A status report on cyber-risks

3 July 2018

With financial consequences estimated at an average $11.7 million, cyber-attacks are one of the principal risks facing today’s companies. Given our increasing dependency on digital technologies – whether for production equipment, infrastructure, or everyday life – the impact of a cyber-attack can be disastrous. And yet, many companies are still behind the curve in terms of cyber-security, leaving their organisations vulnerable to the numerous threats surrounding them.

The risk of a cyber-attack arises whenever an information system is used, because widespread access to the Internet and communication between systems have opened the door to hackers. As cyber-attack resources have become more easily available, attacks can be carried out by any hacker who wants to cause damage to private individuals, companies or institutions.

More and more hackers are being attracted by the potential financial gains of cyber-attacks and the fact that they are increasingly easy to carry out, as illustrated by the growing number of articles about cyber-attacks in the mass-market media. In the manufacturing sector, the financial risk of cyber-attacks represents hundreds of millions of euros and yet industrialists are still insufficiently aware of the problem and have a tendency to bury their heads in the sand.

Cyber-attacks are getting easier

Requiring highly specific skills or at least substantial financial resources, large-scale cyber-attacks were for a long time restricted to organisations with significant wealth behind them – in practice government agencies. The first massive industrial cyber-attack was Stuxnet, which was launched in 2009 when Iran’s nuclear programme was causing concerns for the West. Stuxnet was a computer worm created by the US and Israeli secret services that attacked the IT systems used to control the centrifuges in Iran’s uranium enrichment process. It infected over 200,000 computers and damaged thousands of machines, putting a halt to the Iranian nuclear programme.

Since Stuxnet, industry has had to deal with much more widespread access to cyber-attack resources, which has led to a surge in cyber-risks. Nowadays when a cyber-attack is perpetrated, more often than not it is then shared on the dark web – an anonymous network that overlays the traditional Internet – and can therefore be reproduced by hackers across the whole world. The dark web is not just used for illegal purposes but it does contain a wide range of illegal activities and offers, including the sale of IT breaches and cyber-attack resources.

With the development of the dark web, cyber-attacks have propagated. Resources spread rapidly from one sector to another and hackers can attack their targets using methods that have already been successful for others. In addition, as digital technologies are playing an increasingly important role in all professions, companies’ exposure to attacks has become considerably heightened. This is due to the fact that in addition to using management information systems, major industrial players are using computers more and more to control, supervise, and exchange data at a level very close to their production chains.

Cyber risks are as varied as they are dangerous

Hackers are generally driven by one of two goals: either to damage their target (for economic, political or military reasons) or to achieve financial gain. The methods they use vary depending on their objective and include DoS (Denial of Service) attacks (which consist of making an IT system unavailable to its intended users), cyber-espionage, cyber-fraud and financial crime, cyber-burglary etc. Altogether, twelve main types of cyber-attacks have been identified.

In cases where the goal is to damage a target, the perpetrator is often a government agency with significant financial resources that is seeking to attack an enemy country. For example, in December 2016, a virus-based cyber-attack on the Ukrainian electricity grid caused a major power cut in West Ukraine. The virus infected the electricity supplier’s remote command system, cutting the current of the switching devices and erasing all of the control systems’ configuration files. This was a disaster for the people affected, as they were deprived of energy in the middle of winter, and was also a severe blow for the Ukrainian government.

Attacks aimed at achieving a financial gain can cause just as much damage. In recent years, large companies in a range of different sectors have been the targets of ransom cyber-attacks. The principle of these attacks is simple: a virus infects the company’s information systems and encrypts the data in its computers. This paralyses the company, which can only re-access its data by paying a ransom. Last year, companies and institutions worldwide were targeted by Cerber Ransomware, which was based on this principle. In France alone, major companies in a variety of sectors (retail, automotive, public transport and manufacturing) were attacked. Following this cyber-attack several of the targeted companies announced financial losses in the region of €300 million. Others had the connections to their factories cut off, resulting in production stoppages and estimated losses of €200 million. Over and above the cost impact, a cyber-attack can cause significant damage to a company’s brand image.

How can industrial players protect themselves?

“It is impossible for companies to achieve zero risk. However, by constantly looking out for the slightest signals, they can ward off attempted cyber-attacks”

Just as the French couldn’t fully protect themselves against the German army with the Maginot line in World War II, it is impossible for companies to achieve zero risk. Provided they have the necessary time and financial resources, hackers will always be able to find a way of getting round the protection systems in place. However, by constantly looking out for the slightest signals, companies can ward off attempted cyber-attacks.

As the cyber-attack threat is constantly evolving, cyber-security systems need to be regularly updated. However, this is not easy in the manufacturing sector, where the overriding priority is production and the general approach is “if it isn’t broken don’t fix it”. Introducing changes means taking the risk of unforeseen effects.

Some companies have made cyber security a number one priority, either because they are voluntarily taking the lead in the area or because they have been required to do so by law. In France, this is notably the case for Critical Organisations (called “OIVs”), which play a major role in society. Other companies have buried their heads in the sand and are waiting until they are directly affected before dealing properly with cyber-security. On average, a company that has suffered a $1 million loss through a cyber-attack will invest 43% of that amount (i.e. $430,000) in securing its systems afterwards.

At Assystem, we have people specialised in the cyber-risks of production systems who can serve all sectors, ranging from industry and nuclear to business and transport. In order to pinpoint weak spots and counter potential attacks, cyber-security needs to be addressed at three levels:

  • In-depth knowledge of production information systems and their interaction. These systems tend to be regularly altered by the teams concerned in order to meet changes in production needs, without an overall vision. As a result, there is no global systems mapping and sometimes the security rules in place within the company are circumvented, which makes the whole computer network vulnerable.
  • Updates to communication architectures. Some systems run on obsolete operating systems which are no longer supported by their manufacturer. In this case, the manufacturer no longer offers updates to correct OS failures and bugs, which makes the system vulnerable to attacks. It is therefore essential to adapt companies’ protection architecture in order to safeguard against risks.
  • And lastly, a more global approach to security. Cyber-attacks often happen because of an upstream problem, such as a procedure that has not been respected, an unauthorised connection or an unplanned visit. That is why we prefer to talk of global security, which integrates physical, functional and cyber-security into one overall scope of analysis. By analysing all three of these areas together we can create a holistic risk approach.

Faced with such a multitude and variety of cyber-attacks, some companies are tempted to opt for the apparently easy route of ignoring the problem. However, the risks are great and the price to pay can be very high. For instance, imagine if a computer virus were to target a highly critical area such as nuclear power plants and cause the stoppage of a facility. Above and beyond the financial impact (which would be enormous in itself at €1 million per day of stoppage) and the complexity of relaunching the operation of a nuclear facility, the image of the company concerned would be badly damaged and it would completely lose the public’s confidence. Surely this means that prevention is better than cure?

Vincent Boulanger

External contributor
