Gene Price, a partner with Frost Brown Todd LLC, and part of the firm's privacy and data security practice, sat down with WorkBoat.com to discuss the field of cybersecurity in the maritime industry and explore the effective measures that can be implemented to bolster digital defenses. After 36 years of service, Gene recently retired from the Navy as a rear admiral, where he served as commander of the Office of Naval Intelligence, commander of Naval Information Forces Reserve, and director of the National Maritime Intelligence Integration Office.

“The hard part about cybersecurity is bad guys only have to be right once. Your won-loss record in cyber security doesn't really equate to how well you're doing,” Price told WorkBoat.com. “People will say the human element is by far the biggest vulnerability. I think that misses the point. Unfortunately, people all too often are our last line of defense. Even if you have layered defenses, if you have two-factor authentication, if each segment in your network is encrypted, if all your patching is up-to-date, it is still so important for people and crew to be trained in this stuff.”

Price emphasizes the significance of basic hygiene, multifactor authentication (MFA), data encryption, phishing training with consequences, patch discipline, zero trust architecture, software bill of materials (SBOM), and tailored incident response plans. Below is a breakdown of the actions that can be taken by maritime companies to best defend against cyberattacks.

Basic Hygiene

To minimize the risk of cyberattacks, Price stressed the importance of adhering to basic cybersecurity practices. Companies and ports can significantly reduce their vulnerability by implementing fundamental hygiene measures. By prioritizing cybersecurity, organizations become less attractive targets for malicious actors seeking quick monetary gains. Basic hygiene serves as the first line of defense, forming the groundwork for a robust cybersecurity strategy.

“The bad guys are in it for the quick bucks. And if a company has a defensive mindset, they’ll prefer to mess around with somebody who’s a lot easier to break into.”

Multifactor Authentication

“Multifactor authentication is a big one. A basic blocking and tackling item that I think almost any cybersecurity technical person would say is important is multifactor authentication. Most people stop at two-factor authentication, three is better.”

By implementing MFA, organizations ensure that individuals accessing their systems are indeed who they claim to be. Price urges IT departments to conduct regular checks for misconfigurations while highlighting the significance of MFA as a vital cybersecurity measure.

Encrypting Data

Price underscores the necessity of data encryption, particularly when dealing with personally identifiable information (PII) and personal health information (PHI). Regulatory bodies such as the U.S. Federal Trade Commission have strict guidelines to prevent the exposure of sensitive information. Encryption provides a robust layer of security, rendering stolen data unreadable and worthless without the encryption key. By employing encryption techniques, organizations can bolster their cybersecurity defenses and safeguard sensitive data from unauthorized access.

Phishing Training with Consequence

Price emphasized the importance of continuous and rigorous phishing training programs throughout the year. “I’m not talking about every October during National Cybersecurity Month, but all year long, consistently, not just occasionally. That keeps people on their toes. Get them trained and see if they can pass a couple of tests. And if they bite on something that they shouldn’t be biting on, you have a consequence, and they have to go through more remedial training.”

Gene doesn’t suggest termination, but he does stress that holding individuals accountable for their actions through additional training reinforces the significance of maintaining a strong cybersecurity posture.

Patch Discipline

To combat cyberthreats effectively, organizations must exercise patch discipline. Hackers often exploit vulnerabilities in unpatched systems to gain unauthorized access. According to Price, the window for applying patches to disclosed vulnerabilities is critical, with evidence from Verizon’s Data Breach Investigations Report suggesting that new patches be applied as soon as possible. By promptly identifying and applying necessary patches, organizations can significantly reduce the likelihood of successful cyberattacks. Price advocates for immediate action upon discovering vulnerabilities, even if it requires running down remote devices to complete the patch.

Zero Trust Architecture

Zero trust architecture (ZTA) has emerged as a pivotal cybersecurity strategy and appears to be gaining momentum among organizations. A significant aspect of ZTA is that it restricts lateral movement within networks. Traditional network architectures lack sufficient internal security measures, allowing hackers to escalate privileges and traverse the network. Implementing ZTA ensures stringent access controls, requiring reverification at every stage. By adopting ZTA principles, organizations bolster their defense architecture and reduce the potential impact of intrusions.

Software Bill of Materials (SBOM)

SBOMs are an aspirational idea outlined in the National Cybersecurity Strategy released by the current administration and are a fairly new aspect of cybersecurity. SBOM mandates that software developers provide comprehensive lists of the software components they employ. This transparency enables organizations to better manage vulnerabilities and track potential threats originating from the software supply chain. By embracing SBOM, organizations can strengthen their cybersecurity posture and help ensure the integrity of their software ecosystem.

Tailored Incident Response Plans

Customized incident response plans (IRPs) are critical in effectively addressing cybersecurity incidents. Off-the-shelf IRPs may not adequately cater to an organization's specific needs. A tailored IRP includes detailed steps, contact information, attack playbooks, and immediate actions to be taken in the wake of a breach. By investing time and effort into developing a tailored IRP, organizations can navigate cybersecurity incidents more efficiently and minimize potential damages.

Price said that while the human element plays a role, the key to effective cybersecurity lies in proactive measures that eliminate or reduce vulnerabilities. That mindset will allow organizations to stay one step ahead of cyber threats and protect their valuable digital assets.

As for the future of cybersecurity, Price predicts that within the next five years, three key factors will converge.

The first is the widespread adoption of SBOMs by software developers, which he expects to occur sooner than anticipated. The others come down to adopting two approaches that are being advocated by the Biden administration, FBI, NSA, and CISA. These are implementing security by design and security by default, which entails building networks and products with security in mind from the very beginning. “Right now, security is usually bolted on, it’s not baked in,” said Price. By incorporating these practices, cyberdefenders will be able to reduce their workload and focus on deeper analysis, ultimately improving their effectiveness. 

Price said that as the industry realizes the necessity for these changes, defenders will gain an advantage over cybercriminals, leading to a more favorable outcome in the ongoing battle against cyberthreats. “These criminals are not stupid, there are some brilliant minds out there. And we have to out-think them.”

Ben Hayden is a Maine resident who grew up in the shipyards of northern Massachusetts. He can be reached at (207) 842-5430.