Cynthia Hudson founded what would become the global maritime risk consultancy HudsonAnalytix in 1986, long before cybersecurity was a buzzword.
The Camden, New Jersey-headquartered company has evolved over the years to include HudsonMarine, HudsonSystems and HudsonTrident, offices in San Diego, Greece and Italy, as well as a HudsonCyber unit, launched in 2016.
Speaking at this fall’s conference of the Women’s International Shipping & Trading Association (WISTA) in the Cayman Islands, Hudson said the company she leads as CEO “overall is focused on risk in the maritime space and trying to find solutions, whether those are services or technology, to provide insight and support to vessel owners, ports and terminals.”
Hudson, president of the WISTA Delaware River and Bay chapter, said addressing cyber risk requires “an A-to-Z point of view, what happens from the assessment point all the way to what happens should there be an unfortunate cyber breach.”
To gain that broad perspective, HudsonCyber and Aon announced in late April that they were partnering to provide cybersecurity capability assessment, integrated cyber breach response and mitigation support to the global maritime community.
Aon was selected as a partner because it has “what we consider a best-of-breed response and remediation house,” Hudson said. “We will be able to provide a technical arm for a cyber response, not only the consultative and management arm, which we’re already doing, but actually the response arm all around the world.”
The partnership “hopefully will lead to insurance policies and products,” which are beginning to become available in the maritime industry, Hudson said. “I understand there’s something coming — or has come — out of Shoreline. There is something with Norwegian Hull. There is something with two clubs that we’re aware of that announced specific policies. So there are many, many options, but we feel this is an A-to-Z model. Let’s figure out the risk and then let’s figure out what to do if an unfortunate event happens and then let’s figure out how we can insure the gap between what we can sustain and what our loss is.”
Hudson illustrated the need for risk assessment by providing examples of cyberattacks in the global maritime industry:
• An August 2011 cyberattack on the Islamic Republic of Iran Shipping Lines (IRISL) caused “a complete business interruption from A to Z,” Hudson said.
• At the Port of Antwerp between 2011 and 2013, drug traffickers were responsible for what Hudson called “a situation where data was encrypted and it was used in order to take over an ecosystem, delivering illicit cargo through containers and even all the way through the port system.”
• Maersk said a 2017 cyberattack cost it $350 million. “I think maybe it’s double, but I don’t have the insight,” she said. “It was a very, very big incident. It was not just ships, it was terminals, their entire organization.”
She said there have been countless cases of “spear phishing and business email compromising. That’s the ‘please send $1 million to this bank account right away,’ and it’s signed by a president who happens to be out of town that day.”
Hudson said her company’s HudsonCyber unit is “seeing the highest probability through our threat department of ERP — enterprise system compromises.”
Hudson, a director of the North American Marine Environment Protection Association (NAMEPA), said all companies need to know where the value is within their organizations and learn how to protect it. “Maybe nothing happens to your business for years. Maybe next year the cyber hacker has a buyer for the type of information your company has internally, and so suddenly you have an attack.”
Some companies mistakenly make cybersecurity the responsibility of a “security practitioner,” Hudson said. “We’re encouraging you to think about the risk as a bigger problem that goes from top to bottom. When I say top to bottom, I mean starting at the top.”
From CEOs to security practitioners, everyone must understand what cyberattackers want: money.
“So if we start to think about the risks that cyber threats create, it’s a monetary risk, whether that’s because of time, because of theft of actual money, theft of cargo,” Hudson said. “They want money. They’re willing to work for it.”
She said there are industry guidelines available, including the National Institute of Standards and Technology’s Cybersecurity Framework. It’s important to use those resources to protect company value. “The cost of cyber breaches is expected to exceed even the worst of our natural disasters,” Hudson noted.
HudsonCyber developed assessment software that was tested at three U.S. ports, “and we proved that it could work as an assessment process and tool. That led to the U.S. Trade and Development Agency funding a project, if we could find the right partner and identify a great location. Well, we did and they did. We started in April 2018 a technical assistance project. That is located in the Dominican Republic for Dominican ports,” she said.
She said cyber-risk assessments were conducted at four Dominican ports. “There were commonalities and we could see what the high points and low points were. It really was enlightening. We were able to show them what we thought the gaps were.”
The assessments have prompted the creation of a national port cybersecurity strategy, said Hudson, who was named one of the Outstanding Women in the Maritime and Port Industry by the Organization of American States’ Inter-American Committee on Ports in 2016. “This has led the Dominican Republic to something that will put them a little bit in the forefront, and we think it’s replicable and we think it’s fundable.”
These assessments can help close gaps and reduce cyber risks. “Once it comes down, what happens? You’re insurable,” she said.
“Yes, there’s a risk for all of this and, yes, there are ways to tackle it and there are solutions if you can come together and look at your entire enterprise and work together within competitive bounds with your neighbors.”