit?
Yes. So I've been very lucky to be involved
in cyber exercises for a very long time.
Back in 2007, I was involved in
a thing called Cyber Storm II,
which was run by the US government
and had like thousands of participants.
And it really convinced me of
what a fantastic educational tool
running an exercise is, because you can,
if you're designing the exercise,
you can actually think about,
what are the sort of messages
or key messages about cybersecurity
I want people to learn?
It might be about having better
capability in cybersecurity.
It might be having legislative
powers in cybersecurity.
It might be having, formal relations
with organizations that can help you.
You can tweak that out and tease
that out by running an exercise.
And it's much better, much more effective
than just trying to, you know,
show a whole bunch of slides and try
and convince them on the merits of it.
You give a decision maker a decision
under stress in a cyber
situation, even in an exercise
people still get pretty
stressed in that situation,
even though it's safe.
And typically the sort of decision you're
making is between two things,
neither of which is good.
One is probably slightly
better than the other.
And that's the nature
of these types of incidents.
And that's a great teacher
to make them think, how can I avoid
that scenario coming out of
[ ] bad choices.
I never want to make that choice.
More options. Exactly.
And who should do those exercises?
Who do you teach this to?
We do it to all sorts of people,
but it's particularly effective with
boards and with senior leaders, because
they’re making these sort of decisions.
And you think about crisis management,
not just cyber, all sorts of crisis
management, senior executives
are on the spot to make a decision.
And often it's not even their domain.
Like, you know, CEOs are asked questions
about some major cyber event
and they're not cyber people.
So in a way that's a great audience.
But at the same time, you know,
we love working with operational people,
you know, people that work in SOCs.
You know, we work with mariners,
obviously in our work.
So I think it's got
a very wide application
because it really crystallizes
the threats and
the challenge of cybersecurity in a way
that I think is very clear for all of us.
And in a short period of time.
Yeah, yeah. And what about making sure that
the boards and CISOs and CEOs understand
what needs to be done? Because
often I see, and this is not unique
to the maritime industry,
but everywhere actually.
Cyber risks are often really hard
to, to quantify. Quantify. Yeah.
And therefore it's easy to, yeah, more
or less ignore them or, if you're unsure
about a certain risk, it's also hard
to put it in the right order.
Yes. And that's a burden
we all have in cyber. Yes.
Because I mean, yes, of course
we have to as examples.
But there's so many examples.
Apparently that doesn't work.
I mean, you open the news
and there's a cyber incident.
Go to the MCAD database.
There's many, many things.
Yeah.
It doesn't necessarily automatically mean that
people say, oh that could happen to me. Yes.
So somehow we need to educate or explain...
Yes.
Because if you're in the cybersecurity field,
it’s obvious what needs to happen,
it’s obvious that it's really important
that more steps need to be taken.
Do those exercises also help in that, for example?
Could that be an ingredient?
I think so, and it's all about people understanding that
they have got a responsibility in terms of cybersecurity.
I remember talking
to a CEO of a big retailer,
and basically we were talking about some of the incidents
that have happened and how they played out.
And he said to me, so who
would be accountable for this?
I said, well, you would be. Like he,
despite being the CEO of a company,
he didn't feel somehow
it was his responsibility.
And I think that's the problem people aren't
thinking of it as being their responsibility.
You know, if they think someone else
is looking after it, and a classic thing
in the maritime sector,
when we're talking to,
heads of maritime
companies and we're saying, oh, well,
and talking about the issues
and that's a, well, my IT
people would look after that and we go,
well, but it's your responsibility.
It's your business process.
It's your core.
So it's also not the CISO then?
No. It actually [ ]
What is the role of the CISO?
Well, I think I think the CISO needs
to be the expert on cybersecurity
for the organization to be
able to crystallize to the
leadership what's going on and build
the strategy, build the strategy with,
you know, obviously with
the approval of the board,
but like build a strategy that
actually secures the organization.
We're actually going to talk to a CISO,
for our next episode of... Yes. Very good.
Mr. Hans Quivooij, CISO of Damen Shipyards.
It's going to be exciting.
