Maersk’s chief information security officer shares how the company changed after falling victim to the NotPetya attack
AP Møller-Maersk was perhaps the highest-profile casualty of the 2017 NotPetya malware, with a negative impact on the company’s revenue to the tune of nearly US$250M.
Chief information security officer Andy Powell spoke about how Maersk has implemented the lessons it learned as a result of this at the Maritime Cyber Risk Management Forum in London on Tuesday 25 June.
“The state-sponsored investment in some of these weapons is beyond the capability even of global companies like ours to defeat [and] you will not stop every attack,” he said.
“What you have to develop is your ability to respond,” he added, noting that the maritime sector excels at such contingency management and planning what to do should an attack succeed in getting through, rather than focusing solely on prevention, is essential.
Communication is a key element of this, and Mr Powell noted. Maersk prioritised informing customers of what had happened openly. While in the short-term this impacted Maersk’s share price, this recovered and customers appreciated the company’s transparency.
He noted that even if conventional communications systems, such as IP-based phones, are put out of action, there are other avenues of communication that can be leveraged. Social media such as WhatsApp played a key role in Maersk’s recovery, with groups being set up within minutes to enable the company to continue to function. Aspects of Maersk’s contingency planning are now based around making use of such tools, Mr Powell said.
He noted that using online-based backup is no guarantee of security as this too can be targeted in attacks. “There is no such thing as online backup any more, offline backup and a regime to ensure offline backups work is absolutely critical.”
The only reason Maersk was able to recover was due to having an offline backup in place in Lagos due to Nigeria suffering power outages. “We were lucky,” Mr Powell added, noting that this backup enabled the company’s systems to be back up and running in nine days.
Lost revenue, extraordinary operational costs and expenditure on additional IT capabilities required to rebuild endpoints from scratch all formed part of the financial impact, and while the final figure may seem small in comparison to Maersk’s annual turnover, there were fears the costs could have been much greater, said Mr Powell. He added “At one point during those nine days, it was an extinction-level event.”
In total, more than 40,000 endpoints were taken out, along with 3,000 servers and more than 1,000 applications rendered totally unrecoverable, he said.
While he declined to comment on whether the company’s cyber insurance paid out, Mr Powell emphasised the need to be aware of what cyber cover does and does not cover, noting “A force majeur-type attack, which this was, is a very difficult thing to justify.”
“The collateral damage from a state-sponsored attack can hit anybody,” said Mr Powell. Chinese, Russian and Iranian state actors are all developing weapons that may be intended to target governments but that can have a wider impact, and this is a growing trend, he added. He also highlighted that weapons are increasingly using several attack vectors, which is particularly relevant given the increasing levels of digitalisation and OT in maritime.
“What I would like to see in maritime is what we have learned being applied across the sector,” said Mr Powell, emphasising five key operating principles Maersk implemented in the wake of the attack: