In the age of ransomware, CFOs need to reassess their cyber physical security risk

I know what you are thinking…not another blog about the Colonial Pipeline and Darkside. We will save you from that. Their “15 minutes of fame (or infamy)” are up (hopefully). But the innovative business (or criminal, if you prefer) models behind ransomware-as-a-service and other new practices, the fundamental increase in reliance on vulnerable IT systems by physical process controls, and the evolving cyber insurance market mean that every industrial organization needs to reassess its risk matrix to take into account these cyber physical system “black swan” events which may be much more gray or “off-white” than truly black.

First, a note about the term “cyber physical”. About 18 months ago, Gartner analysts began to refer to “OT” or “ICS” cyber security as “cyber physical” security. While they weren’t the first, the Gartner cache carries a good amount of weight, and therefore, the term has started to gain momentum. For many people who work on OT and ICS systems, however, “cyber physical” sounds like some buzzword created by marketing people to make them sound cool. No one who runs a plant or a transportation system or a transmission grid ever referred to what they do as “cyber physical engineering”.  But the reality of Colonial Pipeline, MillerCoors, Westrock, Honda, and another 30 or 40 industrial ransomware incidents in the past year makes clear that the term does describe the risks appropriately.

Whether or not the attackers breached the “OT” systems, the effect was to shut down the manufacturing processes. In some cases, this was self-imposed due to an “abundance of caution” that the malware might spread and do more damage. In others, it was due to the fact that operations relies on many systems traditionally defined as “IT” to produce effectively – supply chain connections, pricing and revenue collection, payroll, etc. The reality is that even without “IT-OT convergence” in the technical sense, we already have it from a business sense. IT threats in industrial businesses can have operational impacts.  Hence the term cyber physical rather than “OT” can be appropriate.

Now, to why the past year’s events should make every industrial CFO and board audit or risk committee reassess their risk models.

The reality: cyber physical security risks are accelerating much faster than boards or CFOs realize and have already likely reset the risk matrix for most industrial organizations, perhaps without them realizing it. Audit & Risk committees and CFOs regularly review current risks and new and emerging threats to the company. Emerging risks from climate change, evolving terrorist threats around the world, and core cyber security have become more prevalent in the past decade. However, the shifting tectonic risk-plates of cyber-threat business model innovation, cyber insurance maturity, and IT-OT convergence have changed the risk profiles for most industrial organizations radically in the past 12 months – and will continue to do so over the next 2-3 years.

Cyber Physical Threat Business Model Innovation

One of the findings from the 9/11 commission was that one contributing factor to the U.S.’s lack of preparedness was a failure of imagination in how innovative the “bad guys” can be. This is absolutely true in the world of cyber physical systems. (Please note that by using the term ‘innovative’ we are not making a moral judgment that this is anything other than criminal behavior, but even criminals can be innovative).  Unlike most other threats to industrial organizations, the cyber physical security threat innovates to try to find new ways of hurting you. Climate change doesn’t innovate to make things worse. Hurricanes don’t invent new “business models” to make the wind blow stronger. Threat actors, however, innovate specifically to cause harm.

This innovation is accelerating at rapid pace. Before May 1^st 2021, most industrial CFOs and Audit committee chairs may not have known of Darkside or the term “ransomware-as-a-service”. Now it is on every board agenda. But this is just the one of the new business models. The reality is that the cyber criminal industry is forming and reforming continually, looking for new ways to make money – and perhaps cause societal impact when paid by the right group.

As the prices of personal information has declined given the supply that now exists, new forms of value creation have emerged – ransomware, data-leak extortion, IP theft, etc. are all ways of monetizing the attack tools. Platforms arise, such as Darkside, ReVil and others to enable third parties with access or an “angle” into the organization to share in the profits.  Our colleague Ron Brash likened cyber criminals to the Barbary pirates working privately but in conjunction with governments from time to time when their interests – or pocketbooks – aligned.

For the past 10 years or so, industrial organizations (other than power companies and some critical facilities) have ridden under the radar given the profit focus on personal information theft.  The landscape has shifted, however, as ransom, extortion, and other revenue models emerge. Industrial organizations are now the prime targets. Companies that make something or have to deliver a service using production systems have a much greater urgency to recover their data. And because they were not on the front-lines historically, their defenses are lower than similarly sized and situated financial or retail firms.

So cyber physical security has to become a greater focus of risk committees of industrial organizations.

IT-OT Convergence

The rapid acceleration of IT-OT convergence means that industrial organizations are potentially adding to their risks at just the same time as new business models are now targeting them to a greater extent. IT-OT convergence is not an option. It already exists in almost every industrial organization. As mentioned above, cyber physical systems are intertwined with IT systems from billing to supply chain to HR. However, Industry 4.0 and similar initiatives are increasing these connections – all in the productive pursuit of efficiency and innovation – and thereby the risks to the cyber physical systems themselves.

The notion of the “air-gap” was never real in practice in most organizations. But in many industrial processes the critical processes were self-contained at a plant or within a line. Advanced manufacturing, cloud analytics, etc. increase connections and, all other things being equal, the risk of intrusion.

Several recent client examples highlight this growing trend:

• Windfarms connected to vendors cloud infrastructure to enable advanced analytics on turbine performance AND then an inbound connection to make changes to tune the turbine for optimum performance
• OEM vendors including LTE or 5G modems in the backplane of controllers or stand alone to enable process data to stream directly to the cloud with no limitation on inbound paths from the cloud
• Connectivity of remote, formerly serially connected devices and lines to enable better uptime and process visibility to increase predictive information to reduce outages.

All of these and thousands of other use cases can have great ROIs. But at the same time are creating – or expanding –exposure to cyber physical system threats.

Cyber Insurance Reset

Three years ago we met with a very senior insurance executive who bemoaned the market inefficiency as new entrants were pricing cyber risk at what he believed was below the real risk rate due to a lack of robust historical claims data.  Three years later, the market has dramatically hardened as claims data has started to come back. This has led to a 50% increase for some customers – and potentially more coming in the next two to three years. Our recent blog highlights the growing challenges of cyber insurance.

The practical reality for industrial CFOs and Audit & Risk Committees is that insurers are now going to ask many more questions about the cyber physical systems risks that they are covering. The Colonial Pipeline is only one (albeit very famous) incident. Cyber insurers know of hundreds more from claims databases both in ransoms paid as well as recovery and incident response costs incurred. They will start to expect the same level of security management in the OT systems as in the IT ones. And they will expect to understand how those systems interact so that even if the threat does not cross the “boundary” what is the operational implication of the IT system attack. Further, AXA in Europe has already announced that they will no longer cover ransomware payments in an effort to reduce the attractiveness of ransomware to attackers. The result may mean a dearth of ransom insurance availability.

This shift will likely cause industrial organizations to need a much deeper assessment of their own risks to know how much and what to insure.

***

These three elements are radically shifting industrial organizations’ risk matrix. This is not an evolving threat like climate change or the aging of the workforce. This is a revolution in risk that can have massive consequences on financial performance as well as trust from supply chain partners. Imagine a JIT plant hit with ransomware and being down for 6 weeks and the impact on that company’s reputation.  Cyber physical systems resilience may even become a strategic advantage.

Industrial company boards and CFOs need to make this a priority to reassess their current cyber physical security threat risk and refine strategies to reduce that risk strategically.