We're going to talk about
autonomous vessels.
We're going to ask him
this question as well then. Okay.
So that's, but then in the end, it's
not necessarily the responsibility
of the CISO itself or the CIO, but
the business owners, more or less.
I think that's where they should feel
more responsibility there.
And what we do is like, I think there's
a couple of fantastic examples,
like with Target when they had a breach.
I can't think of a name,
other companies,
but basically where the CIO
and the CEO both went, as a result.
So people lose their jobs. Yeah Target
is the first time the CEO got fired
over a cyber incident.
Yeah.
There's been plenty since.
And Uber, the CISO went to jail.
Yeah.
So there’s very severe consequences on executives
that they just don't necessarily understand.
And an exercise, like you mentioned -
Yes.
- would be a very good way
of making it really tangible.
Yeah. It's very tangible.
It makes you realize, I need to know more about..
I need to empower my CISO to educate me more, for example.
And the other thing which I love when they say it,
they say, could this actually happen?
And we go, yeah, here it is.
Sure.
Yeah, it's already happened for many companies,
I have a whole database. Exactly. Exactly.
And that's the nice thing, if you’re
talking about real incidents that
have happened, it's much better.
Like if you start talking
about some esoteric attack
that has never happened,
but that is possible.
You know, you lose people's interest
but if you can go, well, like,
this actually happened to this
organization very much like yours.
You must be happy about the NIS2 directive then,
because it prescribes board
members to be trained on cyber,
whatever that may mean. Yes.
That still has to be hashed out. Yes.
I think it's an important step.
I think that the problem with any sort of
regulatory framework that supports cybersecurity,
it's also far behind the times,
like it just takes, the time
it takes from someone to coming up
with the idea, we need this,
we need this in place
to make it more secure,
and actually being in effect is
so long, that there’s this great gap
and you sort of mentioned, we were talking
about Target before, Target is a classic example,
they got their credit card,
PCI certification
and basically I think a week later
they got compromised.
Yeah. So it was great when they
came up with the idea of it,
but it just wasn't really up
to the modern threats
when... Yeah, Target is a classic example,
they had massive budget,
they had a security operations center,
they had [ ]
Yeah. In hindsight, yes.
But they ticked it at the time.
[ ], because of overload of events,
yeah it’s classic, classic cybersecurity.
Yeah.
Prevention.
It's also, I mean, our job here at ON2IT
is always to do everything
prevent, prevent, because prevention
is actually preventing stuff. Yes.
So that's hard, right?
Yes, yes.
But I think there's a lot that can
be done in terms of, you know,
when we're talking
about vessels, segmentation,
the ability to keep systems up to date.
So, they're not low hanging fruit.
I mean, cybersecurity is very challenging
because, you know, threat actors
can do all sorts of clever stuff,
but you've got to at least protect,
you know, that cyber
hygiene is so important.
And if that's something
the industry can take on,
that shipbuilders can take on,
shipping companies can take on-
[ ] in your network, authentication...
All that basic stuff, you know, like
and we went on to a ship,
with some students, we do
as part of our courses, we actually,
have pentesting students and we
get them to try and break into a ship.
And, I see, this is a brand new ship.
There's passwords posted all around.
Yeah, on a brand new ship.
So, the latest technology, but, like,
there's really fundamental mistakes.
A lot to do there as well.
Before we run out of time,
there's one other thing that you've been
working on that I'd like to know more about,
you call it a Ship Honeynet.
Yes.
What is that?
So basically, the Ship Honeynet
is a trap for hackers
who are trying to look
at what they think is a ship.
And it's really born out of MCAT,
which is on historical events,
but without a lot of technical detail.
What we wanted to do was
to add to it and say, okay,
what are hackers doing right now, and
what are they doing at the packet level?
Like that very micro level in terms of, you know,
what sort of systems they're trying to get into,
what sort of vulnerabilities are they
trying to compromise, you know,
so we built this environment
which basically to a hacker
looks like a ship
with a digital connection.
Originally we were using an older satellite connection, but
now we're using Starlink, which is obviously very popular.
