Chris Mark in The Maritime Executive August 30, 2011

Posted by Chris Mark in InfoSec & Privacy, Piracy & Maritime Security, Risk & Risk Management.
Yours Truly (Chris Mark) was interviewed in the current issue (July – August, 2011) of The Maritime Executive on the topic of Cyber Piracy. You can read a summary of the issue here. If you are not a current reader, Maritime Executive is a great periodical with volumes of information on the maritime industry. You can subscribe to the print edition here.

“Jack O’Connell has explored the Internet underworld with his piece, “Cyber Piracy: Clear and Present Danger?” It’s a dangerous cyber world in which we unknowingly tread, so users beware. Both of these articles are timely and essential reminders of an Internet moving faster than a speeding bullet.”

Security 101; Defense in Depth August 26, 2011

Posted by Chris Mark in Risk & Risk Management, Uncategorized.
This post is a complement to the post Risk 101. In reading a number of articles and positions on maritime security strategies, it appears that some of the authors, while well-intentioned, misunderstand or misstate the basics of security. While this particular post is not a dissertation on security, it will discuss one of the more important concepts: Defense in Depth.

While defense in depth has been widely promoted as an information assurance concept developed by the NSA, it originates from military strategy. To understand how DID works, it is important to understand that security is not, and cannot be, absolute. It is not a binary concept: “secure” or “not secure”. The appropriateness of a security strategy is relative to the identified risk. One cannot say: “my house is secure”. You can say: “My house has been secured in a manner that is commensurate with the identified risks”. Security should be viewed as a function of time and effort. Given the skills and tools, a person with sufficient time and effort can theoretically circumvent any control. As skills and tools improve, security controls must also adapt.

Safes are good examples of this concept. The Safe Source provides US safe ratings. Safes are rated from B1 (simple theft resistant) to B6, an underwriters’ certification which includes TRTL-30. This rating means that a particular safe has been shown to resist 30 minutes of net working time with a torch and a range of tools, including high-speed drills with carbide bits, saws and prybars. While safe ratings are not the focus of this post, they are a good example of the security continuum. Notice that none of the safes provide a ‘guarantee’ that they can never be breached. With tools and effort, it is simply a matter of time. The goal of any security strategy is to shift the risk/reward calculation to the point where the attackers give up on the effort.

The basic concept behind defense in depth is to give up space to buy time. By implementing multiple layers of controls, with each layer designed to delay the attacker, it is possible to shift the risk/reward calculation to the point where it is simply not a wise investment of time to continue the effort. Remember that security must be implemented commensurate with the identified risk. As the risk increases, the controls must increase proportionally. Until this past year, many shipping companies were content with using less-than-lethal technologies to deter pirates. As ransoms have exceeded $3 million US, the pirates have greater incentive to assume risk and spend the time and effort on an attack, and therefore shipping companies need to increase their security controls.

Defense in Depth strategies require that companies evaluate and implement a number of controls. In general, security controls can be categorized into detective, preventive, and responsive controls. There is often a temptation to spend money and effort on preventive controls alone. This is a dangerous strategy. A complete defense in depth strategy will employ a number of overlapping controls, including best practices in ship speed, maneuvering, and routes, as well as more dynamic controls such as the use of armed guards and citadels. The controls should be included in a force continuum. In short, the use of force should be the last control employed, not the first.

By evaluating your security needs and controls in the context of the identified risks to which your vessels are exposed, you are better able to make decisions regarding the types of controls required. By implementing those controls using a defense in depth strategy that addresses detective, preventive, and responsive controls, you ensure a comprehensive security strategy designed to provide the maximum defensive value at the lowest possible cost.

Security 101: The Human Element – “Trust but Verify” August 24, 2011

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
As maritime security becomes more lucrative and companies take steps to stop attacks, it is the natural evolution of crime that the pirates will begin looking for new vulnerabilities to support their efforts. Often the most vulnerable element of any security strategy is the human element. People often provide the proverbial ‘weak link’ in the strategy. Often it is not an intentional act by a person that creates an issue. It could be a simple mistake, or the person could be deceived into taking action. While these are common aspects of security today, I want to talk about people who take direct action with intentions that are contrary to the organization. It is not something that any company likes to consider, but it is an unfortunate fact of life. People are rational actors, and as such a percentage of any population will be inclined to perform actions that are outside the bounds of what most consider ethical or moral behavior. This is where the idea of “trust but verify” comes in. We all like each other and we all want to believe that we are all honest people. It is irresponsible, however, to simply take people at their word. Verification is responsible and appropriate even in my own case, given my access to information. It is obvious that with increased responsibility comes increased authority. Often this leads companies to believe that these senior “trusted” individuals do not require the same level of monitoring to which more junior-level employees may be subject. This is a serious mistake. Increased responsibility and authority come with increased access to information. It is often these very employees who can do the greatest damage. I will give an example from my own experience.

