The cyber world is asymmetric. A few script kiddies can have the power to launch powerful, world-wide, far-reaching attacks, as we saw with the WannaCry ransomware case. We cannot assume perpetrators will only target political or financial interests. Perpetrators could be anywhere and everywhere. From a risk management point of view, it is irrelevant whether Petya is a cyber weapon being used to carry out cyberwarfare activities or just a ransomware. However, Petya’s consequences dramatically highlight the significance of risk road maps, insofar as they may be very different from those of a ransomware.
In the asymmetric cyber world, small acts of vandalism can have unreasonably big consequences. Example: a small hazard (vandals with possibly little chance of success) can generate huge risks (as the consequences of their actions may have world-wide, far-reaching effects through Common Cause Failures and long-chain interdependencies).
Petya, which can be classified as a “wiper” rather than a ransomware, has reportedly affected networks and systems in 65 countries. Below is the “top-ten” tally we have compiled so far from public news (as of June 29th).
Petya attacked unpatched Windows machines, i.e. likely the “usual forgotten” machines still hooked to the network (lack of asset management, ISO 55000), the ones that did not get replaced or patched, or were considered low priority to replace, based on financial considerations.
New threats are detected every day. It is impossible to fix everything, as personnel time is limited, attackers are “everywhere” and they have time and creativity on their side.
Maintaining, patching, updating and keeping a clear asset management record of the elements of a corporate or operation’s network/system is a first priority which should be driven by a clear risk road-map.
The risk road map has to be updated continually, as threats to software, hardware and personnel (hacks through human error) are continually detected and evolving.
However, risk is not (only) an IT issue, as it includes consequences of all types, ranging, for example, from the inability to load the right container on a ship to being unable to retrieve an invoice. Thinking cyber risks are only an IT issue is nonsense. It is the same nonsense as arguing that the risks generated by a car are solely driven by the quality of the car, without considering the operating environment, including the driver. Example: if a car swerves off the road on a flat, isolated stretch, the risk is smaller than if the traffic around it generates multiple collisions and one or more vehicles fall off a cliff. It is obvious that the environment matters!
Similarly, we have to evaluate multiple hazards and multi-dimensional consequences deriving from the system’s environment to determine corporate or operational risks. Identical computers in an organization will have different tasks, and hence different consequences if a cyber attack hits them. Example: a wiped-out disk could have a direct consequence on a harbor facility similar to that of a fire in a ship loader (inability to load the ship). Due to interdependencies and indirect consequences, mitigation and downtime will however vary widely. Furthermore, the ship loader could be replaced, whereas a wiped-out disk that was not backed up could mean that the information is lost forever.
To be able to understand the possibly far-reaching consequences of a cyber attack, we have to understand the big picture and look one step beyond the simple question of what a given computer is performing for the operation. We have to analyze the metadata of each computer’s relations with the others and with the other intricacies of the operation.
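The interdependency analysis described above can be sketched as a walk over a dependency graph. This is an added example, not code from the original post or from ORE; the host names, dependency edges and the ranking order are constructed assumptions for a harbor-style operation.

```python
from collections import deque

# Constructed inventory: three similar workstations with different roles.
ASSETS = {
    "ws-gate-01":   {"patched": False, "backed_up": True},
    "ws-plan-01":   {"patched": False, "backed_up": False},
    "ws-office-07": {"patched": True,  "backed_up": True},
}

# Constructed edges: key -> functions that stop working if the key is lost.
DEPENDENTS = {
    "ws-gate-01":   ["gate-control"],
    "gate-control": ["truck-intake"],
    "truck-intake": ["ship-loading"],
    "ws-plan-01":   ["stowage-plan"],
    "stowage-plan": ["ship-loading"],
    "ship-loading": ["invoicing"],
    "ws-office-07": ["invoicing"],
}

def downstream(node):
    """Return every function reachable from node (indirect consequences)."""
    seen, queue = set(), deque([node])
    while queue:
        for nxt in DEPENDENTS.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def rank_assets():
    """Order hosts for the road map: exposed first, then unrecoverable,
    then widest downstream reach (an assumed ordering, not a standard)."""
    rows = [
        {
            "host": host,
            "exposed": not meta["patched"],
            "recoverable": meta["backed_up"],
            "affected": sorted(downstream(host)),
        }
        for host, meta in ASSETS.items()
    ]
    rows.sort(key=lambda r: (not r["exposed"], r["recoverable"], -len(r["affected"])))
    return rows

if __name__ == "__main__":
    for row in rank_assets():
        print(row["host"], "exposed" if row["exposed"] else "patched",
              "backup" if row["recoverable"] else "NO BACKUP", row["affected"])
```

The unpatched planning workstation ranks first even though the gate workstation reaches more functions, because its data cannot be restored once wiped.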
Petya’s consequences dramatically highlight the significance of risk road maps
ORE was born to solve this type of conundrum.
We have been working in this field for many years. Contact us to know more.