IRPT Seminar Addresses New Government Cybersecurity Mandates
An update on new government mandates for audits concerning cybersecurity was the topic of a special session at the recent Inland Rivers, Ports and Terminals Inc. conference in Biloxi, Miss.
David Wren, president and CEO of Network Technology Partners, shared information on InfraGard, a free membership program that is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of critical U.S. infrastructure, which could include ports, locks and dams and certain other government and commercial facilities. Members include multiple transportation and agricultural facilities. Wren also serves as the president of InfraGard.
The InfraGard program is now 25 years old, and it has more than 75,000 members nationwide, Wren said.
It helps protect against all manner of cybersecurity risks, including ransomware attacks. Those attacks are ongoing even against small companies and don’t take much to succeed, he said. For example, the attack that shut down the Colonial Pipeline this spring was the result of one username and password purchased from the Dark Web.
Such an attack could be especially harmful in the river industry, he said. He gave an example of a ransomware attack at one grain elevator.
“It could stop grain flowing down the river for a day, a month, a week, and think about the cost of that,” Wren said. “Think about the cost for not only paying out ransom but also the cost of interruption of business.”
The U.S. Department of Defense already has cybersecurity requirements in place for about 20 percent of the supply chain, including prime contractors and their subcontractors, and the measures are coming to the transportation industry, Wren said.
“The Biden administration is going to be forcing this set of cyber-criteria into the industry, and if you don’t comply, there are going to be fines,” he said.
That could be potentially expensive. Using the Department of Defense as an example, he said that in 2020 the department collected $2.2 billion in fines.
“So it’s not bad enough that we’re being targeted by hackers,” he said. “If you don’t properly secure your environment and then you don’t properly notify when that happens, then the government could come after you for penalties and fines.”
The most common cybersecurity risks are ransomware and business email compromise, often from employees clicking on links in emails, Wren said. With more employees working from home, ransomware attacks grew by 400 percent in 2020 and by 900 percent in 2021. Their success means expected continued growth in attack.
The best protection against cybersecurity attacks remains prevention and continued vigilance.
He advises companies to log data and make backups and to stress to employees to take their time when a new email comes in to make sure that both the email and its links are legitimate. Be particularly suspicious of emails that create a sense of urgency, he said. Companies may also benefit from completing a risk assessment and scheduling cybersecurity awareness training for their employees, focusing on early detection and response.
Additionally, Wren employs “ethical hackers” that test cybersecurity, and he suggested other companies would be well served to put them to use.
“Everybody should hire a hacker to hack your company,” he said. “It’s better to hire a hacker and have them hack you and show you how they did it than it has to have the bad guys do it.”
Caption for photo: David Wren, president and CEO of Network Technology Partners, speaks during the recent Inland Rivers, Ports and Terminals conference in Biloxi, Miss. (Photo by Dee Dee Whittaker)
