Threat in the making: Ransomware hits industrial control systems
Risk managers play critical role in protecting production
Skyrocketing growth in connected devices and organizations’ increasing exposure to malware attacks are troubling trends, but not new. However, an emerging cyber risk area, which should greatly concern risk professionals, is the growing threat to their industrial control systems.
Developments in manufacturing and industrial systems intended to improve efficiency are a double-edged sword. On one side, more connections between information technology networks and operations technology systems make monitoring and control of production processes easier. On the other, such connectivity is raising the risk of malware infecting the operations on which industrial organizations’ revenue and profitability depend.
A decade ago, production networks were obscure systems few understood. As these systems have become more mainstream, the number of specialists has risen. Just as operations technology skill sets have grown, so too have the skills of attackers who target them. Security through obscurity was never a sound control and is now plainly insufficient, and organizational silos between IT and operations perpetuate the risk.
Cyber criminals continue to deploy malware such as ransomware because it’s profitable. For example, the more valuable an asset they can disrupt, the higher the ransom attackers can demand, making it more attractive as a target. For manufacturers, after their people and intellectual property, among their most important assets are production equipment and processes that generate revenue and protect an organization’s value.
The nature of malware attacks is evolving, which requires risk professionals to keep up with changing exposures and mitigation strategies. For example, in 2017 the NotPetya attack changed how the world viewed ransomware risk. According to news reports, NotPetya infected tens of thousands of computers around the world, with costs for affected organizations totaling billions of dollars. It was a broad, indiscriminate attack that not only shut down operations but also destroyed data in many industries; although it presented a ransom note, affected organizations had no practical way to recover their data by paying. More recent attacks, however, are more targeted, and many of them aim at high-value core systems, such as those that control or are critical to the continuity of manufacturing and production.
A role for risk managers
Cyber risks to production cannot remain the sole responsibility of technology professionals. Such risks are enterprise-level and call for coordinated risk management. Typically, the best person to lead this effort is a risk management professional, who can bring together business leaders and senior management. It is a compelling opportunity for risk managers to show their value to their organizations by also becoming more proficient about their organization’s operational technology.
From there, risk professionals can take several steps to help their organizations mitigate the impact of malware, including ransomware, and improve resilience. These include:
- Break down technology silos. Many organizations have a functional and cultural gap between IT staff and those working on production networks, and the two groups often exist in silos. They frequently speak different languages and are driven by different departmental objectives. Organizations should break down these silos and unify their technology teams. Cyber risk management calls for a holistic approach, and risk professionals should collaborate closely with chief information security officers. Risk managers should be aware of their accountability as risk stewards and fear complacency on cyber risk more than they fear the difficulty of understanding technical processes.
- Prioritize cyber as an enterprise risk. A good place to start with an enterprise risk management approach that includes cyber is to look at who is invited to the table for ERM meetings. Are the IT and operations technology sides represented? Cyber is like any other risk in terms of impact from disruption; a fire that could burn down a production facility is an enterprise risk that would disrupt the entire organization. Similarly, malware that encrypts or manipulates control systems poses an enormous threat to property and key assets.
- Insist on secure backups. A time-honored and proven technique in property risk management is redundancy. In a technology context, data backups serve as redundant resources, but not all backups are created equal. A backup that is reachable from the production network with the same credentials the attacker has already stolen will simply be encrypted along with everything else. Backups that are kept offline or otherwise immutable, that cover the operational technology artifacts needed to restart production (controller logic, HMI and historian configurations, engineering workstation images) and not only corporate IT data, and whose integrity and restore procedure are tested regularly give the organization a completely different option when it is attacked. Led by risk professionals, the right backup strategy builds resilience ahead of time, letting organizations focus on rapid recovery instead of the difficult decision to rebuild their systems from scratch or pay a ransom demand to regain access to critical systems.
- Prepare the organization for attacks. Resilience in the face of emerging risks takes a mindset of preparation. Risk professionals should communicate that malware risk in industrial control systems is real, and that it often begins on the IT side with a phishing email before spreading to production networks. Layering defenses and balancing security with business enablement are critical steps. Cyber-attacks are inevitable, but the resulting losses can be kept small if risk managers collaborate with their organizations' technology leaders.
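The backup point above has a concrete, testable core: a backup is only a redundant resource if you can prove, before you restore from it, that it has not been quietly encrypted or replaced. The following is an added example, not code from the original article or from FM Global, showing one way to do that check. It assumes a manifest of SHA-256 hashes that was produced when the backup was taken and stored out-of-band (off the production network), and it uses a byte-entropy heuristic to distinguish a file that ransomware has encrypted (near-random bytes) from one that was merely edited. The file names, contents and the 7.5-bit threshold are constructed for the illustration.

```python
"""Verify an ICS backup set against an out-of-band hash manifest.

Added example (not FM Global code). Files are passed in as bytes so the
script runs offline; in practice they would be read from the backup media
and the manifest from a separate, write-once location.
"""
import hashlib
import math
from collections import Counter

# Constructed threshold: plain-text PLC exports and XML/INI configs sit
# well below 6 bits/byte; ciphertext from any modern cipher sits near 8.
ENTROPY_THRESHOLD_BITS = 7.5


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Hash every file at backup time; the result is stored off-network."""
    return {name: sha256_hex(blob) for name, blob in files.items()}


def verify_backup_set(files: dict[str, bytes], manifest: dict[str, str]) -> dict[str, str]:
    """Classify each file as ok / missing / tampered / encrypted / unexpected.

    'encrypted' means the hash mismatches AND the bytes look like ciphertext,
    which is the signature of a backup that ransomware reached.
    """
    results: dict[str, str] = {}
    for name, expected in manifest.items():
        blob = files.get(name)
        if blob is None:
            results[name] = "missing"
        elif sha256_hex(blob) != expected:
            high = shannon_entropy(blob) > ENTROPY_THRESHOLD_BITS
            results[name] = "encrypted" if high else "tampered"
        else:
            results[name] = "ok"
    for name in files:
        if name not in manifest:
            results[name] = "unexpected"  # not covered by the manifest at all
    return results


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# Constructed sample backup: a structured-text PLC program and an HMI config.
PLC_LOGIC = b"PROGRAM Pump1\n  IF Level > 80.0 THEN Pump := TRUE; END_IF;\nEND_PROGRAM\n" * 40
HMI_CONFIG = b"[screen_main]\ntag=Level\nalarm_hi=85\nalarm_lo=10\n" * 40
ORIGINAL_FILES = {"pump1.st": PLC_LOGIC, "hmi_main.ini": HMI_CONFIG}


def demo() -> dict[str, str]:
    """Take the manifest, then simulate what ransomware leaves behind."""
    manifest = build_manifest(ORIGINAL_FILES)
    after_attack = {
        "pump1.st": _pseudo_ciphertext(b"seed", len(PLC_LOGIC)),  # encrypted
        "hmi_main.ini": HMI_CONFIG.replace(b"alarm_hi=85", b"alarm_hi=99"),  # edited
        "README_DECRYPT.txt": b"Your files are encrypted. Pay to recover.\n",
    }
    return verify_backup_set(after_attack, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

The point of the entropy branch is the caveat a risk manager should hear from the technology team: a backup job that keeps running after an attack will faithfully copy the encrypted files over the good ones, and only an integrity record kept somewhere the attacker could not reach tells you which generation of the backup is still worth restoring.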
Bringing all the pieces together to mitigate the risk of malware is vital; otherwise, organizations will never manage cyber risk effectively. The convergence of systems and of cyber risks means that risk management and cybersecurity also must converge. System convergence and remote monitoring were occurring even before the coronavirus pandemic, and that will certainly continue. In the future, the security of production
FM Global #DIA