Cyber Insider: Hi David. Your background in Cyber Security spans a diverse range of sectors – how has this experience informed your understanding of Cyber Security, and what is it that drives your interest in the field?
David: First of all, I have always seen security in general as being essential to society, perhaps because my parents and other family members went through World War 2, my father in British military intelligence, his elder brother in the French Resistance and my mother in the Jewish underground in Hungary. I’ve also served in both the British and Israeli armies. As far as cyber is concerned, I already had a background in programming from school, although it was very primitive code on punch cards. But years later, when I was a journalist with AP, I helped the technicians to set up the first computers in our office, very naughtily gave myself super-user access, and then was able to read all sorts of confidential stuff, including the traffic of other correspondents using the AP system: I even managed to get an important political scoop out of that. After that, I learned how to hack X25 communication networks from my home PC, and went on from there, learning from experience and my contacts with the hacker community about everything from the first viruses to the misuse of social networks. So what drove me was a combination of curiosity, my inbuilt understanding that the confidentiality and availability of information were really important, and what I learned over time about how insecure computers and networks really were. And then, a few years later, I was invited to become the first professional adviser to the Israeli government committee on Internet and information infrastructure, which naturally brought me into direct contact with an intensely security-conscious organisation that was completely unaccustomed to sharing information with the outside world – in fact, rather opposed to the idea even though it understood the need to modernise public services – so I had to become involved in a lot of these cybersecurity problems, even if we didn’t yet use that term. 
I was also involved from my experience of living in Israel, including my army reserve service, in the whole problem of terrorism, and I was also professionally involved in the issues of financial crime, especially money laundering and terror financing. So it became clear to me that cyber weapons could be used for terrorism as well as crime and general mischief. As a result, perhaps unlike most people in the cybersecurity field, who have a more technical background, I looked at this domain from the point of view of threat actors and how they would want to exploit not only the vulnerabilities of our IT infrastructure but also our psychological, organisational and political vulnerabilities.
What this means is that I am more of a generalist than most cybersecurity people. However, I have been focused over the last few years on the financial industry, not least because I was the victim of a fairly large fraud that was at least facilitated by cyber factors, and on other critical infrastructure industries such as power generation, aviation and shipping. I have also had the great privilege of working together with Chatham House on two fascinating workshops they ran, one on the cybersecurity of space and the other on the cybersecurity of nuclear weapons.
Cyber Insider: You regularly speak on the subject of Shipping in Cyber Security – What are the main threats facing Shipping from a Cyber Security perspective and what can be done about these threats?
David: The problem with the shipping industry, in broad terms, is that it is a very ancient and traditional industry that has been forced by circumstances, including economic pressures, to become very highly automated and computerised, but faster than it is able to understand and manage the risks. We’re talking about pretty well everything that makes a ship run, from the engine management and monitoring systems to radar to navigation to freight handling. I just read this morning about a bulk cargo ship that was potentially in danger of sinking in port because the computer that was managing its physical balance in the water was not programmed correctly; and that is just one of many things that can go wrong. Ships can be hacked easily through the satellite data links through which they are receiving software and navigation chart updates, through the networks, again mainly via satellite, used for e-mail and crew or passenger entertainment, or indeed through Wi-Fi links to shore when they are in port. The many electronic systems on a ship’s bridge can easily be supplied with insecure software code or even processing units, because the companies that sell them have only recently woken up, just like ship owners, to the fact that shipping is a huge and very tempting target for hackers. And crew members, who are usually completely untrained on cyber risk, can do, and do, stupid things like plugging their cell phones into a USB socket on the bridge to recharge them: in one case, this completely wiped out the ship’s navigation console.
