Digitization will continue to grow in the maritime industry and, with it, the threat of cyberattacks. The industry’s historic willingness to accept the risks that the open seas offer and meet them head-on when they occur should not also be its approach to cybersecurity. The stakes are high, with attackers employing increasingly ingenious strategies to achieve massive paydays from the vessels – and their companies – that leave unneeded vulnerabilities open to them. And not only are massive amounts of money at state, but also people’s lives and well-being. As digitization of the maritime industry grows, attention to cybersecurity must grow with it.
As physical objects and processes are increasingly being monitored or controlled by connected computational devices such as Industrial Control Systems (ICS) or Internet of Things (IoT), those physical objects and processes become hackable in the same way as the embedded devices controlling them. Ignoring the reality of vulnerabilities will not restrict them to the realm of fiction. The threats are real. Many have already occurred. Only by recognizing the new challenges that our connected world poses and coming together to address them will we be able to make our leap into this new way of life secure and safe, and get the fullest benefits from it.
Marin Ivezic -
"We're building a robot the size of the world, and most people don't even realize it." This is how Bruce Schneier described the Internet of Things in a nutshell… The "things" in our Internet of Things are frighteningly exposed… So, why isn't there more discussion about IoT hacks outside of the cybersecurity community? While the headlines are dominated by news of cyberattacks on retailers, there’s been surprisingly little buzz about this huge threat to what’s increasingly becoming the Internet of Everything… Why doesn't a government somewhere evaluate these frameworks, consult with experts, and draft regulations? If there's one thing everyone agrees on, it's the need for some sort of global standard to adopt. Ideally, industry leaders will come together to create the framework our growing internet of things desperately needs. The successful development and adoption of this network depends on it.
The History of Cyber-Kinetic Attacks, Incidents and Research – Chapter 2 of Cyber-Kinetic Attacks bookMarin Ivezic -
(This is the draft second chapter of my upcoming book Cyber-Kinetic Attacks) The fact that cyber-kinetic attacks rarely appear on mainstream news doesn’t mean they don’t happen. They happen more frequently than you would think. Many, for various reasons, aren’t even reported to agencies charged with combatting them. This hinders security experts in understanding the full scope and recognizing the trends in this growing problem. We’ll highlight examples of cyber-kinetic incidents and attacks in this chapter. Some were malfunctions that, nonetheless, demonstrated cyber-physical system vulnerabilities. Some were collateral damage from hacking or computer viruses. The vulnerabilities these exposed inspired a growing number of targeted cyber-kinetic attacks in recent years. If nothing else, the attacks described in this chapter demonstrate that the threat of cyberattacks on critical systems are not hypothetical. They occur increasingly...
Below is a timeline of over 50 historic cyber-kinetic attacks, system malfunctions and key researcher demos targeting cyber-physical systems (CPS), Internet of Things (IoT) and Industrial Control Systems (ICS) resulting in kinetic impacts in the physical world. I tried to select only those that were first-of-the-kind or that significantly increased general awareness about a particular type of an attack or incident.
The World of Cyber-Physical Systems and the Rising Risk of Cyber-Kinetic Attacks – Chapter 1 of Cyber-Kinetic Attacks bookMarin Ivezic -
(This is the first chapter of my upcoming book Cyber-Kinetic Attacks) We live in a world in which the way we observe and control it is radically changing. Increasingly, we interact with physical objects through the filter of what computational systems embedded in them tell us, and we adjust them based on what those systems relate. We do this on our phones, in our cars, in our homes, in our factories and, increasingly, in our cities. Physical objects are so interconnected that we simply take those connections for granted, as if being able to unlock your car by pushing a button on your key fob, unlocking it with your phone or even by walking toward it is the way car locks always worked. This interconnectedness offers us capabilities that exponentially exceed the expectations of science fiction writers and futurists of past generations. But it also introduces disquieting possibilities. Those possibilities reach beyond cyberspace to threaten the physical world in which we live and – potentially – our own physical well-being.
Western publications often picture the People’s Democratic Republic of China (hereafter China) as the world’s chief propagator of cyberattacks. But the picture is much more complex than such broad-brush claims suggest. Few Westerners realize that China and its neighbours in the Greater China region (Taiwan, Macau and Hong Kong) have, over last few years, became the most technologically advanced region in the world – ahead of the West in the adoption, and in many cases even in the development of advanced technologies. Countries in the region were always close to the top of the list of victims of cyberattacks. Factors, such as internal hacktivism and cybercrime perpetrated by the rapidly growing technologically savvy segment of the population and their legion of wannabe hacker apprentices have propelled cyberattacks on the region firmly to the top of that list. Rapid adoption of new technologies without adequately addressing cybersecurity issues only exacerbates the problem. The Greater China region has adopted these technologies aggressively. Yet, in their rush to adoption, enterprises in the region have largely lagged the rest of the world in addressing cybersecurity.
You may have heard, over the last year or two, about the new technological miracle that is the blockchain. It seems that every banker, insurer, manufacturer, artist, lawyer and cybersecurity professional is shouting about blockchain from the highest peak and telling us how it will be used to secure everything against anything for all time, additionally removing those embarrassing blemishes from our skin and freshening our breath at the same time. Clearly some large portion of the blockchain-related content we see in the media is hyperbolic, at best, but it is an important technology nonetheless. Let's take a look at some of the realities of what we can and cannot do with blockchain in relation to cybersecurity.
When Hackers Threaten your Life – Introduction to Cyber-Kinetic Attacks and Security of Cyber-Physical SystemsMarin Ivezic -
In order to plan for the security of cyber-physical systems and the safety of those who will be using them or working around them, we must recognize that cyber-physical systems are inherently different from systems operating purely in the cyber or physical realms. We need to model security for them in a more broad manner, test them more carefully and thoroughly in order to uncover the various ways in which an attacker might misuse or abuse them, and recognize where some of our traditional security practices or controls may be rendered less effective or may not work at all. The interfaces between the cyber and physical realms will only continue to increase, and it is vital we secure these systems properly in order to protect lives, well-being and the environment.
Human Zombification as an Information Security Threat – Differences in Information Security Concepts Between Euro-Atlantic and China-RussiaMarin Ivezic -
As I am getting up to speed with cybersecurity laws, regulations and doctrine of my new country, China, an interesting realization came to me – China and Russia share an information security doctrine, one that is significantly different from Euro-Atlantic doctrines. In the Chino-Russian model of information space a discussion about population zombification does happen and it fits squarely within the domain of information security.
Below is my attempt at tracking all published IoT and "Smart Everything"-related security guidelines, frameworks and standards. If you are aware of additional entries that should be here, please let me know. List of Internet of Things (IoT) Security Guidelines, Frameworks and Standards by Marin Ivezic is licensed under a...
We have to ask ourselves; at what point does an unexpected outcome via expert prediction justify a prison sentence? Minutes after I delivered cyber risk assessment results to my Italian client, I heard the news - six Italian scientists and a government official have been sentenced to six years in...