This article, The Untold Story of NotPetya, The Most Devastating Cyberattack in History, by Andy Greenberg, came out about two weeks ago and I’ve been ruminating on it ever since. It bothered me because the NotPetya ransomware attack is old news if you are in the cybersecurity business, but there is a lot of new information here. This story focuses on Maersk, the largest container ship and supply vessel operator in the world, and reveals some things that most of us weren’t aware of until now. Like many cybersecurity tales of woe, it reads like a Robert Ludlum thriller and will leave you wanting more.
My interest in maritime cybersecurity isn’t necessarily greater than my interest in electricity, oil & gas, manufacturing or any of the other critical infrastructures, but I keep thinking about how what happened to Maersk could have happened to anyone. Literally anyone. Fortune 500 or Unfortunate 5,000, every organization on the face of the earth could just as easily have been a victim of NotPetya, and others were, including FedEx, Merck, Cadbury, and many other international companies.
The article is a bit long but I promise, you’ll be smarter and better prepared for important cybersecurity discussions after reading it. Think of it as a time investment that will make you a better citizen and a better business leader. If you are a CEO or a Board Director, it should prompt you to ask some really important questions of your team. So, grab a cup of coffee on Sunday morning, or wait until the kids have gone to bed and you’ve settled in with a nice cabernet, or just print it out and save it for your next airplane ride, but carve out some time to read it. It’s important.
So, here are the CliffsNotes that should pique your interest:
What began as a June 2017 Russian cyber-attack on Ukraine (as part of the ongoing conflict, then about four and a half years old) quickly spread to some of the largest companies across the globe, including Maersk, which just happens to control 20% of the global shipping industry. This cyber event ended up costing Maersk over $300M, with total damages to all (known) companies over $10B. That’s $10,000,000,000.00 for one single cyber event.
Maersk by the numbers:
- 2017 revenue was $35B
- Business units that include:
Here’s what has been rumbling around in my brain the past two weeks. Maersk is a HUGE company, with a HUGE number of customers, who depend on its ability to get ships underway and manage complex cargo manifests destined for every port on the face of the earth. How closely does this resemble your company? Maybe not in relative scale, but perhaps in breadth of supply chain responsibility? This story cements the criticality of understanding both directions of your supply chain.
A few cyber-related points of reference:
M.E. Doc. The initial infection vector for NotPetya was a poisoned software update for a little tax-accounting application widely used in Ukraine called M.E. Doc. Of course, that little software application is used in other places as well, including a single installation, on a single server, at Maersk. This is the classic example of being 99.9% secure and still 100% vulnerable: the one box you didn’t think about is the one the attacker uses.
No Segmentation. Where was the network segmentation? Seriously! Segmentation is one of the most basic tools in our security toolbox, but at Maersk, flat networks with no segmentation meant NotPetya ran amok with no boundaries to limit its spread. NotPetya moved laterally over SMB, using the EternalBlue exploit against unpatched hosts and stolen credentials against patched ones, so every host that could reach TCP/445 on its neighbors was a target. A firewall or ACL that simply denies SMB between sites and between user segments turns one infected server into one infected office. This one really hurts because it's a purely self-inflicted wound.
No Back-ups. No backups meant that when all 150 Domain Controllers (DC) were corrupted, they literally had no means of recovering. Anything. For those that don’t know what a Domain Controller (or DC) is, it’s basically the heart of a Windows network: it holds the Active Directory database and authenticates every user and computer logon in the domain. Corrupted Domain Controllers without backups are literally one of the worst things that can happen in a network. In one fortunate stroke of luck, they found a single Domain Controller, located in a remote office in Ghana, that wasn’t corrupted. Why, you ask? It wasn’t corrupted because a power outage had taken it offline just before NotPetya hit. An accidentally offline copy saved the company; a deliberately offline (or otherwise isolated and immutable) backup is what should have. Luck is not a strategy on which to base the survival of your company.
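The two points above, segmentation and the one surviving DC, are really the same question: from the one infected M.E. Doc server, which hosts can a worm that spreads over SMB reach? The script below is an added example, not code from the Wired article or anything Maersk runs. It models a worm like NotPetya as transitive reachability on TCP/445 over a small, constructed inventory (hostnames, segments and the ACL are made up for illustration) and compares a flat network with a segmented one. Note that the segmented ACL still lets every client segment talk to the DC segment, because clients legitimately need SMB to DCs for SYSVOL and NETLOGON; that is exactly why segmentation narrows the blast radius but does not save the DCs, and why the backup point stands on its own.

```python
"""Blast-radius model for an SMB-propagating worm like NotPetya.

Added example, not from the Wired article or from Maersk. The inventory
and ACL are constructed. Model: an infected host compromises every online
host it is allowed to reach on TCP/445, transitively (NotPetya used
EternalBlue plus stolen credentials over SMB, so 445 reachability is what
matters). Credentials, patch level and timing are deliberately ignored.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    role: str          # "app", "workstation" or "dc"
    online: bool = True


# Constructed inventory. The Ghana DC is offline to mirror the power outage.
HOSTS = [
    Host("odessa-medoc-01", "ua-office", "app"),          # patient zero
    Host("odessa-ws-01", "ua-office", "workstation"),
    Host("cph-dc-01", "corp-dc", "dc"),
    Host("cph-dc-02", "corp-dc", "dc"),
    Host("cph-ws-07", "corp-users", "workstation"),
    Host("accra-dc-01", "ghana-office", "dc", online=False),
    Host("accra-ws-02", "ghana-office", "workstation"),
]


def flat_acl(segments):
    """A flat network: TCP/445 allowed from every segment to every segment."""
    return {(src, dst) for src in segments for dst in segments}


# Segmented network: SMB only inside a segment, plus client segments -> DCs
# (needed for SYSVOL/NETLOGON). No site-to-site SMB, no DC -> client SMB.
SEGMENTED_ACL = {
    ("ua-office", "ua-office"),
    ("corp-users", "corp-users"),
    ("ghana-office", "ghana-office"),
    ("corp-dc", "corp-dc"),
    ("ua-office", "corp-dc"),
    ("corp-users", "corp-dc"),
    ("ghana-office", "corp-dc"),
}


def blast_radius(hosts, acl, patient_zero):
    """Breadth-first spread: return the set of host names the worm reaches."""
    by_name = {h.name: h for h in hosts}
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = by_name[queue.popleft()]
        for dst in hosts:
            if dst.name in infected or not dst.online:
                continue           # already hit, or unreachable (powered off)
            if (src.segment, dst.segment) in acl:
                infected.add(dst.name)
                queue.append(dst.name)
    return infected


def surviving_dcs(hosts, infected):
    """DCs that were not reached and could seed a rebuild of the directory."""
    return sorted(h.name for h in hosts if h.role == "dc" and h.name not in infected)


def scenario(hosts, acl, patient_zero="odessa-medoc-01"):
    """(number of hosts infected, list of surviving DCs) for one ACL."""
    infected = blast_radius(hosts, acl, patient_zero)
    return len(infected), surviving_dcs(hosts, infected)


def with_power_restored(hosts):
    """The same inventory if the Ghana outage had not happened."""
    return [Host(h.name, h.segment, h.role, online=True) for h in hosts]


if __name__ == "__main__":
    segments = {h.segment for h in HOSTS}
    print("flat:           ", scenario(HOSTS, flat_acl(segments)))
    print("segmented:      ", scenario(HOSTS, SEGMENTED_ACL))
    print("flat, no outage:", scenario(with_power_restored(HOSTS), flat_acl(segments)))
```

On the flat network every online host is infected and the only DC left is the one that happened to be powered off; with the outage removed, no DC survives at all. On the segmented network the worm is confined to the Odessa segment plus the DCs that every client is allowed to reach, which shrinks the recovery job from "everything" to "the directory", but the directory still has to come from a backup.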
Anyway, read the article and ask yourself questions along the way such as, “Could this happen to my company?”, “If so, do we have the appropriate disaster recovery processes in place to recover?”, and finally, “Could my company survive an unplanned (relatively speaking) $300M hit?” If the answers are Yes, No, and No, you have work to do.
Mark Weatherford is SVP and Chief Cybersecurity Strategist at vArmour. He has more than 20 years of security operations leadership and executive-level policy experience in some of the largest and most critical public and private sector organizations in the world. Prior to vArmour, he was a Principal at The Chertoff Group and in 2011, was appointed by President Obama as the DHS’s first Deputy Under Secretary for Cybersecurity. Before DHS, he was VP and Chief Security Officer at the North American Electric Reliability Corporation (NERC). Prior to NERC, he was appointed by Governor Schwarzenegger as California’s first Chief Information Security Officer (CISO) and was also the first CISO for the State of Colorado. A former U.S. Navy cryptologist, Mr. Weatherford led the United States Navy’s Computer Network Defense operations and the Naval Computer Incident Response Team.
Mr. Weatherford holds a master's degree from the Naval Postgraduate School and holds the CISSP certification. He was awarded SC Magazine's "CSO of the Year" award in 2010, named one of the "10 Most Influential People in Government Information Security" by GovInfoSecurity in both 2012 and 2013, selected for the 2013 CSO Compass Award, and presented the 2017 SC Media Reboot 'Influencer' Leadership Award.