Recently, through some legal proceedings, it was discovered that a former Chief Technology Officer of a company I previously owned had taken steps to download every single employee’s and contractor’s email to his personal system. When confronted at the proceeding, he admitted he had indeed downloaded every email. He then took a number of steps to hide his actions. His actions were only discovered 2 years later through legal proceedings. He has not divulged why he took such action. It should be noted that in many states in the US this is not only a crime but a felony. This was not a junior-level employee who could plead ignorance. This was a person with a graduate degree in information security who, by his own admission, “defines security and risk”. To say I was apoplectic when I discovered his actions would be an understatement. He not only violated the trust of the company and me personally, but potentially committed a serious crime. The point of this example is to demonstrate the need to “trust but verify” what ALL employees are doing.

Operational security, or OpSec, is increasingly important in a hyper-competitive world. Add to that the new threat of information theft by pirates and those supporting piratical acts, and the need to protect your information and assets becomes critical. It is not only the junior-level staff who should be monitored and ‘verified’; it is all employees. Anyone with a security clearance is used to the fact that every few years the government decides to crawl through your life and put you through a polygraph to ensure that you are still ‘trusted’. This is a good example of ‘trust but verify’. When developing a strategy to address information security and operational security, it is important that all areas of the business are considered and addressed. Often it is a single trusted person who causes irreparable harm to the organization.

2011 Pirate Attacks at Record Pace July 14, 2011

Posted by Chris Mark in Piracy & Maritime Security, Risk & Risk Management.
If the first six months of 2011 are any indication, the year is going to break records for the number of pirate attacks. In the first six months of the year, attacks are up 36% from 2010. According to IMB, from January through June of 2011 there were 266 attacks compared with 196 a year earlier. While the number of attacks increased, the number of ships hijacked fell from 27 to 21 due to increased security measures. Pirates only hijacked 1 in 8 vessels this year compared with 1 in 4 last year. Unfortunately, there is a downside to the increased security.

According to IMB, the pirates are taking more risks and becoming more violent in their attacks. This year pirates fired upon ships during monsoon season for the first time.

Monsoon weather in the Indian Ocean region that began in early June displaced pirates to the Gulf of Aden and the southern Red Sea, the IMB said. It called the 18 attacks reported in the Red Sea area since May 20 “a cause for concern.” Three attacks in the Indian Ocean in adverse weather showed threats remained during monsoons for the first time, the IMB said, citing winds of 34 miles an hour and swells of 4.5 meters (15 feet).

“It may be that these recent Indian Ocean incidents are a sign of desperation on behalf of pirates, or that there are many more pirate action groups operating now than there were in 2010, particularly outside the Gulf of Aden,” the IMB said.

In short, while increased security measures may be hampering the success of pirates, this trend is not expected to last. The potential ‘return on investment’ of a hijacking is simply too great for pirates to ignore. The result will be an inevitable cycle of increased security followed by increased risk taking by the pirates. This pattern can be seen developing now. It is important for shipping companies to evaluate arming their ships with professional security personnel to prevent hijackings.

West African Pirate Attacks Mimic Those In GoA July 9, 2011

Posted by Chris Mark in Piracy & Maritime Security, Risk & Risk Management.
According to Bergen Risk Solutions, attacks off the coast of Nigeria are beginning to resemble those off the coast of Somalia, in what some say is a disturbing trend. In June 2011 alone there were five attacks. The pirates are opting against the traditional robbery and are instead adopting the Somali tactics of hijacking the ships and holding them for ransom. The attacks demonstrate an increasing use of the Automated Ship Identification System (AIS) to target vessels, as well as violence in their attacks. One person was killed in the attacks in June. Bergen Risk stated:

“Anecdotal evidence gathered in Nigeria confirms that the group has watched the modus operandi used by Somali pirates and has emulated their use of motherships.”

It added: “We find that most attacks are carried out in the hours of darkness, that pirates have no problems in carrying strikes up to 50 to 60 nautical miles from shore (but the vast majority of incidents are much closer to land) and that they have a very low threshold for using violence. Many crew members have been severely beaten and even shot during attacks.”