    Maritime Supply Chain Security in the Indo-Pacific Region: Threats and Policy Implications for National Security and Resilience

    By volume, about 99% of Australia’s trade is carried by sea, mainly through the Indo-Pacific region. Australia currently imports 90% of liquid fuel from other countries, primarily Japan, Korea and Singapore. Global shipping trade valued around USD3.37 trillion is also passed through the South China Sea, where the Strait of Malacca is one of the busiest oil/energy shipping routes in the world. The region, especially the South China Sea and East China Sea, is subject to increasing maritime security threats due to territorial disputes and the risk of military conflicts. This report presents emerging security challenges facing maritime supply chains in the Indo-Pacific region and the implications for Australia. The report comprises four component studies. The first study is a scenario analysis of maritime security threats in the South China Sea and the broader Indo-Pacific that are associated with three contexts: South China Sea conflict, cyber attack on Australian maritime information systems, and Indo-Pacific maritime logistics network disruption. The result of the scenario analysis indicates that South China Sea conflicts would cause shipping capacity shortage, port operations breakdown, production disruption, technology failures, international armed conflicts, trade sanctions/embargo and diversion. These will likely result in an economic downturn, critical supplies, maritime supply chain disruptions, and increasing military activities in the region. Cyber attacks on Australian maritime information systems will cause navigation operations disruption, cyber operations disruption, social technical disruption, human resource issues (due to temporary skill shortages), and maritime supply chain disruption. These in turn have further impacts on Australia including port congestion and disruption of commercial shipping and supply chain operations. Disruption of the Indo-Pacific maritime logistics network can be caused by factors other than those mentioned above. 
These can be competitive responses/interaction between countries or large organisations; disruptive innovation, e.g. Northern Sea Route, and Belt and Road Initiative; geopolitical disruptions; ecological disruptions, e.g. tsunamis, pandemic, climate change; and trade related disruptions. These could have impacts on Australia including disruption of IT systems and trade networks, port and shipping operations, supply chain operations, critical supply shortages, loss of human lives, exhaustion of emergency rescue and security capabilities, economic downturn and social unrest. The second study analyses the vulnerability of the tanker shipping network that Australia relies on for fuel supplies using Auto Identification System data. The analysis result indicates that while Australia’s energy trade with Malaysia, Indonesia, Singapore, the US, Japan, Taiwan (China), Vietnam and the Philippines is not critically exposed to maritime security threats in South China Sea and East China Sea, energy trade of the latter countries is substantially exposed to tanker operations disruption caused by a closure of the South China Sea and East China Sea. All shipping routes connected to Taiwan will be directly impacted and so will all imports to Brunei. Seven out of eight shipping routes to Japan are affected and six of them are subject to a very significant impact. Six out of ten shipping routes to Malaysia, four out of fourteen routes to Singapore, and two out of seven routes to Thailand will be affected. The closure of the South China Sea and East China Sea will force tankers to avoid these seas causing tanker tonnage shortages and disruption of the fuel supply chains. As a result, Australia may join allies and other countries in the region in ensuring the Freedom of Navigation Operations (FONOPS) and upholding the rules-based international maritime order. 
The third study highlights the vulnerabilities of the Australian maritime industry due to cyber-attacks and analyses the potential impact of cyber attacks on Australian maritime information systems under five cyber security threat scenarios, namely attacks on Australian destined shipping in the Malacca Straits; attacks on Australian bound shipping in the Lombok Strait; attacks on Australian bound shipping due to ransomware cyber breaches; maritime supply chain disruption due to data breach; maritime supply chain disruption due to cyber blockade. The third study also provides a number of recommendations for cyber security, including back-up system development, ransomware policy; adopting international cybersecurity standards and guidelines; improving the security of corporate information systems; strengthening the incident reporting systems; improving the security of electronic navigation systems; diversifying supply sources; formulating strategic alliances and partnership with countries; onshoring and nearshoring to avoid the conflict areas; building cyber resilience; incorporating cyber security in maritime training and education; and the Government’s initiatives on maritime cyber security. The fourth study proposes a national security-resilience framework for maritime supply chains, recapitulates security threats and advances strategies to enhance preparation and prevention, recovery from and adaptation to supply chain disruptions in the Indo-Pacific region. A focus group workshop was held to identify national security risks; resource and capacity constraints; and draw policy implications and recommendations for national resilience strategies. 
Several security issues and constraints facing Australia’s maritime supply chains identified include: reliance on one or few countries for critical supplies and main trade; the lack of ownership and control of a strategic fleet; insufficient stockpiles and fuel reserves; risk of being disconnected from allies and partners in the Indo-Pacific in case of maritime territorial conflict; political influences on the Indo-Pacific region affecting Australia’s strategic position; insufficient maritime infrastructure and the management of foreign investment in critical maritime infrastructure; natural disaster and climate change effects. The strategic policy recommendations to address the above security risks and constraints include: increasing of stockpiles and critical reserves and the diversification of supply sources and supply chains to mitigate the risk of reliance on a few sources for critical supplies; development of reliable domestic production capacity; better control and development of a strategic fleet and maritime infrastructure; the Government taking the leading role in national resilience through active engagement with the private sector, public-private partnership and the participatory approach; the Government leading national preparedness and resilience building by promoting national awareness and consciousness of the security and resilience issues. Australia should take a more active role in the region through international relations and cooperation, focusing not only on the warfare and defence elements but also shifting trade patterns and building alliances with friendly countries in the region

