Petya’s consequences dramatically highlight risk road maps significance
Jul 5th, 2017
The cyber world is asymmetric. A few script kiddies can have the power to launch powerful world-wide, far reaching attacks as we saw with the WannaCry ransomware case. We cannot assume perpetrators will only target political or financial interests. Perpetrators could be anywhere and everywhere. From a risk management point of view, it is irrelevant whether Petya is a cyber weapon being used to carry out cyberwarfare activities or just a ransomware. However, Petya’s consequences dramatically highlight risk road maps significance insofar they may be very different than those of a ramsomware.
Petya’s infamous red screen.
Welcome to the far west of cyber criminality
In the asymmetric cyber-world small acts of vandalism can have unreasonably big consequences. Example: a small hazard (vandals with possibly little chance of success) can generate huge risks (as the consequences of their actions may have world-wide, far reaching effects by Common Cause Failures and long-chain interdependencies ).
Petya, which can be classified as a “wiper” rather than a ransomware, has reportedly affected networks and systems in 65 countries. Below is the “top-ten” tally arising so far from public news (as of June 29th ).
- The Ukrainian state power company and Kiev’s main airport were among the first to report issues.
- The Chernobyl nuclear power plant had to monitor radiation levels manually after they had to shut down the Windows systems reading their sensors.
- Kiev’s metro system stopped accepting payment cards because due to an attack.
- Copenhagen-based shipping company Maersk experienced outages in multiple IT systems and across multiple business units.
- The following companies declared an attack:
- Food giant Modelez, which makes Oreo and Toblerone.
- Netherlands-based shipping company TNT.
- Law firm DLA Piper.
- Heritage Valley Health System, a US hospital operator.
- The following companies declared impacts:
- Antonov aircraft company.
- French construction company St. Gobain.
- Pharmaceutical company Merck.
Petya attacked unpatched windows machine, i.e. likely the “usual forgotten” machines still hooked to the network (lack of asset Management, ISO 55000), the ones that did not got replaced/patched or were considered low priority to replace, based on financial considerations.
New threats are detected everyday. It is impossible to fix everything due to personnel time limitations, attackers are “everywhere” and they have time and creativity on their side.
Petya’s consequences dramatically highlight risk road maps significance
Maintaining, patching, updating and keeping a clear asset management record of the elements of a corporate or operation’s network/system is a first priority. A clear risk road-map should drive the game.
Continuous updates of the risk road map are paramount. That is because of the continuous evolution of threats on software and hardware, personnel (hacks through human error).
However risk is not only an IT issue. In fact it includes consequences of all type. They range, for example, from the inability to load the right container on a ship to the inability to retrieve an invoice. Thinking cyber risks are only an IT issue is a nonsense. Same nonsense of arguing the quality of a car is the sole driver of the risks it generates. That is without considering the operating environment, including the driver. Example: if a car swerves out of the road in a flat isolated stretch, the risk is smaller than if the traffic around it will generate multiple collisions, and one or more vehicles will fall of a cliff. It is obvious that the environment matters!
Thus and similarly, we have to evaluate multi hazards and multi-dimensional consequences deriving from the system’s environment to determine corporate/operations’ risks. Identical computers in an organization will have different task and hence consequences in case of a cyber-attack hitting them. For example: a wiped-out disk could have similar direct consequence on a harbor facility than a fire in a ship loader. In other words, the inability to load the ship. Due to inter-dependencies and indirect consequences, mitigation and downtime will however vary widely. Furthermore, ship-loaders can be replaced whereas a non backed-up wiped-out disk probably means the information is lost forever.
Closing comment
To be able to understand the possibly far-reaching consequences of a cyber attack we have to understand the big picture. Additionally, we have to look one step beyond what a given computer is performing for an the operation. We have to analyze the meta data of each computer’s relation with the others and, of course, other operation intricacies.
Petya’s consequences dramatically highlight risk road maps significance
ORE was born to solve this type of conundrums.
We have been working in this field for many years. Contact us to know more.
Tagged with: cyberwarfare, petya, ransomware, risk road maps, road maps, wiper
Category: Consequences, Mitigations, Risk analysis, Risk management, Uncategorized
Leave a Reply