With financial consequences estimated at an average $11.7 million, cyber-attacks are one of the principal risks facing today’s companies. Given our increasing dependency on digital technologies – whether for production equipment, infrastructure, or everyday life – the impact of a cyber-attack can be disastrous. And yet, many companies are still behind the curve in terms of cyber-security, leaving their organisations vulnerable to the numerous threats surrounding them.
The risk of a cyber-attack arises whenever an information system is used as it is widespread access to the Internet and communication between systems that has opened the door to hackers. As cyber-attack resources have become more easily available, they can be carried out by any hacker that wants to cause damage to private individuals, companies or institutions.
More and more hackers are being attracted by the potential financial gains of cyber-attacks and the fact that they are increasingly easy to carry out, as illustrated by the growing number of articles about cyber-attacks in the mass-market media. In the manufacturing sector, the financial risk of cyber-attacks represents hundreds of millions of euros and yet industrialists are still insufficiently aware of the problem and have a tendency to bury their heads in the sand.
Cyber-attacks are getting easier
Requiring highly specific skills or at least substantial financial resources, large-scale cyber-attacks were for a long time restricted to organisations with significant wealth behind them – in practice government agencies. The first massive industrial cyber-attack was Stuxnet, which was launched in 2009 when Iran’s nuclear programme was causing concerns for the West. Stuxnet was a computer worm created by the US and Israeli secret services that attacked the IT systems used to control the centrifuges in Iran’s uranium enrichment process. It infected over 200,000 computers and damaged thousands of machines, putting a halt to the Iranian nuclear programme.
Since Stuxnet, industry has had to deal with much more widespread access to cyber-attack resources, which has led to a surge in cyber-risks. Nowadays when a cyber-attack is perpetrated, more often than not it is then shared on the dark web – an anonymous network that overlays the traditional Internet – and can therefore be reproduced by hackers across the whole world. The dark web is not just used for illegal purposes but it does contain a wide range of illegal activities and offers, including the sale of IT breaches and cyber-attack resources.
“As digital technologies are playing an increasingly important role in all professions, companies’ exposure to attacks has become considerably heightened.“
With the development of the dark web, cyber-attacks have propagated. Resources spread rapidly from one sector to another and hackers can attack their targets using methods that have already been successful for others. In addition, as digital technologies are playing an increasingly important role in all professions, companies’ exposure to attacks has become considerably heightened. This is due to the fact that in addition to using management information systems, major industrial players are using computers more and more to control, supervise, and exchange data at a level very close to their production chains.
Cyber risks are as varied as they are dangerous
Hackers are generally driven by one of two goals: either to damage their target (for economic, political or military reasons) or to achieve financial gain. The methods they use vary depending on their objective and include DoS (Denial of Service) attacks (which consist of making an IT system unavailable to its intended users), cyber-espionage, cyber-fraud and financial crime, cyber-burglary etc. Altogether, twelve main types of cyber-attacks have been identified.
In cases where the goal is to damage a target, the perpetrator is often a government agency with significant financial resources that is seeking to attack an enemy country. For example, in December 2016, a virus-based cyber-attack on the Ukrainian electricity grid caused a major power cut in West Ukraine. The virus infected the electricity supplier’s remote command system, cutting the current of the switching devices and erasing all of the control systems’ configuration files. This was a disaster for the people affected, as they were deprived of energy in the middle of winter, and was also a severe blow for the Ukrainian government.
“Over and above the cost impact, a cyber-attack can cause significant damage to a company’s brand image”
Attacks aimed at achieving a financial gain can cause just as much damage. In recent years, large companies in a range of different sectors have been the targets of ransom cyber-attacks. The principle of these attacks is simple: a virus infects the company’s information systems and encrypts the data in its computers. This paralyses the company, which can only re-access its data by paying a ransom. Last year, companies and institutions worldwide were targeted by Cerber Ransomware, which was based on this principle. In France alone, major companies in a variety of sectors (retail, automotive, public transport and manufacturing) were attacked. Following this cyber-attack several of the targeted companies announced financial losses in the region of €300 million. Others had the connections to their factories cut off, resulting in production stoppages and estimated losses of €200 million. Over and above the cost impact, a cyber-attack can cause significant damage to a company’s brand image.
How can industrial players protect themselves?
“It is impossible for companies to achieve zero risk. However, by constantly looking out for the slightest signals, they can ward off attempted cyber-attacks”
Just as the French couldn’t fully protect themselves against the German army with the Maginot line in World War II, it is impossible for companies to achieve zero risk. Provided they have the necessary time and financial resources, hackers will always be able to find a way of getting round the protection systems in place. However, by constantly looking out for the slightest signals, companies can ward off attempted cyber-attacks.
As the cyber-attack threat is constantly evolving, cyber-security systems need to be regularly updated. However, this is not easy in the manufacturing sector, where the overriding priority is production and the general approach is “if it isn’t broken don’t fix it”. Introducing changes means taking the risk of unforeseen effects.
Some companies have made cyber security a number one priority, either because they are voluntarily taking the lead in the area or because they have been required to do so by law. In France, this is notably the case for Critical Organisations (called “OIVs”), which play a major role in society. Other companies have buried their heads in the sand and are waiting until they are directly affected before dealing properly with cyber-security. On average, a company that has suffered a $1 million loss through a cyber-attack will invest 43% of that amount (i.e. $430,000) in securing its systems afterwards.
At Assystem, we have people specialised in the cyber-risks of production systems who can serve all sectors, ranging from industry and nuclear to business and transport. In order to pinpoint weak spots and counter potential attacks, cyber-security needs to be addressed at three levels:
- In-depth knowledge of production information systems and their interaction. These systems tend to be regularly altered by the teams concerned in order to meet changes in production needs, without an overall vision. As a result, there is no global systems mapping and sometimes the security rules in place within the company are circumvented, which makes the whole computer network vulnerable.
- Updates to communication architectures. Some systems run on obsolete operating systems which are no longer supported by their manufacturer. In this case, the manufacturer no longer offers updates to correct OS failures and bugs, which makes the system vulnerable to attacks. It is therefore primordial to adapt companies’ protection architecture in order to safeguard against risks.
- And lastly, a more global approach to security. Cyber-attacks often happen because of an upstream problem, such as a procedure that has not been respected, an unauthorised connection or an unplanned visit. That is why we prefer to talk of global security, which integrates physical, functional and cyber-security into one overall scope of analysis. By analysing all three of these areas together we can create a holistic risk approach.
Faced with such a multitude and variety of cyber-attacks, some companies are tempted to opt for the apparently easy route of ignoring the problem. However, the risks are great and the price to pay can be very high. For instance, imagine if a computer virus were to target a highly critical area such as nuclear power plants and cause the stoppage of a facility. Above and beyond the financial impact (which would be enormous in itself at €1 million per day of stoppage) and the complexity of relaunching the operation of a nuclear facility, the image of the company concerned would be badly damaged and it would completely lose the public’s confidence. Surely this means that prevention is better than cure?