That’s convenient that you can distinguish it
from a real ship because it's the same
satellite range. Exactly, exactly.
The same IP address.
And we're in the same range. Exactly.
And so far, I think last month
we had 5 million hits on it.
So it gets a lot of activity;
some of it's just blind scanning.
But there is intelligent stuff
going on, going after very maritime
vulnerabilities, which wouldn't
be in any other environment.
And that's the interesting stuff for us.
And then you can do
forensic analysis on that.
See who’s there.
Yeah. Exactly. Yeah. Yeah.
So, build cyber threat intelligence out of that.
So that's something we really,
you know, we've been working
on, and we're really excited
to, as an addition to MCAT,
like as another part of that, knowing
what's actually happening
in the environment.
Can shipowners or shipbuilders
benefit from this in some way?
Of course. It's interesting to
see what they are doing.
So, you know the threat actor a little bit
more on the technical level. Yes.
On any other... I mean, we kind
of mentioned that indeed
you have like these, block lists
of IPs, or you have...
Yeah. Yeah.
We're more than happy to share all this information
with, you know, people in the industry.
Even, like, that’s the nice thing about
the Ship Honeynet, I mean, there’s,
we can make lots of them, and we can
put them in all sorts of environments.
And, we're even looking at,
you know, some,
shipping companies want us to
put one in their environment.
So it's within their range.
It looks like a ship.
So they're treating it a bit like,
forgotten the expression, but... canary.
Like a canary, a canary system.
To test if someone's in there.
If you would build this virtual ship more
or less, and then put it in your fleet. Yes.
And then just look at all the traffic
that is trying to get in there.
And then cross-reference it with all the
others that you know, when the others
are under attack. Exactly.
That’s a very simple... Very simple to do also.
Yeah, yeah.
And people often say, well,
if you're building this trap and you're
trying to trick people,
why are you talking about it?
But of course, talking about our Ship
Honeynet is a deception in itself,
because if I'm a hacker and
I go on a system and hear [ ]
can’t be talking about our thing,
is this a Honeynet?
Is this a real ship? Is it a honeynet?
They don't know.
So you’re actually adding to the deception.
And the more they're out there, the better.
Have you seen any deception
technology trying to detect
that it's not an actual ship?
Like latency detectors, I can imagine.
No, no. Yeah. Because you’re
using Starlink now. Yeah.
So it's really... Exactly.
Well, I mean, I'll be honest, because ships
are very unique in a way, in terms
of like the sort of traffic you'd see
on the networks and that sort of thing,
but we're still sort of
working our way up to that.
So, some sort of track.
There are systems, you can actually
cross-reference ships, obviously,
marine traffic and things like that.
And we're trying to build all that into it.
But, I think there's a lot
of good intelligence
coming out of it already, but I think
we can improve it over time,
and we can make it any type of ship
in any location we want.
And multiple ones.
So, it's a really exciting area,
and I think a lot of good intelligence
will come out of it for shipbuilders,
for shipping companies,
you know, for the whole
cybersecurity community.
Wonderful.
Well, in one of our next episodes, we're actually going to talk about
autonomous ships and how that... which is the future. Right?
So if it wasn't scary enough already. Yes.
It’s even becoming worse.
So, well, we need to talk more
about this and we will, so.
So thank you very much
for being on Threat Talks today
and for all your insights.
It's been an eye opener.
And hopefully we gave a little bit
of hope to people who
are in the maritime sector or in general
in the protection business of IoT systems.
At least you have given a lot of pointers.
And we'll put in the show notes,
some of the, like the education stuff.
So, for everybody to benefit.
And to our viewers, thank you
very much for tuning in today.
If you liked this episode, please like it.
It will help us spread the word further.
And right next to this button,
there’s a subscribe button,
and then you will not miss this
next episode that we just talked about.
Hope to see you again.
Thank you very much. Bye bye.
Thank you for listening to Threat Talks,
a podcast by ON2IT cybersecurity and AMS-IX.
Did you like what you heard?
Do you want to learn more?
Follow Threat Talks to stay up to date
on the topic of cybersecurity.