How can manufacturers reduce Cyber Risk and recover following a cyber attack?
Cyber-risk and the threat of cyber-attacks were highlighted by two major incidents in 2017; the WannaCry attack in May and the Petya hack in June. These cyber-attacks caused significant damage across multiple countries. Major organisations, such as the National Health Service (NHS) in the UK suffered severe difficulties. The threat from cyber is unlikely to subside in 2018. In fact, The World Economic Forum’s (WEF) 2018 Global Risks Report highlighted cyber-risk as the third most likely risk to cause damage to businesses in 2018.
The Internet of Things (IoT) and its subset, the Industrial Internet of Things (IIoT), represent a growing source of vulnerability for manufacturers, and both systems will continue to see major growth in scale over the foreseeable future. With approximately 8.4 billion internet connected devices already in existence, and with this number expected to rise to approximately 20 billion by 2020, there are myriad opportunities for malicious actors to gain access to networks and systems.
Given that the manufacturing sector is expected to be responsible for approximately 35% of the overall usage of the Industrial Internet of Things for the period ending in 2025; manufacturers need to remain acutely aware of the threats they face, as well as how their organisations could recover should they suffer a cyber-attack.
Unfortunately, many of the existing manufacturing systems were designed to increase efficiency and productivity and not with security in mind. As such, many of the legacy systems used by the manufacturing sector are very vulnerable to cyber-risk, and could suffer significant disruption and damage if an attack occurs.
What damage can cyber-attacks cause to manufacturing facilities?
The threat that cyber-attacks pose to manufacturing facilities can result in either physical and non-physical damage, or a combination of the two. A cyber-attack on a manufacturing facility could be purely data focused, designed to steal intellectual property, whether that is unique manufacturing processes or other trade secrets. Alternatively, a cyber-attack could be designed to create physical disruption to the industrial control systems, causing machinery to malfunction or grind to a halt completely. Both examples, illustrate how a cyber-attack could have a major impact on the assets and structure of a facility.
Another example of the potential damage a cyber-attack could inflict, is the risk of a boiler being remotely forced to overheat and explode at a facility, resulting in a large-scale fire– a non-physical threat resulting in real physical damage. In this example, the targeted company is exposed to the cost of repairing or replacing the exploded boiler and the fire-damage which resulted from the boiler explosion, as well as the cost of hiring cyber-security professionals to ensure that the security-breach and any necessary security upgrades are addressed. Indeed, research tells us that the average cost of a successful cyber-attack on a manufacturing facility can be estimated at $5 million USD. Given the scale of the physical damage that cyber-attacks can cause, FM Global has considered data to be property for many years, with the result that damage caused by a cyber threat to data triggers policy coverage in the same way that damage to property from a fire or natural hazard would trigger coverage.
What steps can manufacturers take to reduce cyber-risk in their facilities?
The ability to reduce risk and recover quickly following an attack can be improved when manufacturers build resilience within their organisations. Resilience is the greatest asset that any organisation can have, and in the context of cyber-risk is particularly important – cyber-risk evolves so quickly that it is almost impossible to protect against every single threat.
The benefits of building cyber resilience are multi-faceted. This is because increased scrutiny from the public and media will be present due to the upcoming implementation of the European Union’s (EU) General Data Protection Regulation (GDPR). This could potentially amplify any reputational loss suffered following a cyber-attack.
There are a variety of steps that manufacturers can take to reduce cyber-risk in their facilities. These include:
- Training employees to ensure they are aware of how to avoid phishing and other email-based attacks – phishing attacks are one of the most common methods for external actors to gain access to a system.
- Ensuring that computer systems and other internet-connected devices are always updated with the latest patches and security features. Malware programmes are often deployed once a security-weak device has been compromised, enabling programmes to gain control over facilities through only one network-connected device.
- Conducting a thorough review of physical security at facilities. Whilst unsophisticated, an unauthorised individual who gains access to a server room could use the opportunity to steal intellectual property or damage equipment. Only select, vetted, individuals should have access to sensitive systems, and all external contractors should undergo sufficient background checks before being allowed on-site.
- Creating back-ups of valuable data off-site may help facilities to recover and begin operating normally as quickly as possible if data is corrupted or destroyed in a cyber-attack.
- Installing manual overrides for valuable pieces of machinery, so that if a cyber-attack does occur, the machinery could be de-activated before it causes damage to itself or other pieces of equipment, or employees.
Additionally, manufacturers should also create business continuity plans detailing the preferred response processes in the event of a cyber-attack. Continuity plans should highlight how relevant stakeholders, such as suppliers and customers, are contacted, how necessary back-up machinery should be acquired or utilised, as well as how employees should react. An appropriate plan could help the manufacturer create resilience, reducing the recovery time required following a cyber-attack.
Finally, manufacturers should partner with an insurer with the understanding of the risks faced within manufacturing facilities. Ideally, the insurer should be able to assess and process claims quickly to help to ensure that policyholders have the required capital to recover from a cyber breach – something that is particularly important when the cyber-attack has caused property damage and resulted in business interruption.
Benedict McKenna is the Vice President and Operations Claims Manager of London Operations at FM Global.
At FM Global we believe that resilient businesses are successful ones. Whilst cyber-attacks are evolving quickly, manufacturers should be aware that there are many steps that can be taken to mitigate the damage these attacks can cause. These steps will build resilience, allowing the manufacturer to recover quickly, minimising disruption, loss of revenue, and reputational shock over the long-term.