How big is the risk? Something like 90 percent of all international trade is carried by sea, to a total value of trillions of dollars every year: basically, the entire global economy depends on the shipping industry functioning undisturbed. Some of this huge volume of trade is carried by oil and gas tankers, or bulk carriers transporting coal, metal ores or grain such as rice or wheat; but most of it is in 20- or 40-foot metal containers, many of which now have temperature, humidity and ambient gas sensors built in to facilitate the shipping of perishable food, or pharmaceuticals, or other valuable cargo. But when the biggest container ships today can each carry more than 20,000 containers, these sensors are producing enormous amounts of data that is needed to maintain the cargo in optimum condition, and also needs to be uploaded to the shipping company’s data centre. So if a hacker can interfere with the sensors’ functioning, he can cause tremendous damage to the cargo itself; and if he can turn these sensors into an IoT botnet, he can use it to attack other systems, whether on that ship or even elsewhere. Similarly, he can change the identity information of the containers themselves, so that after being unloaded they all get sent off by land, or another ship, to the wrong destinations. All this is on top of a threat that has already been experienced in the port of Antwerp, where containers full of hard drugs were smuggled out of port without being inspected by customs, because the container management system had been hacked. GPS systems of about 20 ships in the Black Sea were also made to produce false position data, apparently by a Russian GPS jamming system on land that was intended to make enemy cruise missiles misnavigate.
What needs to be done is a combination of far better training and awareness, which is very slowly beginning to happen; but more importantly, cybersecurity technology needs to be used at sea as it is on land. This means doing white-hat hacking on ships and port systems in order to map and understand their vulnerabilities. It means making sure that the operating systems, which unfortunately are typically Windows XP, are constantly patched, and preferably modernised to the latest, more secure versions; and the same goes for every bit of software or firmware. It also means installing the same kinds of firewalls, anti-malware, e-mail filtering and so on as is done on land; but also adding security solutions that are designed to protect operating technologies, whether engine control software or steering gear or ballast pumps or container-handling cranes. Similarly, IoT networks that monitor containers and also the mass of sensors needed to keep ships running properly need to be secured: this means, first of all, implementing security by design in these networks, with no use of default passwords.
There are also three key elements of maritime cybersecurity that require a lot of organisational effort. The first, which is already beginning to happen, is for the classification societies such as Lloyd’s Register, which effectively carry out safety checks for the shipping industry – MoT tests for ships, if you like – to include cybersecurity requirements in their design and testing rules for ships, and incidentally also oil and gas drilling rigs. The second is to set up a properly designed maritime industry ISAC (Intelligence Sharing and Analysis Centre) that can gather information on cyber-attacks, in real time, from the cybersecurity systems on ships and in ports, preferably automatically and without human involvement, so that it can be analysed and shared with other shipping companies and ships’ masters, in order to warn them of what new threats are out there, and also to collate data that at the moment isn’t available, mainly because cyber-attacks on ships are either not really noticed, or hidden by the crews and owners because they don’t want to admit to being insecure. The third, which depends on the previous two, is for the marine insurance industry to offer policies as a matter of course that don’t have the standard exclusion for damage caused by cyber-attacks. This is hugely important for the industry, because if a very large container ship sinks with a full load of high-value cargo as the result of a hack, the owner or charterer might be at risk for a billion pounds or so; and if a very large crude oil or liquefied natural gas tanker runs onto a reef and its cargo escapes, especially if a gas tanker explodes, then the shipping company could end up with multiple billions of pounds in claims for environmental and other damage. Since the world shipping industry is in bad shape financially, it’s extremely important to transfer this risk to the insurance industry, especially as insurers are now increasingly involved in actual risk management.
Cyber Insider: With the ever-connected nature of modern technology, in particular with the advent of IoT technology, the physical world and the cyber world are becoming more and more intertwined. What are the implications of this for Cyber Security professionals? Do you think there will be an increase in demand for Cyber Security as a result of this trend?
David: There seems to be no doubt that the demand for cyber security professionals is constantly rising, both because the risks are becoming bigger and because the governments and companies that own the risk are increasingly aware of their responsibilities, thanks in great part to much tougher regulation. I’m sure this demand will continue to grow, although I think some of it can be moderated and made more affordable by giving everybody in the organisation better training, especially on the relatively simple risks such as malicious payloads or links in e-mail, the use of personal devices, and social media risks. And in addition, CISOs and other cybersecurity professionals need to be much more aware of the specific risks in the industries or professions where they are working: technical skills are certainly transferable, but if you move from retail to, say, nuclear power, the systems, the data and the culture are all very different.
Cyber Insider: What industries do you predict will be most impacted by the increasing ability of Cybercriminals to impact the physical world? With ransomware attacks already causing tremendous disruptions, as seen with the Petya attack’s effects on Maersk amongst others, what do you see in the future?
