Cyber criminals are well known for attacking the computer software of companies to breach their information systems. Now they are increasingly discovering the potential of disrupting manufacturing facilities or power plants, as well as other vital infrastructure, through denial-of-service attacks or other security compromises.

Industrial automation has increased the potential impact cyber criminals can have on a company’s operations. While in the past, critical infrastructure and operational technology were often separate from the general computer networks, those worlds are converging more and more. This inter-connectivity creates new opportunities for hackers with potentially disastrous consequences.

A rising threat

The deployment of destructive malware, software which can render systems inoperable, is on the rise, according to IBM’s X-Force Incident Response and Intelligence Services (IRIS) (opens a new window). Such attacks can wreak havoc on innumerable devices instantaneously, bringing entire businesses to their knees.

X-Force IRIS noted a 200 percent increase in the number of destructive attacks in the first half of 2019 compared to the previous six months.

Destructive malware incidents are costing a large multinational company $239 million on average; 61 times greater than the average cost of a data breach ($3.92 million), according to the report (opens a new window). A single destructive attack destroys, on average, 12,000 machines per organisationSuch destructive attacks on average require 512 hours from their incident response team and, more often than not, also require the use of multiple consultants to handle the response and remediation.

A business affected by a disruption to its computer network system will experience loss of production (and therefore loss of revenue), significant breach response costs, possible exposure to third parties, diminution of market share, damage to corporate reputation – the list goes on. One potential additional cost to consider is a ransom demanded by cybercriminal attackers, ostensibly in exchange for allowing the business to regain access to its computer. Many destructive attacks often include "wiper" malware to increase the pressure on victims to pay the ransom. To pay or not to pay? Now that really is the question.

The Norsk Hydro event

A case that has spread ripples across the corporate world recently is that of global aluminium producer Norsk Hydro. The company fell victim of a cyber-attack that brought much of its global production facilities to a halt.

It is believed that once inside Norsk Hydro’s computer system hackers spent weeks exploring the group's IT systems, seeking out weaknesses. When the criminals finally launched their ransomware attack on March 19, 2019, it hit 22,000 computers across 170 different sites in 40 different countries. A note appeared on computers, which read: "Your files have been encrypted with the strongest military algorithms... without our special decoder it is impossible to restore the data."

When faced with the ultimate question, Hydro was steadfast. It refused to pay (opens a new window) the demanded ransom. Instead, production lines shaping molten metal were switched to manual functions, and the company reverted to "the old-fashioned way" of doing business, relying on long-since retired staff, manual procedures and archived paperwork.

Remarkably, while most companies are understandably cagey after falling victim of a cyber-attack, Norsk Hydro has been entirely transparent (opens a new window) in its communication. The strong message was that it was not going to let the criminals win.

The attack affected Hydro’s entire global organisation, but having pooled all available resources (both internal and external) with an enforced 24/7 focus on manual procedures and old-school systems, the Norwegian firm was eventually able to bring manufacturing process back to normal.

Norsk was able to restore PCs and servers across the company following a security cleanse, restoration, rebuild and review.

Nevertheless, the company lost NOK400-450 million ($44-$49 million) between March 19 and 31 due to the attack.

Overall, Hydro has estimated the total cost of the attack to be in the range NOK550 million-NOK 650 million ($60-$71 million), noting that it has a "robust" cyber insurance in place.

How to mitigate the risk

Risks of a breach are manifold for computerised systems used to control industrial operations. Another high-profile attack was the 2010 Stuxnet worm malware, which targeted Iran’s nuclear facilities. Further, operations at the food company Mondelez and drug maker Merck were disrupted by the 2017 ransomware attack dubbed NotPetya.

For companies involved in critical infrastructure such as dams, energy, oil and gas facilities, the risks may be even higher (opens a new window) as they may also attract nation state hackers and not just those seeking financial gain.

Businesses must prepare for potential cyber events by managing their cyber-security exposure. This means assessing systems and ensuring staff are aware where the network vulnerabilities lie, testing and monitoring those systems and developing a strategy for the worst-case scenario. Strategies in the event of a cyber-attack might include isolating the most critical systems, developing off-band communication techniques (that, incidentally  are NOT itemised in an Incident Response Plan) and even ensuring access to outdated paper records and contact phone numbers for long-since retired workers!

That said, the sad reality is that no amount of IT security can provide 100% protection; specialist cyber cover is the final piece of the cyber resilience jigsaw. Lockton can provide cyber risk insurance based on proprietary wordings and negotiated advantageous terms.

In addition to developing highly competitive and bespoke risk solutions, Lockton offers access to in-house information security expertise as well as additional cover ranging from technology errors and omissions to media liability.