Cyber Security
SINGAPORE CYBER WEEK
From left: Raymond Macaisa (IT Architect, Red Sea Gateway Terminal (RSGT)), Steven Sim (Senior Manager (IT Security), PSA Corporation Ltd), Chiang (Northport Malaysia Bhd). Photo Credit: Cyber Security For Maritime Summit 2017
Redwood (Director, BSI Asia Pacific General Manager) and John DiMaria (Research Fellow Global Product Champion, BSI Group Inc) introduced the concept of “Information Resilience” and the application of the ISO/IEC 27001 standard. To make an organisation more resilient, ISO/IEC 27001 embodies technology controls such as encryption; internal controls such as employee awareness and user access; external controls such as vendor management; and partnerships such as sharing cyber-intelligence with peers. The implementation of ISO/IEC 27001 necessitates three phases: “understand and prepare”, “see how ready you are” and finally “review and get certified”. Mr Redwood and Mr DiMaria highlighted, however, the need to “go beyond a focus on compliance”. Consistent with a key control within ISO/IEC 27001, they emphasized that the “journey does not stop with certification”, and that organisations need to “continually improve the suitability, adequacy and effectiveness of the information security management system”.

Red Teaming and Alignment of Business and Technology Risk
Tam Huynh (Senior Director - Cyber Security, Kroll) on “Proactive Defense Against Cyber Threats”. Photo Credit: Cyber Security For Maritime
Aside from the most recent NotPetya ransomware, which hit Maersk terminals and cost an estimated $300 million in losses, the maritime sector has also suffered other notable attacks: one that specifically targeted shipping lines to cause reputational damage (e.g. the hack of the Iranian Shipping Line), and another that exploited the shipping firm’s server vulnerabilities to identify, locate and steal cargo of value.

Tam Huynh (Senior Director - Cyber Security, Kroll), in his talk “Proactive Defense Against Cyber Threats”, outlined an approach adopted in the intelligence community: “Red Teaming”. Using simulations based on realistic scenarios, such as attackers targeting a ship’s navigation system, red teaming assesses the organisation’s business risk and its ability to detect and respond to the incident, as opposed to traditional assessments such as penetration testing, which may be scoped to focus only on technical risk.

A holistic view of enterprise risk that embodies both business and IT risks was also highlighted by Steven Sim (Senior Manager (IT Security), PSA Corporation Ltd) in his talk “Future-proofing Maritime Ports against Emerging Cyber-Physical Threats”. Detailing specific threats targeted at cyber-physical systems (including IoT/IIoT) and blended cyber-physical threats, he pointed out the associated security pain-points and nuances. Tackling each, he recommended pragmatic solutions leveraging cybersecurity framework(s), threat model(s) and layered defenses by design, default and deployment across portfolio, process and people. One example was COBIT (“Control Objectives for IT”). By using its best
Cyber Security for Airports Summit: From left to right

• Ms Lee Siu Min, Thales, Singapore

First row
• Delegate, Airports Company, South Africa
• Delegate, Airports Company, South Africa
• Mr Gurmukh Singh Bawa, Airport Economist and Former General Manager, Public Relations as Head of the Department, Airports Authority of India
• Mr Biju Hameed, Head of Information Security & Compliance, Dubai International Airport, UAE
• Delegate, Airports Company, South Africa
• Mr Ilgar Aliyev, Technology Governance and Information Assurance, PoB FTZ, Azerbaijan
• Ms Roanne Tang, Changi Airport, Singapore

Second row
• Rick Ville, Sales Consultant IT & Controls Services, Vanderlande Industries B.V, The Netherlands
• Joni Karywawansyah, Airport Technology Network Operational Support, Angkasa Pura Airports, Indonesia

Third row
• Harsha E Thennarasu, Chief IT Security Advisor, HKIT Security Solutions, India
• Dheeraj Chandwani, Business Manager – Cyber Security
Asia Pacific Security Magazine | 45