Ruminations on the Most Devastating Cyber Attack in History

A recent article, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, came out a few weeks ago and I have been ruminating on it ever since. It bothered me because, while the NotPetya attack (malware that posed as ransomware but was built to destroy data, not to collect a ransom) is old news if you are in the cybersecurity business, there is a lot of new and genuinely interesting information in this piece.

This story, by Andy Greenberg of Wired, focuses on Maersk, the largest container shipping company in the world, and reveals things that most of us were not aware of until now. Like many cybersecurity tales of woe, it reads like a Robert Ludlum thriller and will leave you wanting more.


My interest in maritime cybersecurity isn't necessarily greater than my interest in electricity, oil & gas, manufacturing or any of the other critical infrastructures, but I keep thinking about how what happened to Maersk could have happened to anyone. Literally anyone. Fortune 500 or Unfortunate 5,000, every organization on the face of the earth could just as easily have been a victim of NotPetya, and many were, including FedEx, Merck, Cadbury and a long list of other international companies.

If you are a CEO or a Board Director, it should prompt you to ask some really important (and hard) questions of your team.

Here are the CliffsNotes that should pique your interest:

What began as a June 2017 Russian cyber-attack on Ukraine (part of Russia's ongoing 4.5-year conflict with that country) quickly spread to some of the largest companies across the globe, including Maersk, which happens to carry roughly a fifth of the world's container shipping capacity. This one event cost Maersk an estimated $250M to $300M, with total damages across all (known) companies put at more than $10B. That's $10,000,000,000.00 for one single cyber event. Where's the outrage?

Maersk by the numbers:

  • $35B in 2017 revenue
  • 88,000 employees
  • Business units that include:
    • Transportation
    • Ports
    • Logistics
    • Shipping
    • Oil drilling
    • Energy
  • 130 countries
  • 574 offices
  • 76 ports
  • 800 ships

Here's what has been rumbling around in my brain for the past few weeks: Maersk is a HUGE company, with a HUGE number of customers. Those customers depend on Maersk's ability to get ships underway efficiently and to manage complex cargo manifests destined for every port on the face of the earth. How closely does this resemble your company? Maybe not in relative scale, but in breadth of supply chain responsibility? This story cements how critical it is to understand both directions of your supply chain: the suppliers whose software and services reach into your network, and the customers who stop moving when you do.

A few cyber-related points of reference:

M.E. Doc. The initial infection vector for NotPetya was a hijacked software update for M.E. Doc, a small accounting application widely used in Ukraine. Of course, that little application is used in other places as well, including a single installation, on a single machine, in a Maersk office in Ukraine. This is the classic example of being 99.9% secure, and still 100% vulnerable: the attacker did not have to get past Maersk's defenses, because a trusted vendor's update channel carried the malware straight through them.

No Segmentation. Where was the network segmentation? Seriously! Segmentation is one of the easiest tools in our security toolbox, but at Maersk a flat, unsegmented network meant NotPetya ran amok with no boundaries to limit its spread from one office in Ukraine to every corner of the company. As a security professional, this one really hurts because it is a purely self-inflicted wound and, unfortunately, one I still see far too frequently in far too many companies. One caveat: segmentation limits what a worm can reach over the network, not what it can do with stolen credentials, and NotPetya also spread using harvested administrator credentials, so segmentation needs to go hand in hand with separate admin accounts for each tier of the network.

No Back-ups. Every one of Maersk's roughly 150 Domain Controllers was wiped, and because those DCs had only been replicating to one another rather than being backed up offline, Maersk literally had no means of recovering. Anything. Nothing. Zip. Nada. For those who don't know what a Domain Controller (or DC) is, it is basically the heart of a Windows network: it holds the Active Directory database of every user and computer account, password hash and group membership, and authenticates every logon. Losing every DC with no backup is one of the worst things that can happen to a network, short of global thermonuclear war, because nobody and nothing can log in, and rebuilding the directory from scratch means rebuilding the company's identity from scratch. In a single fortuitous bit of luck, they found one isolated Domain Controller, in a remote office in Ghana, that wasn't wiped. Why not? Because a power outage had knocked it offline just before NotPetya hit. Lucky, huh? Well, luck is not a strategy on which to base the survival of your company, and I doubt your shareholders would be very understanding.
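One concrete check that follows from the Ghana story, added here as an example and not taken from the article or from Maersk: enumerate every domain controller in the forest and report when each one last completed a successful backup, so that "we have no DC backups" is something you learn from a report, not from an incident. It assumes the RSAT ActiveDirectory module on the admin workstation, the Windows Server Backup feature installed on each DC, and WinRM access to all of them; the one-day staleness threshold is an assumed policy value.

```powershell
# Added example (not from the article or from Maersk): report when each domain
# controller last completed a successful backup, so a wiped forest is not
# discovered to be unrecoverable after the fact.
# Assumptions: RSAT ActiveDirectory module on this workstation, the Windows
# Server Backup feature installed on every DC, and WinRM reachable on each.
Import-Module ActiveDirectory

$MaxAgeDays = 1    # assumed policy threshold; tune to your recovery point objective

# Every DC in the current forest, by FQDN.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Ask each DC for its Windows Server Backup summary. Unreachable DCs simply
# produce no result object and are flagged below.
$results = Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ScriptBlock {
    Import-Module WindowsServerBackup -ErrorAction Stop
    $summary = Get-WBSummary
    [pscustomobject]@{
        LastSuccessfulBackup = $summary.LastSuccessfulBackupTime
        LastResultHR         = $summary.LastBackupResultHR
    }
}

$now = Get-Date
$report = foreach ($dc in $dcs) {
    $r = $results | Where-Object { $_.PSComputerName -ieq $dc } | Select-Object -First 1
    if ($null -eq $r) {
        $status = 'UNREACHABLE'; $age = $null
    }
    elseif ($null -eq $r.LastSuccessfulBackup -or $r.LastSuccessfulBackup -eq [datetime]::MinValue) {
        # Get-WBSummary reports DateTime.MinValue when no backup has ever succeeded.
        $status = 'NEVER BACKED UP'; $age = $null
    }
    else {
        $age = [math]::Round(($now - $r.LastSuccessfulBackup).TotalDays, 1)
        $status = if ($age -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
    }
    [pscustomobject]@{
        DomainController     = $dc
        LastSuccessfulBackup = $r.LastSuccessfulBackup
        AgeDays              = $age
        LastResultHR         = $r.LastResultHR
        Status               = $status
    }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize

# Non-zero exit so this can gate a scheduled job or feed a monitoring check.
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} domain controllers have no current backup." -f $bad.Count, $dcs.Count)
    exit 1
}
```

This proves only that a backup job completed on each DC. It does not prove the backup includes system state, that it was written somewhere a worm with domain admin credentials could not reach, or that it actually restores: a backup sitting on the same flat network would have been wiped alongside everything else at Maersk. Keep at least one copy offline or on immutable storage, and rehearse a full forest recovery before you need one.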

The article poses a lot of questions, such as "Could this happen to my company?", "If so, do we have the appropriate disaster recovery processes in place to recover?" and, finally, "Could my company survive an unplanned (relatively speaking) $300M hit?"

If the answers are Yes, No and No, you have work to do.

Be safe out there.
