Presentation on theme: "Cyber and Maritime Infrastructure Threat, Risk and Response CAPT Fred Turner, USN."— Presentation transcript:
Cyber and Maritime Infrastructure Threat, Risk and Response CAPT Fred Turner, USN
The Process Acknowledge a “cyber” threat to maritime infrastructure exists Assess the “cyber” risk to maritime infrastructure Address the “cyber” issue to secure our maritime infrastructure…but it must be a “team sport” – Industry – industry partnerships – Industry – law enforcement – military - government – International – regional – national partnerships Cyber is not really a “threat,” “risk” or the “issue”…it is the medium/domain/terrain that interconnects with the maritime domain…and is the means by which an actor may threaten maritime infrastructure We are here
Threat & Vulnerability Emerging cyber threat vs. critical infrastructure – Targets…face similar delivery methods & payloads Government organizations (civilian & military) Defense industries Energy sector Communications sector Financial sector Maritime sector next? – Evolving threat…web site defacement, DDoS, data destruction, ICS/SCADA/HM&E manipulation – Motives…state & non-state…exploitation, theft, attack Network/communications infrastructure vulnerabilities – Network vulnerabilities; information assurance, removable media, wireless access – The users; insider threat and negligent users – Supply chain Network infrastructure is directly tied into the maritime infrastructure… a system of systems which can effect port operations, ships at sea, etc.
Assessing the Risk Cyber Risk to Maritime Infrastructure = – Threat = Capability + Intent -> – Vulnerability -> – Consequences Challenges – Lack of common, understandable terminology – Lack of understanding of our networks and how they connect to maritime infrastructure; need “maps” – Deficiency in including cyber in maritime infrastructure risk assessments…must integrate into current processes – How do we calculate real vs theoretical risk? Potential impact on maritime operations and cost? – Lack of understanding of “red lines;” ours and “theirs” We are all connected and are thus only as strong as our weakest link…so to a large degree, we share each other’s risk Terminal operating system Business network M/V Line operations & maintenance network Adversary Compromised network
Securing Maritime Infrastructure Utilizing cyber risk assessment to enhance maritime security – Guidance; strategies, policies & plans – Training; for users but also to develop cyber expertise – Resource allocation; fix priority vulnerabilities in existing architectures and networks…and build security into new ones Cyber security cooperation & collaboration – Information sharing (e.g., threat, vulnerabilities, incidents & response, lessons, best practices, training) – Training; collaboration in curricula & sharing experts – Agreements; informal/voluntary OK but formal better – Organization; virtual group or regional cyber threat center All stakeholders must participate…industry, law enforcement, military, government departments/ministries…at all levels…national, regional & international
U.S. Government Accountability Office, Maritime Critical Infrastructure Protection, June 2014 (Washington, DC: GAO ), 43.