Brokers need to raise awareness about industrial IoT risk

‘Sadly, we’re quite far behind on this …’


By Bethan Moorcraft

The manufacturing industry in Canada is transitioning into the digital era. With the influx of Internet of Things (IoT)-connected technologies, manufacturers are now able to connect their industrial control systems (ICS) to central control networks, which means they can gather, store and monitor data with much greater efficiency than ever before. However, as manufacturing firms become digital hubs, the primary focus behind these ‘smart’ investments is often utility rather than security, which means many manufacturing firms remain vulnerable to cyberattacks and data breaches.

In recent years, there have been lots of examples around the world of malware targeting ICS. In 2010, a malicious computer worm called Stuxnet was discovered in Iran. The malware targeted supervisory control and data acquisition (SCADA) systems (part of the ICS), and is thought to have caused substantial damage to Iran’s nuclear program. It has been suggested that Stuxnet was an American/Israeli cyberweapon and was therefore state-sponsored – a trend not too uncommon when it comes to industrial cyberattacks, according to Debbie Hobbs, practice leader at EmergIn Risk.

“We had a very big year in 2017 with WannaCry and NotPetya. Where these cyberattacks are a bit different from an ICS standpoint is that they aren’t generally carried out by standard hackers; a lot of them are state-sponsored,” Hobbs said. “For me, the Triton malware [discovered in 2017] represents a real step in the sophistication of ICS attacks. Triton was the first [malicious software to target] safety instrumental systems (SIS). It was discovered in a petrochemical plant in Saudi Arabia and, fortunately, it was unsuccessful. It was directed at the SIS system, which is the last line of automated safety defence for industrious systems. It’s what stops equipment from failing in catastrophic events – and now we’re seeing that being specifically targeted by hackers. It’s a scary world.”

Another piece of malware threatening industries around the world is Emotet. It was originally designed as banking malware to steal sensitive and private information from computers. Now, the Emotet trojan has evolved to become a major threat to all industry sectors. It has worm-like capabilities that enable it to spread within a network and carry out different kinds of attack, including ransomware, denial-of-service, bank fraud and so on. If industrial technology is hit with Emotet malware, this could lead to severe operational and financial disruption.

“There’s lots of white hacking going on with good guys testing various ICS. We read a lot more about vulnerabilities in these industrial systems from researchers that are interested in how things can be disrupted than we actually do from incidents. But [we cannot ignore that] this is a world where the main aim for an ICS attack is to control and manipulate without detection. Unfortunately, the way the world is set politically, international criminals are able to operate state-sponsored attacks pretty much with impunity,” commented Neil Hare-Brown, founder and CEO of STORM Guidance.

While the insurance industry can do little to prevent state-sponsored industrial cyberattacks, it can do more to help manufacturers understand cyber best practices and the benefits of cyber insurance, according to Brett Warburton-Smith, partner, global professional & financial risks, Lockton.

“Sadly, I think we’re quite far behind on this. Anecdotally, if we look at the [cyber] insurance market, yes, there’s been a huge uptick in interest around the world, but is the understanding there? Having grown-up, deep conversations about these risks is very important and I think it’s our responsibility as an industry to go out there and raise awareness,” he said. “I think we could potentially see some very fundamental losses come through the market in the near future, which will force a change in behaviour and will change the quality of the conversations we’re having with our clients and prospective clients.”

Changes in behaviour often come down to education and money. Where Warburton-Smith claims to have seen some traction is when senior stakeholders from outside of an organization start to take interest in the company’s cybersecurity. They’re raising concerns with risk managers and chief information security officers about integral infrastructure failures and highlighting the financial losses such core failures could cause. 

“It’s our responsibility to have those conversations as brokers with our clients to raise awareness. I think a lot of it comes back to the distraction that a cyber incident can have on the business and the consequential loss, which is the business interruption (BI) loss,” Warburton-Smith added. “You start having that BI conversation with a risk manager and you suddenly see the light turning on because they understand what BI is. It’s then educating the risk manager, so they understand the scope of cyber insurance coverage and the fact that there’s a tangible risk that could result in serious losses if they fail to address it properly.”