    Ghost in the Network

    ANCHOR: logically-centralized security for Software-Defined Networks

    While the centralization of SDN brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties like 'security' or 'dependability'. Though addressing the latter in an ad-hoc, piecemeal way, may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. As a general concept, we propose ANCHOR, a subsystem architecture that promotes the logical centralization of non-functional properties. To show the effectiveness of the concept, we focus on 'security' in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms, in a global and consistent manner. Essential security mechanisms provided by anchor include reliable entropy and resilient pseudo-random generators, and protocols for secure registration and association of SDN devices. We claim and justify in the paper that centralizing such mechanisms is key for their effectiveness, by allowing us to: define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and promote the security and resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms, including the formalisation of the main protocols and the verification of their core security properties using the Tamarin prover. Comment: 42 pages, 4 figures, 3 tables, 5 algorithms, 139 reference

    Analysis of Coastal Restoration Workforce Assets, Challenges, and Opportunities in South Louisiana

    The implementation of Louisiana's 2012 Coastal Master Plan is underway and is designed to ensure the future of Louisiana's coastal environments and economy. The only plan of its kind in the country, the Coastal Master Plan will protect significant energy and commerce assets critical to the nation's economic security. The Coastal Master Plan, along with the Greater New Orleans Urban Water Plan, demonstrates a science-based, strategic approach to resilience that has garnered national and international attention for Louisiana. Recognizing the significant opportunity of planned coastal restoration projects on the communities, environments, and economies of South Louisiana, Foundation for Louisiana (FFL) commissioned Greater New Orleans, Inc. (GNO, Inc.) to produce an analysis of Louisiana's coastal restoration industry and workforce that could inform public officials, community partners and potential funders about the workforce assets, opportunities, and challenges relevant to implementing the Coastal Master Plan

    Global Risks 2014, Ninth Edition.

    The Global Risks 2014 report highlights how global risks are not only interconnected but also have systemic impacts. To manage global risks effectively and build resilience to their impacts, better efforts are needed to understand, measure and foresee the evolution of interdependencies between risks, supplementing traditional risk-management tools with new concepts designed for uncertain environments. If global risks are not effectively addressed, their social, economic and political fallouts could be far-reaching, as exemplified by the continuing impacts of the financial crisis of 2007-2008

    Security and trust in cloud computing and IoT through applying obfuscation, diversification, and trusted computing technologies

