One year ago, HANSA showed the strategy and background of the CSO Alliance, a project for gathering information in order to get prepared for cyber attacks. Since then, it has made a lot of progress. Michael Meyer takes another look.

A brief look back: the CSO Alliance relies on tried and tested forces from the fight against piracy in a new guise. It aims at a worldwide network of information and informants. It mainly consists of Chief Security Officers (CSO) of companies and organizations, but it should not stay that way from the start.

Marc Sutcliffe, Managing Director of the UK-based CSO Alliance, strikes a positive first balance although simultaneously he knows that there is still a lot to do. »We are steadily growing and evolving the business,« he tells HANSA. As one step in this process, instead of selling information directly to ship owners, the alliance now has licensing agreements, for example with Norwegian War Risk. CSO Alliance members can make best use of the infrastructure in the alliance’s »private group«.

Key supporters like DNV GL, North P&I and the Marshall Islands flag registry are still on board. New partners might be added, Sutcliffe reveals, »as we roll out the licensing model.« Another very important step was the launch of the partnership with aviation giant Airbus, which is supposed to enter a second phase still in 2018. Airbus supports the alliance with workshops and expertise. »They have over 700 people in the cyber division and as we shape up our reporting and structures, more resource can flow. They are looking at investing in some new online tools in both CSO Alliance and Cyber Alliance to help CSO & CISOs,« Sutcliffe adds.

Privacy and infrastructure are two of the most crucial points behind the whole idea and the work of the project. Especially with regard to the expected digitization wave in the industry, the awareness is steadily growing. According to Sutcliffe, the awareness is in fact improving, »but we do need a single source to collect and support and that is what the MCERT will do by adding industrial horsepower.« MCERTS is the UK Environment Agency’s »Monitoring Certification Scheme.« Certainly, the malware incident Maersk/Petya last year seems to have focused a few maritime minds.

The concept of the Alliance is as simple as it is effective: members report cyber-attacks that have been committed, prevented or that are potentially pending. The information is recorded, evaluated, if necessary analyzed and passed on. In this way, perpetrators, criminal networks and procedures can be identified and responded to with appropriate countermeasures or protective measures. Observers of the maritime security sector are by no means unfamiliar with this approach: this remedy is also used to combat modern pirates. One example is the Southeast Asian cooperation agreement ReCAAP. Initially smiled at, it has now become a success story. Because individual national authorities are much more aware of pirate attacks, strategies, and operational areas, many abuses can be prevented in advance. A key argument for stronger cooperation is the sophisticated system the project is based on, so that it does not itself fall victim to cyber criminals.

So far, no attack on the network itself has been discovered. But the system has been fully penetration tested and corrective actions have been taken.

At least as important is the feature of anonymous, encrypted reports. A portal is designed to provide information on attacks, recommendations for action and live statistics just hours after a report has been made. In a secure forum, a direct exchange is also possible. A driver of the alliance’s structure was and still is the phenomenon of under-reporting. Many sufferers still refrain from giving information or even reporting it. They fear loss of reputation among potential customers, rising insurance premiums or protracted investigations by the police and the judiciary.

As HANSA learned, within the CSO community there is some 20% more crime reporting than at other international reporting centres. One reason might be that many of these reporting centres do not list incidents unless they are reported directly by a vessel’s master or CSO. In contrast, the alliance includes verified reports from other agencies and reporting bodies. »We believe that only by collating all incidents you can get a realistic picture of the problem,« Sutcliffe emphasizes. He is convinced that a major cyber attack can be prevented: »The virus takes around four days to travel around the world, so there is plenty of time to share. As we have both human and automatic reporting it gets easier to track and analyse.«

Once an attack is analysed, the alliance may contact the authorities. As it is based in the UK, the leaders meet and talk with »Govt Cyber resource«. The new director Chris Gibson of the MCERT used to run the UK CERT. Sutcliffe sees more synergies to explore. »We’ve also spoken with the UK’s National Cyber Security Centre, who have been supportive,« he adds.

With regard to the experience gained so far, a focus of the project is on cyber attacks on ports. In recent years there have been attacks, among others, in Genoa, Rotterdam, Dubai, Antwerp and Vancouver. This is an explicit part of the concept, so port CSOs are also involved. Sutcliffe, however, still sees potential: »We are working on and talking with port contacts for five years about a PFSO Alliance so that we can create security process efficiencies between our CSOs and PFSOs (port and facility security officers).« Only a couple of days ago, he was speaking at a special »port event« at IMO. According to him, this was the first time all the ports met at the U.N. maritime body.

Last but not least, the shipping industry gains an overview of what can happen and how to detect an attack through the portal. The gateway to internal networks can be traversed in various ways, such as USB sticks containing malicious software, when updating electronic nautical charts (see pp. 36-37) or through spam e-mails. Experts believe this happens in shipping every day, but there is a lack of concrete information and of the »criminal footprint« of cyber attackers. The crucial, admittedly hypothetical question is: can the industry afford not to share information? No, Sutcliffe and his colleagues say.


Michael Meyer