This document proposes a project to create educational materials about maritime cyber security risks. It aims to educate non-technical maritime industry employees through videos and guides. A working group of industry experts will identify common risks and vulnerabilities and distill technical knowledge into practical advice. Their findings will be given to creative specialists to develop engaging media. The goal is to widely disseminate knowledge to help detect, prevent, and respond to cyber threats and reduce companies' exposure. The project seeks funding and industry partners to collaborate and share the production costs.
The Essentials | Privileged Access Management - Ryan Gallavin
SSH is nearly ubiquitous in today’s enterprises, and is the predominant tool for managing unix and linux servers, and the applications and data that they host. Poor practices around the deployment and management of the SSH infrastructure could easily leave your enterprise vulnerable to a breach. Are you in control?
AWS Webcast - High Availability with Route 53 DNS Failover - Amazon Web Services
This webinar discusses how to apply DNS Failover to a range of high-availability architectures, from a simple backup website to advanced multi-region architectures.
The CQRS pattern enables you to build highly scalable, distributed and event-driven applications. Microsoft Azure contains all the serverless building blocks you need to take advantage of the CQRS pattern. In this session, we’re going to transform a monolithic web app into a modern cloud application that easily handles peak loads and offers great flexibility. Expect architectural guidance, cost-effective designs and live demos.
Session 3 - i4Trust components for Identity Management and Access Control i4T... - FIWARE
This session consists of two parts. The first part of the session will introduce you to i4Trust IAM components in detail while the second will introduce i4Trust Marketplace Services. Technical session for Local Experts in Data Sharing (LEBDs)
AWS Fargate is a technology for Amazon ECS and EKS* that allows you to run containers without having to manage servers or clusters. Join us to learn more about how Fargate works, why we built it, and how you can get started using it to run containers today.
"What if weather or any other major event prevents a large number of your users from coming into the office? Does your VPN or remote connectivity solution scale?
Deploying solutions in AWS gives you access to agility, cost savings, elasticity, breadth of functionality, and the ability to deploy globally in minutes. With access to these benefits through the AWS platform, administrators can launch global, scalable and resilient VPN solutions to support your business at a moment's notice.
In this session, learn how to build a flexible, elastic, highly secure VPN infrastructure by using Amazon Route 53, Amazon EC2, Auto Scaling, and 3rd party solutions to allow hundreds or thousands of users to work remotely as soon as the first snowflakes begin to fall.
To attend this session it is suggested that attendees have a working knowledge of VPC, EC2, general networking and an understanding of routing protocols."
Build real-time streaming data pipelines to AWS with Confluent - confluent
Traditional data pipelines often face scalability issues and challenges related to cost, their monolithic design, and reliance on batch data processing. They also typically operate under the premise that all data needs to be stored in a single centralized data source before it's put to practical use. Confluent Cloud on Amazon Web Services (AWS) provides a fully managed cloud-native platform that helps you simplify the way you build real-time data flows using streaming data pipelines and Apache Kafka.
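Shinhan Investment Corp.'s Cloud First Strategy in an Era of Accelerating Paradigm Shift in Financial Services - Shin Jung-hoon, AWS Solutions Architect / Choi Seong-bong, Cloud... - Amazon Web Services Korea
Shinhan Investment Corp. has established a digital transformation master plan to respond nimbly to the rapidly changing financial environment, and is preparing to launch services in earnest in the first half of 2021. It is pursuing a Cloud First strategy that shifts the center of its business and services to the cloud. As part of the Cloud First strategy, it has begun building a cloud-based data analytics platform and an AI contact center to deliver data- and customer-centric seamless services. In this presentation, we share the questions we worked through while building these services: Why Cloud, What, and How to do.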
1. The document discusses how to configure a Network Load Balancer (NLB) with a PrivateLink endpoint to provide private access to services within a VPC.
2. Key steps include creating an Elastic Network Interface (ENI) in each Availability Zone, associating the ENIs to the NLB, and specifying the PrivateLink endpoint DNS name to route traffic privately.
3. PrivateLink allows networking interfaces and resources to be accessed privately without an internet gateway, NAT device, VPN connection or AWS Direct Connect.
Swift 7.2 & Customer Security: Providing choice, flexibility and control. Nancy Hernandez
Meeting Swift 7.2 & Customer Security Deadlines: Practical strategies for success.
Presented by Patricia Hines, Senior Celent Analyst and Head of Swift Services, B. Venkat from PayCommerce.
2016 06 - design your api management strategy - axway - Api Management - SmartWave
David Soulalioux, API Gateway pre-sales engineer at Axway, illustrated, among others, a concrete use case of cloud API management at a worldwide energy industry leader. The presentation showed how the existing APIs of the customer’s “Fuel Market” intranet website were exposed to the outside world. This integration outlined the added value of the API Gateway as an authentication layer and as a security and Quality of Service (QoS) enforcement point. The chosen cloud infrastructure also made for a scalable and reliable solution, allowing developers to focus on services instead of worrying about the infrastructure.
The document provides an overview and implementation guide for ISO 27001:2013, an internationally recognized standard for information security management systems (ISMS). It discusses key principles like risk-based thinking, process-based audits, and the PDCA (Plan-Do-Check-Act) cycle. The benefits of ISO 27001 certification include commercial advantages, more robust operational security, and peace of mind. The guide then covers each clause of the ISO 27001 standard in detail to help organizations successfully implement an ISMS.
Architecture Patterns for Multi-Region Active-Active Applications (ARC209-R2)... - Amazon Web Services
Do you need your applications to extend across multiple regions? Whether for disaster recovery, data sovereignty, data locality, or extremely high availability, many AWS customers choose to deploy services across regions. Join us as we explore how to design and succeed with active-active multi-region architectures. Please join us for a speaker meet-and-greet following this session at the Speaker Lounge (ARIA East, Level 1, Willow Lounge). The meet-and-greet starts 15 minutes after the session and runs for half an hour.
Running Containers Without Servers: Introduction to AWS Fargate - SRV214 - At... - Amazon Web Services
AWS Fargate makes running containerized workloads on AWS easier than ever. In this session, we provide a technical background for using AWS Fargate with your existing containerized services. We include best practices for building images, configuring task definitions, task networking, secrets management, and monitoring.
OpenSearch is a community-driven, open source search and analytics suite derived from Elasticsearch 7.10.2 and Kibana 7.10.2. It was initiated by AWS and consists of the OpenSearch search engine and OpenSearch Dashboards visualization interface. OpenSearch aims to provide a true open source search and analytics engine following licensing changes by Elastic that removed Elasticsearch's open source status.
Cost efficiencies and security best practices with Amazon S3 storage - STG301... - Amazon Web Services
Join us to learn best practices for Amazon S3 cost optimization and security. Amazon S3 supports various storage classes to help you cost-effectively store data. In this session, Amazon S3 experts discuss these storage classes, their key features, and the use cases that they support. We examine the newest storage classes, S3 Intelligent-Tiering and S3 Glacier Deep Archive. Learn about Amazon S3 access control policies, encryption, and security monitoring. Also, learn how to use S3 Block Public Access, a feature that helps you enforce a no public access policy for an individual bucket, a group of buckets, or an entire account.
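Every request to use AWS resources goes through Identity and Access Management, or IAM. IAM is therefore the most basic yet most essential tool, and the starting point for protecting your valuable workloads. In this session, we look at how authentication, authorization, and auditing work on AWS, and walk through a variety of cases.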
I would like to thank my family, friends, colleagues, and everyone else who supported me in writing this book. Their encouragement and feedback were invaluable.
The document discusses Amazon Route 53 and Route 53 Resolver for hybrid cloud DNS. It explains that Route 53 Resolver allows DNS queries to be resolved between on-premises networks and AWS resources using private and public DNS zones. It provides examples of configuring inbound and outbound endpoints to allow resolution of queries from VPCs and on-premises to internet domains and private domains. The document also mentions additional capabilities like resolving queries for internal domain names in a VPC.
The document discusses creating an airport threat analysis framework to measure an airport's ability to resist and recover from cyber attacks. It notes that airports face unique cybersecurity challenges due to their use of SCADA systems, BYOD, electronic boarding passes, and shared IT systems. The document examines cyber attacks that have occurred at airports and identifies potential targets, including access control systems. It argues that a holistic approach is needed to address cybersecurity across airports' networks, devices, applications, and backend systems. Finally, the document advocates for a multi-agency approach to analyzing and addressing cyber threats across critical infrastructure like airports.
Unit 7 Assignment Group Assignment – Risk Analysis and Ident - corbing9ttj
Unit 7 Assignment Group Assignment – Risk Analysis and Identification
Assignment 7 will also be completed as a team assignment. Teams for the Group Assignment will
be assigned by the end of week 2. Each team will be randomly assigned in Blackboard. At the
beginning of or prior to Week 4, the team should assign a team leader to coordinate the team's
work due in Week 7.
Your team represents the State’s contractor selected by the State to carry out the Risk Assessment
Project for this case study. Your company's senior management and the State's Project Manager
have requested that you prepare a risk management plan that identifies potential risks and identifies
risk management strategies. From the course content and readings, you know that the overall
purpose of risk planning is to anticipate possible risk events and be ready to take appropriate action
when risk events occur—to eliminate or reduce negative impacts on the project.
Scenario
As the industry moves into a smart-shipping era, the risk of cyber threats is at an all-time high.
Digitalized ships, increasing interconnectedness, the extended use of electronic data exchange and
electronic navigation increase the likelihood of cyber-attacks in variety, frequency and sophistication.
Cyber threats are one of the most serious economic and international security challenges facing the
maritime industry today. The need for protection and security enforcement to mitigate the threats is
more important today than ever. Guidelines to support secure cyber operations and contingency plans
to be followed in case of a cyber incident have become necessary. The XYZ Shipping Chamber,
recognizing the increasing concern of its Members with regard to cyber security and their
protection, developed this document with the intention to create awareness of the threat and provide
guidance to its Members.
Company Description
“We own and/or operate over 100 ships which include tankers, bulkers, and container ships. We employ
directly over 3,000 employees in seven offices worldwide. The company operates as an owner and
technical operator, including crewing services”.
Motivation
“Driving this shipping company’s cyber security initiatives is the increasing awareness of the invasive
nature of cyber-criminal activity in the shipping industry. Cyber threat has imposed an elevated cyber
security related risk awareness from ship owners, the company board of directors, cargo owners, and
legal / regulatory bodies such as TMSA, IMO and USCG to name some, as well as P&I club coverage”.
4.1 “Reducing the risk should be the main deliverable of the company’s cyber security strategy and
outcome of the risk assessment decided by senior management. At a technical level, this would include
the necessary actions to be implemented to establish and maintain an agreed level of cyber security.”
4.2 Ships entering / leaving management pose added challenge to mai ...
SECURITY AND SAFETY OF THE POWER GRID AND ITS RELATED COMPUTER INF.docx - bagotjesusa
Security and safety of the power grid and its related computer information systems
Name of the student:
Name of the institution:
The use and application of information and communication technologies has increased across most critical infrastructure and government departments. These technologies have proved fundamentally significant in helping the various departments carry out their daily activities with ease and proficiency. However, these systems have also opened up considerable unforeseen opportunities, both positive and negative. The infrastructure has become highly efficient and flexible, and this has been very beneficial to the people. On the other hand, there have been persistent problems with cybercrime and with hackers who have repeatedly outsmarted the government and its security protocols. This has cost the state billions of dollars through the theft of its secrets and high-level information. It is therefore right to analyze the general measures that can be put in place to prevent cybercrime and cyber threats, and important to validate all the measures that every organization needs to put in place. The paper will give recommendations that can help the named organization solve the issues mentioned.
To address this issue, proper precautions need to be put in place. The government has to demonstrate preparedness in combating this crime, both in the systems it puts in place and in legal jurisprudence (Higgins, 2016). The US power grid is an interconnected system made up of power generation, transmission software, and distribution, with the capacity to bring down the whole economy if not well protected. The nation's Department of Defense (DoD) is one of the most critical and sensitive institutions and could paralyze the state if tampered with by unscrupulous individuals. The situation is even worse if there is an advanced persistent threat (APT) against the computers and software that operate the western interconnection power grid. This calls for urgent measures to remove the threat immediately and prevent its recurrence. We recommend that the concerned departments take the following measures for the security and safety of the power grid and its related computer information systems:
a. Creation of a special branch that is specifically dedicated to cyber security
It is high time for the government to create a special branch of military personnel dedicated to fighting cybercrime (Higgins, 2016). Its main functions will be to detect cybercrime activities, to develop mechanisms to prevent cybercrime, and to apprehend, arrest and arraign cyber criminals in a court of law.
b. Creation of special court to determine cybercrime cases
Security and safety of the power grid and its related computer information systems and those crimes associated w.
This document provides an overview of maritime cyber security and risks. It begins with some definitions and opinions on the increasing issues around cyber attacks. Statistics are presented showing cyber attacks are rising in both impact and likelihood. Various cyber threats are described, from hacking and espionage to disruption. Specific issues for the maritime industry are then covered, such as the increasing digitization of vessels and challenges around crew connectivity and access to the internet. The differences between information technology (IT) and operational technology (OT) are also discussed in the context of maritime cyber security.
Cyber-insurance and liability caps proposed as incentives by Department of Co... - David Sweigert
It is important to note that while the incentives study was required within 120 days of the date of EO 13636, the preliminary version of the Framework is required within 240 days of the date of EO 13636. In addition, DHS will be establishing a voluntary program to support Framework adoption within 365 days of the signing of EO 13636. This report is limited by the current understanding of what the Framework will entail and would benefit from more specifics to inform the analysis and recommendation of the incentives designed for promoting its adoption. For example, knowledge of the Framework would allow the cost of Framework adoption to be quantified. Since the Framework is still under development, this was not possible, and so the incentives considered were evaluated at a more general level with the understanding that the analysis would be updated as needed as the Framework is developed. Since the Framework is still in development at the time of this writing, the incentives that are intended to promote its adoption were assessed prospectively, in terms of the likelihood that they will motivate organizations to adopt the Framework in the future. It is expected that the most effective incentives will not only promote adoption of the Framework.
Get Ahead of Cyber Security by Tiffy Issac, Partner EY India - Rahul Neel Mani
Internet of Things “IoT” can be defined as physical objects that connect to the internet through embedded systems and sensors, interacting with it to generate meaningful results and convenience to the end-user community. According to industry estimates, machine-to-machine communications alone will generate approximately US$900 billion in revenues by 2020.
An advanced portfolio of leading infrastructure solutions for IT and OT networks. Our solutions include protection for wired and wireless networks and aid in the construct of highly secure indoor, campus, and outdoor networks.
This document outlines a 5-step process for managing organizational ICT security:
1. Identify the organization's business objectives to ensure ICT resources support them.
2. Identify all ICT resources, including network infrastructure, servers, user devices, and hardware.
3. Identify and assess risks to ICT resources, such as theft, damage, and unauthorized access, and prioritize them based on likelihood and cost.
4. Develop activities to mitigate risks through a 7-layered approach involving policies, physical security, perimeter controls, internal access management, host protection, and application hardening.
5. Implement and monitor the security program with roles for the CIO, CISO, ICT
This document provides a toolkit for universities to prepare communications in response to a cyber attack or security incident. It includes resources such as:
- A framework for effective communication developed by Knight and Nurse.
- Guidelines for pre-event planning including identifying aims, crisis communication capabilities, partners, and rehearsals.
- A cyber response flowchart outlining disclosure decisions and communication considerations.
- Sections on framing messages, disclosure options, and delivering the message.
- The goal is to help universities minimize impact, reduce reputational damage and costs from a cyber incident by having an effective prepared communication response. It emphasizes the importance of collaboration across the institution.
The document provides 10 tips from various experts on improving security for Internet of Things devices. The tips include implementing BYOD policies, having manufacturers design security into devices from the beginning, not rushing into IoT technology without proper security measures, adding layers of security like VPNs, integrating security into the development process, using automation to improve security operations, integrating cyber threat intelligence, training software developers in security, stopping employee negligence, and gaining better control of the "oceans of the internet" through standards and understanding of hacker capabilities. Each tip is accompanied by a short quote from an expert providing additional context.
The document outlines India's national cyber security policy and strategies. It aims to build a secure and resilient cyberspace for citizens, businesses, and government. The key objectives are to create a secure cyber ecosystem, strengthen regulatory frameworks, enhance mechanisms for information gathering and response, protect critical information infrastructure, develop indigenous security technologies, and create a cybersecurity workforce. The strategies to achieve these objectives include designating agencies to coordinate cybersecurity efforts, encouraging adoption of best practices, developing testing and certification processes, and fostering public-private partnerships and cooperation.
This document provides guidance for lawyers on data security issues and how to help clients meet data security standards. It discusses how lack of security knowledge is common among both personal and enterprise computer users. Various threats like viruses, worms, Trojans, bots, and spyware/adware are described. Examples of data security risks include loss of portable devices containing personal information, insecure home networks that employees access for work, and insecure disposal of physical documents and digital media. The document advises evaluating security controls and investing in tools to detect breaches and audit compliance.
The document discusses several topics related to physical security and video surveillance:
1) It discusses the need to rethink physical security approaches and integrate ballistic barriers into interior spaces to provide protection from active shooter threats that enter facilities.
2) It discusses how video surveillance is playing an important role in meeting compliance and regulation needs in the transportation market. 360-degree cameras provide full situational awareness without blind spots.
3) It discusses GSA's efforts to promote procurement of physical access control systems (PACS) through the GSA Multiple Award Schedule (MAS) program and Schedule 84. GSA is seeking industry feedback to improve the PACS offering and create a blanket purchase agreement.
“People are part of complex systems in the maritime environment; they interact
with one another and computer systems in both creative and destructive
ways. At every intersection of human and machine there is the possibility for error,
manipulation, coercion or sedition.” - The Future of Maritime Cyber Security -
Lancaster University
IT systems are crucial to the safe and efficient operation of modern vessels and to the
functioning of the maritime industry in general. Increasingly complex systems enable a
host of essential maritime operations, from navigation and propulsion to freight
management and traffic control.
Onboard systems include GPS, DP, AIS, ECDIS, Radar, autopilot etc. and control
systems for ballast, stability, engine and propulsion control, cargo handling etc.
Advances in satellite technology mean these previously remote onboard systems are
increasingly likely to have a permanent internet connection, with the potential for any device
onboard the vessel to become a node of the on-shore corporate IT network. The 24hr
availability of email, web browsers, cloud storage, network access, smartphones and the
challenges of 'BYOD' all add to the complexities and the vulnerable gateways to our data.
In addition to the equipment onboard vessels, there are similarly vulnerable systems
located in ports, VTS centres, offshore installations, operators' and managers' offices and in
numerous maritime support businesses and organisations.
There are considerable risks to the safety and security of vessels, the security and
reputation of the owners and operators and risks to the movement of world trade should
maritime corporate IT networks become compromised. The act of compromise can be either
deliberate and criminal, or unforeseen and accidental. Either way, the results can be
equally widespread and potentially disastrous.
The IMO propose that the subject be tackled using a process of Cyber Risk Management
(CRM), covering safety, security and operational risks under one umbrella. This
project will approach the subject from a similar viewpoint.
Aims
To mitigate the risk of exposure to cyber-vulnerabilities (deliberate or otherwise) by
educating those who have access to exposed IT systems and infrastructure, both onboard
and shoreside. This will be achieved by giving a non-technical audience the knowledge to
understand the risks, to know what to do to protect against these risks and what to do in
response to a direct threat.
During the development of this resource, the participating parties will form a working
group to learn from the knowledge and experiences of each other to enhance their own
internal procedures and systems for implementing a successful corporate CRM strategy.
The final public output of the project will be to give practical guidance and advice on ‘Best
Practices’ to those who may not have an IT background or training, enabling those at the
sharp end to better support the work of the IT department in protecting the corporate
network.
“For most companies, the greatest threat comes from the naivety of their
own employees, on ship and shore. Awareness and good procedures can
dramatically reduce the risk.” - The Navigator, June 2016
Achieving the aims
To achieve the stated aim, the working group will gather the latest in technical, security
and behavioural knowledge and information and distil this into a series of practical
‘takeaways’ that can be easily understood and put into practice by a non-technical
audience.
Fidra will then work with the creative team to create either a single film, or a series of
‘shorts’, that illustrate these points in a way that is both educational and entertaining to
watch. It is only by achieving the second of these two goals that we have the greatest
chance of the films being widely shared and the knowledge widely disseminated. If we are
successful, the exposure will extend beyond the maritime industry.
Fidra will work with the partners in the project and the maritime media outlets to ensure
that as much publicity as possible is generated on release, using all available channels.
Supporting materials could also be produced if these were felt to be of further benefit, in
the form of guide notes and ‘best practice’ leaflets and posters (distributed as PDF
documents).
Project structure
“The biggest risk is from employees using computer-based systems since
security prevention mechanisms within the network itself are rarely
implemented in the mistaken belief that perimeter defences are all that is required.” -
Maritime Cyber Security White Paper - ESC Global Security
The project will be developed by a working group consisting of a small number of
interested parties, primarily but not necessarily exclusively from the maritime domain. Led by
Fidra, the group will assemble a body of technical knowledge and best practices that will then
be handed over to a team of behavioural and creative specialists.
A primary feature of this project is its collaborative nature, the sharing of information and
ideas for the benefit of the group (internally/privately where deemed appropriate) and for
the wider maritime community on release of the resource.
The technical working group will be tasked with:
- Assembling a body of reference materials and resources pertinent to the subject matter.
- Identifying the most commonly encountered risks and vulnerabilities and those that have the greatest potential to cause damage.
- Creating clear and unambiguous advice for a non-technical audience on ways to detect the presence of a risk, whether this be deliberate criminal activity or an internal system failure.
- Creating clear advice suitable for a non-technical audience on appropriate measures to take in response to the presence of a potential threat to protect the network.
- Collating a list of ‘Best Practices’ that should be adopted by all those with access to the corporate IT infrastructure.
- Discussing and sharing, although not necessarily publicly disseminating, internal procedures and IT system defence policies and Best Practices from a more technical perspective (suitable for corporate IT and security teams and management).
The above is subject to discussion and amendment but is a logical starting point.
Budget
The budget is yet to be defined, but will be agreed upon by all parties to the project prior
to commissioning the creative team. The cost will be shared amongst those involved.
Fidra will not seek to sell or otherwise monetise the project following release, with the aim
of achieving as widespread distribution as possible. This is the reason that the
development, production and distribution budget must be raised from industry partners.
“However, if the loss, damage, or liability was caused either directly or
indirectly by the use of a computer and its associated systems and software “as
a means of inflicting harm,” such loss, damage, or liability would be excluded from
coverage.” - Marsh & McLennan report
Fidra are in the process of encouraging a ‘headline sponsor’ who has an interest in raising
their profile within the maritime industry. This business or organisation may be less
involved with the creation of the content but will cover a significant proportion of the
production budget in return for the publicity generated by the release of the film(s). With the
sponsorship contribution it is envisaged that individual partners will invest somewhere in
the region of £5k (+VAT) each.
“ESC Global Security recommends that companies operating in the maritime
industries put cyber security awareness training at the top of the agenda for
users of technology and computer resources. This is one of the most effective
ways of reducing a company's exposure to cyber security threats and increases
both detection and incident response at the same time.” - Maritime Cyber Security
White Paper - ESC Global Security
While we are acutely aware of the financial position of many businesses in the maritime
sector in these challenging times, we must be aware of the need to balance prudence
with the ability to be creative and produce an effective resource. If the budget is too high,
the project will languish as an idea that never came to fruition. If the budget is too low, we
will be limited in what we can do and may fail our objectives by producing ‘just another
training film’.
For those looking to get internal budget sign-off, it may help to spread the cost across
HSEQ, Risk Management, IT and Marketing Dept. budgets, as each department stands to
benefit. The sum invested in this project could be recouped if just one cyber-attack or
failure can be avoided.
“It might be argued that the relatively low public profile of most marine
businesses means they are less likely to be the subject of a cyber-attack than
financial institutions, energy companies, public utilities, or airlines. That may be the
case, but nevertheless, the threat is real, and the results of a successful attack
could be catastrophic. Certainly, the lack of any inbuilt encryption or authentication
code in the critical systems used for navigation on board ship means that shipping
could be seen as a soft target, and that perception alone could be enough to
provoke an attack.” - Marsh & McLennan report
Resources & references
“Hackers working with a drug smuggling gang infiltrated the computerized
cargo tracking system of the Port of Antwerp to identify the shipping
containers in which consignments of drugs had been hidden. The gang then drove the
containers from the port, retrieved the drugs and covered their tracks. The criminal
activity continued for a two-year period from June 2011, until it was stopped by
joint action by Belgium and Dutch police. Cyber criminals will continue to do the
unexpected, and the nature of attacks of this sort will evolve.” - Marsh & McLennan
report
- IMO document MSC 96/4/1 (4th Feb 2016): Measures to enhance maritime security - Guidelines for Cyber risk management
- IMO document MSC 96/4/2 (9th Feb 2016): Measures to enhance maritime security - Guidelines for Cyber risk management
- IMO document MSC 96/4/5 (8th March 2016): Measures to enhance maritime security - Measures aimed at improving cybersecurity on ships
- IMO document MSC 96/INF.4: Measures aimed at improving cybersecurity on a ship
- BIMCO: The Guidelines on Cyber Security Onboard Ships
- United States National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Security (the NIST Framework)
- ENISA (European Network and Information Security Agency): Analysis of cyber security aspects in the maritime sector (Nov 2011)
- Lancaster University: The Future of Maritime Cyber Security
- Marsh & McLennan report: The risk of cyber-attack to the maritime industry
- NCC Group: Maritime cyber security: Threats & Opportunities
- ESCGS: Maritime Cyber Security White Paper
- AMMITEC: Cyber Security Awareness Guidelines
- The Navigator: June 2016 issue
- ABS: The application of cyber-security principles to marine and offshore operations
Contact details
Interested parties should in the first instance contact Chris Young:
Chris Young MNI
Executive Producer
Fidra Films
Tel: +44 (0)7500 906 220
chris@fidragroup.com
“... it is important that security procedures and processes are in place so that
operators know how to identify a potential security threat or have been trained to
respond when a cyber attack is in process.
Cyberspace was once just a way to communicate but now pretty much everything
depends on it. Our critical infrastructures for energy, healthcare, banking, transportation and
water are dependent on how well we protect and secure the systems and the data that
controls them.” - Maritime Cyber Security White Paper - ESC Global Security
Fidra Films is a trading name of Fidra Group Ltd, a company registered in England and
Wales No. 9864419, VAT Reg. No. 232197420
Project partners
To become a partner in this groundbreaking project please contact us directly. See below for
details.
For reasons of project scale and collaborative logistics, places are strictly limited and will be
offered on a first come first served basis.