    Cloud computing and Internet of Things (IoT) are very widely spread and commonly used technologies nowadays. The advanced services offered by cloud computing have made it a highly demanded technology. Enterprises and businesses are more and more relying on the cloud to deliver services to their customers. The prevalent use of cloud means that more data is stored outside the organization’s premises, which raises concerns about the security and privacy of the stored and processed data. This highlights the significance of effective security practices to secure the cloud infrastructure. The number of IoT devices is growing rapidly and the technology is being employed in a wide range of sectors including smart healthcare, industry automation, and smart environments. These devices collect and exchange a great deal of information, some of which may contain critical and personal data of the users of the device. Hence, it is highly significant to protect the collected and shared data over the network; notwithstanding, the studies signify that attacks on these devices are increasing, while a high percentage of IoT devices lack proper security measures to protect the devices, the data, and the privacy of the users. In this dissertation, we study the security of cloud computing and IoT and propose software-based security approaches supported by the hardware-based technologies to provide robust measures for enhancing the security of these environments. To achieve this goal, we use obfuscation and diversification as the potential software security techniques. Code obfuscation protects the software from malicious reverse engineering and diversification mitigates the risk of large-scale exploits. We study trusted computing and Trusted Execution Environments (TEE) as the hardware-based security solutions. Trusted Platform Module (TPM) provides security and trust through a hardware root of trust, and assures the integrity of a platform. 
We also study Intel SGX which is a TEE solution that guarantees the integrity and confidentiality of the code and data loaded onto its protected container, enclave. More precisely, through obfuscation and diversification of the operating systems and APIs of the IoT devices, we secure them at the application level, and by obfuscation and diversification of the communication protocols, we protect the communication of data between them at the network level. For securing the cloud computing, we employ obfuscation and diversification techniques for securing the cloud computing software at the client-side. For an enhanced level of security, we employ hardware-based security solutions, TPM and SGX. These solutions, in addition to security, ensure layered trust in various layers from hardware to the application. As the result of this PhD research, this dissertation addresses a number of security risks targeting IoT and cloud computing through the delivered publications and presents a brief outlook on the future research directions.
Cloud computing and the Internet of Things are nowadays very common and widely applied technologies. The highly developed services of cloud computing have made it a much-demanded technology. Companies increasingly rely on cloud technology when delivering services to their customers. In the prevailing use of cloud technology, companies outsource the processing of their data outside the company, which can be seen to raise concerns about the security and privacy of the data being stored and processed. This underlines the importance of effective security solutions as part of securing the cloud infrastructure. The number of Internet of Things devices has grown rapidly. As a technology it is applied widely in many sectors, such as smart healthcare, industrial automation and smart spaces. Such devices collect and transmit large amounts of information, which may include data that is critical and private for the devices' users. For this reason it is highly important to protect the data collected and shared over the network. Many studies show that the number of security attacks against Internet of Things devices is rising, while at the same time a large share of these devices lack proper technical features for protecting the devices themselves or their users' private data. This dissertation studies the security of cloud computing and the Internet of Things and presents software-based security approaches that rely in part on hardware-based technologies. The presented approaches offer robust means of improving security in these contexts. To achieve this, the work applies obfuscation and diversification as potential software-based security techniques. Obfuscating executable code protects against malicious reverse engineering of software, and diversification counters the risk of large-scale exploitation of vulnerabilities. The dissertation studies trusted computing and trusted execution environments as hardware-based security solutions. TPM (Trusted Platform Module) provides security and confidentiality, building on hardware-based trust. The aim is to guarantee the integrity of the execution platform. The work also studies Intel SGX as one trusted execution environment, which guarantees the integrity and confidentiality of executed code and data, based on the technical implementation of a protected container, the enclave. More precisely, the work secures the software layer of Internet of Things devices through obfuscation and diversification at the operating system and application programming interface levels. By applying the same techniques to the protocol layer, the work protects data exchange between devices at the network level. To secure cloud computing, the work applies obfuscation and diversification techniques to client-side software solutions. To achieve stronger security, the work makes use of the hardware-based TPM and SGX solutions. In addition to security, these solutions provide multi-layered trust built from the hardware level up to the software layer. As a result of this dissertation research, through its constituent publications, many security threats targeting Internet of Things devices and cloud computing are addressed. The work also presents views on topics for further research