Assessing and bracing against cyber vulnerabilities in industrial sectors.
WHY THIS MATTERS
A number of studies suggest that business and government leaders recognize today’s industrial cyber threats but are not yet prepared to fend them off. While cyber-attacks are often cross-border and the threat to industrial companies is global, geopolitical realities and the concentration of industrial activity in certain parts of the world have made threats more acute in some countries.
The numbers are staggering. Ransomware attacks on operational technology (OT) networks soared fivefold from 2018 to 2020. Out of these, manufacturing entities comprised more than one-third of confirmed ransomware attacks on industrial organizations, followed by utilities, which made up 10 percent.
The estimated global cost of these ransomware attacks? It too has skyrocketed and is predicted to reach USD20 billion in 2021 — up from USD325 million in 2015.3 Operational disruption due to ransomware in OT environments has seen a 23-fold increase. In 2020, there was a 32 percent increase in ransomware attacks against energy and utilities organizations.4 Adding to the bad news for the sector, of course, is the fact that ransomware attacks continue to grow in sophistication. Additionally, attacks have increasingly targeted industrial control system (ICS) environments like oil-and-gas and manufacturing.
The dramatic evolution of today’s cyber-threat landscape
Threat actors continue to raise their game. Cybercriminals are continually changing tactics in an effort to avoid detection, increase their prospects for success and maximize their returns on ransomware attacks, including:
— The increasing use of close-knit syndicates of organized crime groups;
— Taking time to become more familiar with the operations of potential victims;
— Targeting attacks more precisely using legitimate documents that identify potential victims for malware delivery;
— Selling and buying direct access for rapid ransomware attacks instead of conducting advanced intrusions which are often more time consuming and costly
The motives for attacks can vary.
How do attackers choose their victims? Motives can vary and they are often supported by the illegal sale of passwords, tools and techniques to access corporate networks, which is also on the rise. Beyond financial gains, targeted ransomware attacks can involve diverse motives such as ideological or political factors. Regardless of motive, however, adequate security measures remain indispensable in order to effectively manage attacks.
Supply chains are enduring new threats.
Improved ecosystem hygiene is pushing threats to the supply chain, turning friends into unsuspecting ‘enemies.’ Global inter-connectedness of businesses, wider adoption of traditional cyber-threat counter measures, and improvements to basic cyber security are prompting threat actors to pursue new approaches that increasingly target supply chains — including software, hardware and cloud services.
OT/ICS infrastructure vulnerabilities demand costly solutions.
The discovery in recent years of vulnerabilities in programmable logic controllers (PLCs), human-machine interface (HMI), historian or engineering workstations all represent a high risk to organizations. In some cases, where vulnerabilities in critical infrastructure are targeted, operations could be impacted physically — causing safety hazards and even lead to loss of life.
In the crosshairs of geopolitics.
As new threats emerge, businesses may be facing the negative impact of geopolitical tensions and nation state cyber threats. These cyber-threat actors can take advantage of new capabilities as new technologies enable more sophisticated tactics, techniques and procedures (TTPs) which are focused to OT/ICS environments
According to the US Department of Homeland Security, cyber resilience is meant to ensure that business systems continue to perform mission-critical functions during a cyber-attack. Cyber resilience is particularly important for a subset of critical infrastructures known as lifeline sectors or strategic infrastructures. And it’s not just the US putting extra emphasis on the cyber resilience for critical infrastructure.
The EU’s 2016 NIS Directive is continually evolving to enhance cyber capabilities among critical infrastructure. The EU is also preparing to launch the Digital Operational Resilience Act (DORA), which aims to bolster cyber resilience for financial services among the lifeline sectors.
Additionally, the National Cybersecurity Authority in Saudi Arabia has mandated all sectoral regulators to develop sector specific frameworks to support the country’s cyber security strategy and regulation.
Distinguishing cyber resilience from cyber security
A key point that differentiates cyber resilience from cyber security is that cyber resilience capabilities continue to function even after an adversary has penetrated the security perimeter of a network to compromise cyber assets. Even at the later stages of the cyber-kill chain, cyber resilience can help to prevent adversaries from gathering intelligence on, exfiltrating data from, or taking control of mission-essential systems. A tailored cyber resilience program can serve post compromise along with a designed handbook for achieving cyber resilience outcomes based on a system engineering perspective on system lifecycle processes. The tailorable nature of engineering efforts and lifecycle processes ensures that systems that apply cyber resilience design principles are sufficient to protect stakeholders from the loss of key assets and the associated economic and national security consequences. Engineering cyber-resilient systems to combat today’s evolving threat landscape involves the following characteristics that should be considered when designing new systems or enhancing existing ones.
Cyber resilience value at the enterprise level
Due to the inherent complexity and dynamic nature of cyber-resilience techniques, initially deploying and maintaining appropriate cyber resilience can cost more than deploying and maintaining traditional cyber security measures. But despite their higher deployment and maintenance costs, cyber resilience can cost the enterprise less than traditional cyber security measures when assessed on a lifecycle-cost basis, given the ability of cyber resilience capabilities to withstand attacks and ultimately avoid costly enterprise downtime and lost revenues. A sophisticated cyber-attack designed to shut down a critical infrastructure enterprise could paralyze the enterprise for several weeks, rather than just several days with less-sophisticated attacks. Calculating the estimated potential loss of revenue and customers, compared to the cost of implementing cyber resilience design principles and techniques, is what determines whether cyber resilience is cost effective for the enterprise
Cyber resilience value at the societal level
Even if a cyber resilience investment does not yield a net economic benefit at the enterprise level, it may still yield an economic benefit at the societal level. Critical infrastructure firms who know that a shutdown of their enterprise would have ripple effects throughout the region in which they operate should be able to make that case to their governments. When an enterprise cannot make the business case for its own cyber resilience, but recognizes how dependent other enterprises are upon them, they can make the business case at the regional societal level.
Courtesy KPMG. Get the full report and PDF here