David: Well, since I am very focused on maritime and also know that the threat actors can read, and do research, I would say with little doubt that there are likely to be more attacks on this domain. And we should all bear in mind that ships don’t only carry our cars, new cell phones and children’s toys, but also our global food and energy supplies; the impact on the physical world could be very serious if any of the eight major maritime choke points – such as the Panama Canal or the Malacca Straits – gets blocked by a ship collision. Bear in mind that the United Kingdom’s economy and welfare are totally dependent on open and secure shipping lanes, because the country only has a few days of strategic food reserves.
Ransomware could start to reach the scale of hundreds of millions of pounds for a single attack against critical infrastructure, such as energy production or aviation, or simply high-value targets such as cruise ships. What we have already seen in cyber-attacks on critical infrastructure in Ukraine, apparently carried out by Russian state or proxy actors, suggests that there will be more such attacks, more politically than financially motivated. And with rising political tension surrounding both North Korea and Iran, countries with very serious cyber capabilities that actually exceed their conventional war-fighting power, I am very concerned that we will start to see more and bigger attacks on the critical infrastructures of these countries’ foes, whether South Korea and the USA or Israel and Saudi Arabia. And, of course, apart from deniability, Iran and especially North Korea have much less sophisticated IT infrastructures against which one can mount a really damaging counter-attack.
Cyber Insider: Cyber Security is far from just an office problem – it can affect industrial processes at all levels, including oil rigs, mining operations and many more – what can you tell us about Industrial Control Systems and the work being done to ensure serious environment, ecological and economical damage is not done in this manner?
David: Well, I have already touched on this problem. But to go into more detail: one problem with industrial control systems is that they are less standardised than computer operating systems, so even understanding their vulnerabilities requires more expertise. There are also far more legacy systems in industrial controls, most of them designed before anyone had thought about cyber risk. And unlike banking systems, where the worst thing that can happen is that customers will lose so much money from a hack that the bank is forced out of business and perhaps the government has to mount a financial rescue operation, hacks against industrial infrastructure such as oil refineries, chemical factories or pharmaceutical production lines can kill a lot of people, to say nothing of pollution and economic damage. Fortunately, there is much more awareness of the risks, more cybersecurity professionals are now specialising in ICS, and more technological solutions are being developed by both well-established companies and start-ups: these include automated white-hat testing systems, firewalls designed to inspect data packets specific to ICS, intrusion protection, honeypots and so on. And there is a growing network of ISACs, whether specifically for Industrial Control Systems or more generically for industries such as aviation and water supply, to help share and analyse information on attacks and known technology vulnerabilities.
Cyber Insider: In the ever-increasing tech-integrated world of work, the amount of software involved in these services is often an overlooked aspect of Cyber Security for companies. How much consideration should a business give to the component parts of its technological supply chain, be it hardware or software, and what more can be done to help simplify this process?
David: This is one of the relatively concealed risks affecting the entire business world. Some of us remember the case of Oracle shipping business-critical software on CD-ROM that had been infected with malware during the production process. But in reality, both operating system and application software and the hardware on which it runs can be vulnerable. This is partly because an operating system can have a hundred million lines of code, any of which can be badly written; and the same is broadly true for the micro-code in processors. It’s partly because skilled hackers can discover and exploit these vulnerabilities. It’s also because so many users do not install operating system and software patches as soon as they are released, or because they are still using Windows XP, for which there are basically no patches available. But there is also a lot of negligence, especially technology companies not doing proper code auditing with tools that already exist; and it seems to me that even standard operating systems such as Windows should have to go through external security certification in the same way as new aircraft have to be approved by national and international regulators before they are allowed to carry passengers, or pharmaceuticals need to be approved by the FDA or the European regulator before they can be sold to the public. And one other absolutely essential part of improving the security of the technology we use is that governments should simply start banning the restrictive clauses in software licence agreements that basically absolve the manufacturers, whether Microsoft or Adobe or whoever, of legal responsibility for any damage or loss caused by using their products. We don’t accept such restrictions on the responsibility of auto manufacturers or pharmaceutical companies, and we absolutely shouldn’t in the case of information technology.