Petya’s consequences dramatically highlight risk road maps significance

Jul 5th, 2017

The cyber world is asymmetric. A few script kiddies can have the power to launch powerful, world-wide, far-reaching attacks, as we saw with the WannaCry ransomware case. We cannot assume perpetrators will only target political or financial interests. Perpetrators could be anywhere and everywhere. From a risk management point of view, it is irrelevant whether Petya is a cyber weapon being used to carry out cyberwarfare activities or just ransomware. However, Petya’s consequences dramatically highlight the significance of risk road maps, insofar as they may be very different from those of ransomware.

Petya’s infamous red screen.

Welcome to the far west of cyber criminality

In the asymmetric cyber-world, small acts of vandalism can have unreasonably big consequences. Example: a small hazard (vandals with possibly little chance of success) can generate huge risks (as the consequences of their actions may have world-wide, far-reaching effects through Common Cause Failures and long-chain interdependencies).

Petya, which can be classified as a “wiper” rather than ransomware, has reportedly affected networks and systems in 65 countries. Below is the “top-ten” tally we have compiled so far from public news (as of June 29th).

  • The Ukrainian state power company and Kiev’s main airport were among the first to report issues.
  • The Chernobyl nuclear power plant was forced to monitor radiation levels manually after they had to shut down the Windows systems used by their sensors.
  • Kiev’s metro system stopped accepting payment cards because they were affected.
  • Copenhagen-based shipping company Maersk experienced outages in multiple IT systems and across multiple business units.
  • The following companies declared being hit:
    • Food giant Mondelez, which makes Oreo and Toblerone.
    • Netherlands-based shipping company TNT.
    • Law firm DLA Piper.
    • Heritage Valley Health System, a US hospital operator.
  • The following companies declared being affected:
    • Antonov aircraft company.
    • French construction company St. Gobain.
    • Pharmaceutical company Merck.

Petya attacked unpatched Windows machines, i.e. likely the “usual forgotten” machines still hooked to the network (lack of asset management, ISO 55000), the ones that did not get replaced or patched, or were considered low priority to replace based on financial considerations.

New threats are detected every day. It is impossible to fix everything, as personnel time is limited, attackers are “everywhere” and they have time and creativity on their side.

Maintaining, patching, updating and keeping a clear asset management record of the elements of a corporate or operation’s network/system is a first priority which should be driven by a clear risk road-map.

The risk road map has to be updated continually, as threats to software, hardware and personnel (hacks through human error) are continually detected and evolving.

However, risk is not (only) an IT issue, as it includes consequences of all types, ranging, for example, from the inability to load the right container on a ship to being unable to retrieve an invoice. Thinking cyber risks are only an IT issue is nonsense. It is the same nonsense as arguing that the risks generated by a car are solely driven by the quality of the car, without considering the operating environment, including the driver. Example: if a car swerves off the road on a flat, isolated stretch, the risk is smaller than if the traffic around it generates multiple collisions and one or more vehicles fall off a cliff. It is obvious that the environment matters!

Thus, and similarly, we have to evaluate multiple hazards and multi-dimensional consequences deriving from the system’s environment to determine corporate/operations’ risks. Identical computers in an organization will have different tasks and hence different consequences in case of a cyber-attack hitting them. Example: a wiped-out disk could have a similar direct consequence on a harbor facility as a fire in a ship loader (inability to load the ship). Due to interdependencies and indirect consequences, however, mitigation and downtime will vary widely. Furthermore, the ship loader could be replaced, whereas a wiped-out disk that was not backed up could mean that the information is lost forever.

Closing comment

To be able to understand the possibly far-reaching consequences of a cyber attack, we have to understand the big picture and look one step beyond the simple question of what a given computer is performing for the operation. We have to analyze the metadata of each computer’s relation with the others and the operation’s other intricacies.
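The argument above, that identical computers carry different consequences depending on what relies on them, can be made concrete with a small dependency model. This is an added example, not Riskope's or ORE's method; the asset names, dependency edges, cost figures and restore times are all constructed assumptions.

```python
from collections import deque

# Constructed inventory (hypothetical names): identical PCs, different roles.
ASSETS = {
    "pc-loader-ctrl": {"patched": False, "backed_up": False},
    "pc-invoicing":   {"patched": False, "backed_up": True},
    "pc-reception":   {"patched": True,  "backed_up": True},
}
# Constructed edges: key is needed by each listed asset or operation.
NEEDED_BY = {
    "pc-loader-ctrl": ["ship-loader"],
    "ship-loader": ["load-vessel"],
    "load-vessel": ["berth-schedule", "customer-delivery"],
    "pc-invoicing": ["retrieve-invoice"],
    "pc-reception": [],
}
# Constructed consequence per hour of outage, in arbitrary cost units.
COST_PER_HOUR = {"load-vessel": 50, "berth-schedule": 20,
                 "customer-delivery": 30, "retrieve-invoice": 5}
# Assumed downtime: restore from backup (True) vs rebuild from scratch (False).
RESTORE_HOURS = {True: 8, False: 72}

def downstream(node):
    """Everything that transitively depends on node (breadth-first walk)."""
    seen, queue = set(), deque([node])
    while queue:
        for nxt in NEEDED_BY.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def wipe_consequence(asset):
    """Consequence of a wiped disk on one asset, including indirect effects."""
    backed_up = ASSETS[asset]["backed_up"]
    hours = RESTORE_HOURS[backed_up]
    hit = downstream(asset)
    cost = hours * sum(COST_PER_HOUR.get(n, 0) for n in hit)
    return {"affected": sorted(hit), "downtime_h": hours,
            "cost": cost, "data_lost": not backed_up}

def patch_priority():
    """Unpatched assets ranked by consequence, not by machine type."""
    exposed = [a for a, meta in ASSETS.items() if not meta["patched"]]
    return sorted(exposed, key=lambda a: wipe_consequence(a)["cost"],
                  reverse=True)
```

With these constructed figures, the two unpatched PCs are the same hardware, yet the loader controller outranks the invoicing PC by a wide margin once downstream operations and the missing backup are counted.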

ORE was born to solve this type of conundrum.

We have been working in this field for many years. Contact us to know more.
