Cyber Risk – Trends and Critical Infrastructure

The U.S. federal government, banks, and businesses are spending big bucks in a war against hackers and cyber criminals. Cybersecurity budgets are rising in all industries alongside the cyber crime figures. Consider some of the latest market summary and forecast data:

  • British insurance company Lloyd’s estimated that cyber attacks currently cost businesses as much as $400 billion a year, a growing figure that includes direct damage plus post-attack disruption to the normal course of business.
  • Juniper Research recently predicted that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, almost four times the estimated cost of breaches in 2015.
  • The global cybersecurity market reached $75 billion in 2015, and it is expected to reach $175 billion by 2020.

The 2015 Cost of Data Breach Study by IBM and the Ponemon Institute found that the average total cost of a data breach was $3.79 million – up from $3.52 million in 2014. Even technology companies have been victims, leaving themselves exposed and failing to adequately defend themselves. Examples of well-known companies and recent breaches:

  • Yahoo confirmed recently that more than 500 million of its user accounts have been stolen – the largest data breach from a single site in history. The hack is said to have actually occurred in late 2014, which means it took the company two years to realize there had been a breach.
  • Marketing firm Epsilon was struck by hackers back in 2011, in a breach believed to be the most costly in history, with estimates varying between $100 million and $4 billion. Thieves stole names and email addresses from the company’s marketing division, affecting clients that included JPMorgan Chase, Capital One, Citi, and Target.

Ransomware is a growing threat in which a company is locked out of its files and is only allowed access once a ransom has been paid. Online extortion is on the rise, as criminals use a variety of attack vectors, including exploit kits, malicious files, and links in spam messages, to infect systems with ransomware. Once all the files have been encrypted, victims can either try to recover the files on their own or pay the ransom.

While there have been some exceptions, victims are seldom able to break the encryption and restore access. More often, successful circumvention of a ransomware attack involves wiping the affected systems and promptly restoring everything from clean backups. This is not a security decision — it’s a business decision.

Critical Infrastructure
A U.S. Government cyber security official has warned that they have seen an increase in attacks that penetrate industrial control systems, stating “industries are vulnerable because they are exposed to the Internet.” To cause serious damage and destruction, a cyber attack only has to hack into a system and send malicious instructions to computers known as PLCs, to cut energy supply, cause an explosion at a chemical or processing plant, or use a water or wastewater system to poison food and water supplies.

Although awareness about cybersecurity has increased in recent years, industry and infrastructure consultants say industries remain reluctant to spend the money needed to upgrade their aging equipment – especially in the absence of much pressure from the U.S. government, regulators, or shareholders. Digital Bond, a leading cybersecurity company, stated, “systems are insecure by design. If they (infrastructure and industry) truly understood the risk they were taking, they would find it unacceptable.”

Security experts say the problem lies with the PLCs, also called programmable logic controllers, used to control processes in energy plants, water, water treatment facilities, chemical plants, processing facilities, factories and other industries. The PLCs are designed to obey commands regardless of what impact they might have, according to the experts. The risk is increasing as companies move to connect operations and machinery to the Internet to collect and exchange data and make them easier to control remotely.

Energy Sector
The U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team says it responded to reports of 256 cyber incidents last year, more than half of them in the energy sector, nearly double the agency’s 2012 case load. The incidents include hacking into systems through Internet portals exposed over the Web, injecting malicious software through thumb drives (Insider Threat – upcoming article), and exploitation of software vulnerabilities, DHS said.

In 2014, a German steel mill suffered “massive damage” following a cyber attack on the plant’s network. Furthermore, several German hospitals have come under attack from ransomware, which infects machines and demands that users pay to get an electronic key to unlock them. Germany approved an IT security law that orders 2,000 providers of critical infrastructure to implement minimum security standards and report serious breaches or face penalties. Fifty-one percent of companies have been victims of digital espionage, data theft, or sabotage in the past two years, according to IT lobby group Bitkom.

Nuclear Power Plants
Concerns regarding cyber attacks on nuclear sites have grown in recent years after the emergence of computer malware used to attack industrial controls. Korea Hydro & Nuclear Power Co Ltd, which operates 23 nuclear reactors in South Korea, said in 2014 it was beefing up cyber security after non-critical data was stolen from its computer systems, although reactor operations were not at risk. German utility RWE increased its security after a nuclear power plant was found to be infected with computer viruses. The company said they did not appear to have posed a threat to operations.

International Atomic Energy Agency (IAEA) Director Yukiya Amano cited a case in which an individual tried to smuggle a small amount of highly enriched uranium about four years ago that could have been used to build a so-called “dirty bomb”. More hackers are gaining access to the control system layer because more control systems are directly connected to the Internet, according to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). ICS-CERT helps U.S. firms investigate suspected cyber attacks on industrial control systems as well as corporate networks.

Interest in critical infrastructure security has surged since late last month when Ukraine authorities blamed a power outage on a cyber attack from Russia, which would make it the first known power outage caused by a cyber attack. ICS-CERT identified the malware used in the attack in Ukraine as BlackEnergy 3, a variant of malware that the agency said in 2014 had infected some U.S. critical infrastructure operators.

Presidential Executive Order (EO)
A Presidential Executive Order (EO) issued on April 1, 2015 stated that the increasing prevalence and severity of malicious cyber threats constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States. The President included $14 billion for cyber security spending in his 2016 budget. The U.S. Federal Government has encouraged industries to test themselves against a newly drafted set of cyber standards, and has encouraged more sharing of information about cyber threats and best practices.