In the face of rising levels of malicious cyber activity by both state and non-state actors, the British Government and the National Cyber Security Centre want to foster a risk-aware and well-protected maritime sector
As the former director of incident management at the UK’s National Cyber Security Centre (NCSC), John Noble is a man whose views on cyber security are worth listening to. Speaking at a cyber security workshop in London organised by Templar Executives, he outlined the UK Government’s cyber security strategy, how NCSC fits into this, and what this means for the maritime sector.
There are two quite worrying trends in cyber security, noted Mr Noble. First is that tools used for cyber attacks are becoming cheaper and more widely available via the dark web. Second is that more and more countries are utilising cyber, whether for disruptive attacks or for espionage and to spread influence. Predicting that we will see more and more disruptive attacks, Mr Noble noted that the maritime sector is a key part of national infrastructure and that a cyber attack on it would have a major economic impact.
In order to provide a bulwark against this sort of threat, then-chancellor George Osborne established the NCSC in 2016 as part of GCHQ, the UK’s signals intelligence service based in Cheltenham, to provide an authoritative hub of cyber expertise. The NCSC has four main goals, said Mr Noble.
The first is to understand the threat. For the maritime sector, this means understanding what state actors may be interested in carrying out attacks and why. Information generated by looking into this can then be shared with interested parties.
The second goal is to mitigate the impact of attacks – to share knowledge and help victims of cyber attacks to recover both from the attacks themselves and from their knock-on consequences.
The third goal is to create partnerships between industry and the government. To this end, the NCSC has a transport sector lead whose role is to share best practice information with industry.
And fourth, the NCSC wants to grow the UK’s cyber security capability. This means making sure there is an available, diverse pool of talent to draw from, as well as improving resilience by encouraging the “secure by design” philosophy, which encourages developing software with security integral to its design right from the start and not as a bolt-on added later.
Mr Noble explained that NCSC sees eight main reasons why companies’ cyber security is being compromised, with reference to the maritime sector.
First is how companies make risk-related decisions. “Time and time again we go to a company who’ve been compromised and discover that they have made basic decisions, often at board level, about accepting risk that they really didn’t understand,” said Mr Noble. With increasing shipboard use of the internet of things, many countries have issued guidance on how to factor in cyber risk. In the UK, the Department for Transport has published a code of practice for maritime cyber security that advises organisations on assessing their cyber security, managing risk and handling incidents; it can be used alongside a similar code of practice produced for ports. The US Coast Guard has produced comparable guidance, so government support is available to organisations assessing cyber risk.
Second is getting the basics wrong. Mr Noble estimates that 80% of cyber attacks could be avoided by taking care of the basics, for example keeping software up to date with the latest patches and using two-factor authentication.
Third is network complexity. Organisations may have networks so complex that they do not understand what they are trying to protect. A way around this is to assess what equipment really needs to be networked, and what could be compartmentalised.
Fourth is use of legacy equipment that no longer receives software updates. Mr Noble said that a lot of the time when NCSC detects malicious activity on an organisation’s network and warns them of this, the weak point is a piece of such legacy equipment. This is especially an issue in the maritime sector, he added, noting that again, if you can’t afford to replace unsupported equipment you should at least assess whether it can be compartmentalised.
Fifth is the supply chain, which Mr Noble noted has been a big factor in recent months, particularly in attacks originating from state actors. “If you have connectivity with someone who has failed to use basic cyber hygiene you’ll inherit their risks,” he added.
Sixth is M&A. “Every time you make a merger or acquisition you will be bolting on cyber risk,” said Mr Noble, noting that while financial and operational risk form part of due diligence processes, cyber is rarely a factor.
Seventh is outsourcing, where again poor cyber hygiene on the part of the supplier can provide an entry point for cyber attacks. A lot of companies outsource to the cheapest provider without factoring in cyber security, said Mr Noble, but “if something goes wrong with one of your suppliers, you will be the one that suffers reputational damage.”
And eighth is the human factor. This can be issues such as the competence level of people responsible for cyber security and what sort of training is provided to foster a good level of cyber hygiene at all levels of the company.
In terms of what the industry as a whole can do, collaboration is essential, said Mr Noble. “Sharing in a highly competitive industry may not feel the right thing to do but it absolutely is,” he said. If one company gets hit it is highly likely that others in the sector will also be at risk, so a way must be found to share threat information and best practices, he said.
“The opposition are very good – they’re agile and they can move quickly when they identify a vulnerable company.”
Riviera Maritime Media’s European Maritime Cyber Risk Management Summit took place in London on 15 June, 2018 with the theme Maritime Cyber Security: People, Processes and Products.
John Noble CBE
John Noble CBE has worked in the UK’s public sector for more than 35 years. Since July 2018 he has been a non-executive director on the board of NHS Digital, leading on information and cyber security and chairing the Information and Cyber Security Committee. He also works as a senior advisor at management consultancy McKinsey & Company. From 2016-2018 he was director of incident management at the UK’s National Cyber Security Centre, leading responses to more than 800 major incidents during his tenure. From 2012-2016 he was a counsellor at the British Embassy in Washington DC. In 2012, he was awarded a CBE in recognition of work he carried out to create effective partnerships in the run-up to the London Olympics.