The cyber world is asymmetric. A few script kiddies can have the power to launch powerful, far-reaching, world-wide attacks, as we saw in the WannaCry ransomware case. We cannot assume perpetrators will only target political or financial interests. Perpetrators could be anywhere and everywhere. From a risk management point of view, it is irrelevant whether Petya is a cyber weapon used to carry out cyberwarfare activities or just ransomware. However, Petya’s consequences dramatically highlight the significance of risk road maps, insofar as they may be very different from those of ransomware.
In the asymmetric cyber-world, small acts of vandalism can have unreasonably big consequences. Example: a small hazard (vandals with possibly little chance of success) can generate huge risks (as the consequences of their actions may have world-wide, far-reaching effects through Common Cause Failures and long-chain interdependencies).
Petya, which can be classified as a “wiper” rather than ransomware, has reportedly affected networks and systems in 65 countries. Below is the “top-ten” tally arising so far from public news (as of June 29th).
Petya attacked unpatched Windows machines, i.e. likely the “usual forgotten” machines still hooked to the network (lack of asset management, ISO 55000), the ones that did not get replaced or patched, or were considered low priority to replace, based on financial considerations.
New threats are detected every day. It is impossible to fix everything due to personnel time limitations; attackers are “everywhere” and they have time and creativity on their side.
Maintaining, patching, updating and keeping a clear asset management record of the elements of a corporate or operation’s network/system is a first priority. A clear risk road-map should drive the game.
Continuous updates of the risk road map are paramount, because threats to software, hardware and personnel (hacks through human error) evolve continuously.
However, risk is not only an IT issue. In fact, it includes consequences of all types. They range, for example, from the inability to load the right container on a ship to the inability to retrieve an invoice. Thinking cyber risks are only an IT issue is nonsense. It is the same nonsense as arguing that the quality of a car is the sole driver of the risks it generates, without considering the operating environment, including the driver. Example: if a car swerves off the road on a flat, isolated stretch, the risk is smaller than if the traffic around it generates multiple collisions and one or more vehicles fall off a cliff. It is obvious that the environment matters!
Similarly, we have to evaluate multiple hazards and multi-dimensional consequences deriving from the system’s environment to determine corporate/operations’ risks. Identical computers in an organization will have different tasks and hence different consequences if a cyber-attack hits them. For example: a wiped-out disk could have a direct consequence on a harbor facility similar to that of a fire in a ship loader, namely the inability to load the ship. Due to inter-dependencies and indirect consequences, mitigation and downtime will however vary widely. Furthermore, ship loaders can be replaced, whereas a wiped-out disk without a backup probably means the information is lost forever.
To understand the possibly far-reaching consequences of a cyber attack, we have to understand the big picture. Additionally, we have to look one step beyond what a given computer performs for the operation. We have to analyze the metadata of each computer’s relations with the others and, of course, other intricacies of the operation.
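As an added illustration (not from the original post, and not the ORE methodology), the sketch below walks a dependency graph from each unpatched host to show how identical machines carry different consequences. The host names, dependency edges and the ranking rule (unrecoverable data first, then widest downstream impact) are constructed assumptions.

```python
from collections import deque

# Constructed inventory (hypothetical hosts): three identical, unpatched
# workstations plus one patched server.
HOSTS = {
    "ws-yard-plan": {"model": "PC-A", "patched": False, "backed_up": True},
    "ws-archive": {"model": "PC-A", "patched": False, "backed_up": False},
    "ws-lobby": {"model": "PC-A", "patched": False, "backed_up": True},
    "srv-billing": {"model": "SRV-B", "patched": True, "backed_up": True},
}

# Constructed dependency edges: key -> what stops working if the key is lost.
DEPENDENTS = {
    "ws-yard-plan": ["loader-control"],
    "loader-control": ["container-loading"],
    "container-loading": ["vessel-departure", "invoicing"],
    "ws-archive": ["invoice-retrieval"],
    "srv-billing": ["invoicing"],
}


def downstream(node, dependents):
    """Everything reachable from node along dependency edges (long chains)."""
    seen, queue = set(), deque([node])
    while queue:
        for nxt in dependents.get(queue.popleft(), []):
            if nxt not in seen:  # the seen set also guards against cycles
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure(hosts, dependents):
    """Rank unpatched hosts by what a wiped disk on each would take down."""
    rows = []
    for name, host in hosts.items():
        if host["patched"]:
            continue
        rows.append({
            "host": name,
            "impacted": sorted(downstream(name, dependents)),
            "data_lost_forever": not host["backed_up"],
        })
    # Assumed ranking: unrecoverable data first, then widest downstream impact.
    rows.sort(key=lambda r: (not r["data_lost_forever"],
                             -len(r["impacted"]), r["host"]))
    return rows


if __name__ == "__main__":
    for row in exposure(HOSTS, DEPENDENTS):
        print(row)
```

The three workstations share the same model and patch state, yet one stops vessel departures, one loses invoice records permanently, and one affects nothing downstream.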
ORE was born to solve this type of conundrum.
We have been working in this field for many years. Contact us to know more.