Cyber attacks leave physical consequences
Feb 19th, 2020
We are pleased to see that FM Global recognizes the fact that cyber attacks leave physical consequences.
Some context on physical consequences
Last year, in 2019, we wrote about an aluminum maker forced to shut down operations because of a ransomware attack.
For a long time, successful attacks on industrial systems seemed to remain “isolated exploits”. For example, in 2014 hackers struck a steel mill in Germany. They did so by manipulating and disrupting the industrial control systems (ICS) to such a degree that a blast furnace could not be properly shut down, resulting in reportedly “massive” damage.
More recently, the aluminum producer in Norway mentioned above was brought to the brink of a full shutdown.
Then Triton (also known as Trisis), malware targeting the Triconex product line made by Schneider Electric, came to light. The targeted systems provide emergency shutdown in critical industrial processes. Thus, they are Safety Instrumented Systems (SIS), comprising hardware and software components. Impairing such a safety system removes the last layer of protection, so a process malfunction that would normally be contained can run its course with unmitigated consequences.
Power plants and gas refineries are among the users of the Triconex product line and of SIS in general.
Furthermore, a major mining corporation hacking scenario we had predicted and explained in 2012 occurred in 2016. Indeed, Goldcorp’s (TSX:G) payroll, trade secrets, and other sensitive information leaked on a torrent, free for anyone to download.
Predictable event: Cyber attacks leave physical consequences?
It is useful to define two terms. The first one is predictability. Predictability is the state of knowing what something is like, when something will happen, and so on. We apply it to hazards: can we predict the magnitude and the frequency of a hazard? The answer is yes to both! And in the case of cyber attacks, the chance that at least one of the very numerous attempts succeeds, despite all the IT defenses, is appallingly high, largely due to human factors.
Foreseeable event: Cyber attacks leave physical consequences?
Let’s now define the second term: foreseeability. Foreseeability is the ability to perceive, know in advance, or reasonably anticipate that damage or injury will probably ensue from acts or omissions. A foreseeable event or situation is one that can be known about or guessed before it happens. We apply it to consequences: can we foresee the damage generated by a (predicted) hazard hit, based on present or future mitigation and policies/actions? For some hazards hitting complex systems, enhancing foreseeability requires a careful analysis of interdependencies and domino effects. Cyber hazards belong to this group. Thus, provided we understand the system and develop careful and complete analyses, we can say that cyber attacks are rather foreseeable. Of course, we need to measure consequences in multiple “dimensions”, as detailed in prior posts.
Need for convergent ERM
An ERM (Enterprise Risk Management) deployment looks at the enterprise as a system. A system is a group of interrelated elements, procedures and organizations geared toward achieving a goal or objective. For example, a railroad network has fixed and moving assets. It is geared toward carrying passengers and/or freight from multiple sources to multiple destinations. It uses power, fuel, IT, manpower and various types of infrastructure.
In addition, any system has four types of interdependencies, the last of which is geographical.
Enterprise Risk Management (ERM) approaches have to consider them all.
This is why cyber risks cannot sit in an “Information Technology (IT) silo”; we have to treat them as an ERM component. Hence the need to deploy convergent approaches to ERM. As we showed in a previous post, IT silos lead to inefficiencies and possibly to overexposure to risks.
Digital transformation means significant benefits and critical risks
Digital transformation offers a way to address productivity and margin challenges. Thus, it can enhance bottom-line value.
However, the cyber world is asymmetric insofar as a few “Davids” can significantly hamper the “Goliaths” of this world. The WannaCry ransomware of 2017 was an example.
Perpetrators attack anything they fancy, from anywhere and everywhere.
For risk management purposes, the attack vector is irrelevant from a predictability point of view (an attack will come regardless of the path it takes), but very important from the foreseeability angle, because the vector determines which systems are hit first and therefore which consequences follow.
As we wrote in this blog back in 2015, mining is in transition from the electro-mechanical era toward the cyber-informational one. Cyber risks are relevant, and one should include them in any operation’s risk assessment and ERM deployment.
IT, the Internet of Things (IoT), and connectivity significantly benefit mining. However, they increase the industry’s exposure to cyber hazards. This phenomenon is general and occurs in every industrial, infrastructural and service sector, not only in mining.
A management conundrum
At Riskope we have worked on country-wide risk assessments and included cyber risks in our multi-hazard approaches using ORE.
Indeed, infrastructural damages, especially those with environmental or health consequences, will lead to significant crisis potential, reputational damage and legal consequences. Cyber risks in mining, oil and gas companies are a reality one cannot ignore.
Any manager can be tempted to invest in “technological solutions”. There has been, and still is, a lot of interest in technological mitigation of cyber risk. That kind of “pure-IT” attitude forgets, however, that the easiest way to create havoc in cyber systems often runs through their “power feeds”. And the consequences are far from stopping at IT.
The financial implications of this capital squandering are so significant that cyber-protection costs were expected to exceed benefits by 2019. Yes, that was last year!
Indeed, as shown by these latest attacks, cyber, natural and man-made hazards generate risks that siloed approaches cannot tackle. Indeed:
- Cyber risks are not only an IT issue, hence the need for convergent approaches.
- Cyber attacks can generate physical harm through direct or indirect hits.
- Systemic analyses are paramount to foster better decision-making, and finally
- Sustainability and value increase with the use of convergent risk assessments.
Tagged with: convergent ERM, Cyber attacks, Foreseeable, industrial systems, physical consequences, Predictable
Category: Consequences, Probabilities, Risk analysis, Risk management, Uncategorized