As the modern risk landscape becomes increasingly complex, cyber-risk is one area where businesses need to remain vigilant

Research from the World Economic Forum estimates that cyber-related damage in 2021 could reach $6 trillion – that’s roughly twice the GDP of the United Kingdom. Cyber attacks can cause an unprecedented amount of damage, easily crossing borders, and damaging multiple operations and systems around the world.

It is also apparent that, broadly speaking, the C-suite is unprepared to properly mitigate these risks. Research from Deloitte shows that although CEOs and board members understand that cyber-risk is a danger, only a minority of them (38% of CEOs and 23% of board members) are “highly engaged” when it comes to managing the cyber threat.

COVID-19 has also had an effect, exaggerating existing cyber vulnerabilities as, out of necessity, organisations gained a greater digital presence. For risk managers, the challenge is to effectively communicate with the C-Suite to help them understand the complexity we face and to convince them of the benefits of investing in cyber resilience.

The benefits for organisations extend well beyond protecting digital assets, as arguably one of the more concerning aspects of modern cyber-attacks is their potential to cause damage in the physical world. The physical impact of such attacks can be significant, causing business interruption and damaging equipment and commercial property. This threat is closely linked with the growth of digitalisation and the use of industrial control systems (ICS) within commercial facilities; ICS bring opportunities for automation but also risks arising from connectivity, as they create new routes for malicious actors to exploit.

Exploiting industrial control system vulnerabilities

ICS connect the digital and physical worlds together by linking pieces of equipment and systems to the internet. This allows for greater visibility and control, as ICS are often adopted to optimise business processes and promote efficiency. This can range from building automation systems, such as intelligent air conditioning, to improving complex manufacturing processes by allowing machinery to operate autonomously on production lines.

As ICS offer ever greater inter-connectivity and operator convenience, the efficiencies they create can be very beneficial, as they increase a facility’s production capability. They do, however, expose facilities to increased cyber threats, as a larger digital footprint makes them more vulnerable to successful attacks. So, why are ICS particularly at risk of being targeted by an attack?

To answer this question, we have to look back to understand when and why ICS were originally created. Although the wide-scale adoption of ICS may be a more recent phenomenon, some systems have been in place for a much longer period of time. Numerous systems – including those in facilities that process potentially volatile and dangerous substances, such as power plants and waste management sites – were designed and installed before the scale of cyber risk had grown. It is no surprise, then, that in these instances security was originally much less of a concern than efficiency. The situation has now changed, leaving some devices and systems at risk, particularly where retrofits to allow greater connectivity and remote management have been implemented.

COVID-19 has added an extra element to this situation, increasing the level of risk organisations face via their ICS due to the remote working revolution. This change in working practices has led to more people looking to control operations and access systems remotely, potentially blurring the line between IT and OT (operational technology) environments.

As IT systems and OT systems become more closely linked, the potential for a cyber-attack that damages one to adversely affect the other grows.

For instance, an attacker could cause damage to equipment if they are able to compromise an employee who has remote access to an ICS while that employee is working in the more vulnerable home environment. The Bitglass 2020 Remote Work Report recently found that 41% of organisations had not expanded secure access capacity to protect employees accessing systems remotely, clearly indicating why successful cyber-attacks within the home environment are more likely.

Such attacks pose a serious risk for many businesses, as they can potentially render an entire facility inoperable – this was the case in one facility where an attacker caused a furnace to overheat, resulting in immense damage.

When it comes to building resilience and protecting ICS systems, there are several good practice security measures that businesses can take. These include:

  • Implementing measures to ensure that IT and OT systems are kept as separate as possible – both in terms of connectivity and physically – as well as putting in place systems that can identify and alert the organisation when a cyber-attack has been attempted.
  • Firewalls and VPN security measures are also vital, and it’s important that these systems are updated and configured to deal with the greater volume of outside traffic that COVID-19 may have caused.
  • The training of employees and anyone who may have access to secure systems is equally important. Training through techniques such as simulated phishing emails can be very valuable, as it highlights to employees the need for vigilance.
  • Finally, should a successful cyber-attack on an ICS occur, organisations need to have contingency plans in place for how they respond – both in the short term, when dealing with the attacker and the potential damage that might be caused, and looking further ahead, to understand how the attack occurred and how to stop it from happening again.
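The first two measures above (keeping IT and OT separate, and alerting when a crossing is attempted) can be checked against the boundary firewall's own records. The following is an added example, not code from the article or from FM Global: it assumes constructed zone ranges, a single engineering jump host as the only sanctioned path into OT, and a constructed key=value flow-log format, and it raises an alert for every flow from IT, the VPN pool or the outside that reaches for an ICS device, rating an accepted crossing higher than a blocked one.

```python
import ipaddress

# Assumed network zones (constructed): IT office, separated OT network with the ICS devices, remote-access VPN pool.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
    "VPN": ipaddress.ip_network("10.99.0.0/24"),
}
# Well-known ICS protocol ports, used only to label what an attempt was aimed at.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}
# Assumption: one engineering jump host is the only non-OT system allowed into OT.
ALLOWED_OT_SOURCES = {ipaddress.ip_address("10.10.5.10")}

def zone_of(ip):
    """Map an address to its zone; anything outside the known zones is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"

def parse_flow(line):
    """Parse one constructed key=value flow record from the boundary firewall."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"]), fields["action"]

def evaluate(lines):
    """Return one alert per flow that crosses from IT, VPN or outside into the OT zone."""
    alerts = []
    for line in lines:
        src, dst, dport, action = parse_flow(line)
        if zone_of(dst) != "OT" or zone_of(src) == "OT":
            continue  # traffic that never crosses the IT/OT boundary is out of scope here
        if ipaddress.ip_address(src) in ALLOWED_OT_SOURCES:
            continue  # the one sanctioned path into OT
        proto = ICS_PORTS.get(dport, f"port {dport}")
        # A blocked attempt is worth knowing about; an accepted one means the segmentation has a gap.
        severity = "HIGH" if action == "ACCEPT" else "MEDIUM"
        alerts.append(f"{severity}: {zone_of(src)} host {src} -> OT {dst} ({proto}) {action}")
    return alerts

# Constructed sample flow records; these are not real log lines.
SAMPLE_LOG = [
    "src=10.10.5.10 dst=10.20.3.7 dport=502 action=ACCEPT",
    "src=10.10.1.5 dst=10.20.3.7 dport=502 action=DROP",
    "src=10.99.0.23 dst=10.20.3.9 dport=44818 action=ACCEPT",
    "src=203.0.113.8 dst=10.20.3.7 dport=102 action=DROP",
    "src=10.20.3.7 dst=10.20.3.8 dport=502 action=ACCEPT",
    "src=10.10.1.5 dst=10.10.2.2 dport=443 action=ACCEPT",
]
```

Calling `evaluate(SAMPLE_LOG)` yields three alerts: a blocked IT attempt on Modbus, an accepted VPN connection on EtherNet/IP (the segmentation gap a remote-working setup can open), and a blocked external probe on S7comm; the jump-host flow and the intra-OT and IT-only flows produce nothing.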

Adopting risk management strategies for building resilience, like those above, will be key for organisations in the next decade as digitisation increases remote connectivity. Risk managers and senior executives will need to take an active role in combatting the cyber-threats that organisations face, as the threat continues to evolve. This will place their organisations in the best possible position to minimise the likelihood of a successful attack, safeguarding their operations and the revenue they generate.

Tiago Dias is a cyber consultant – Cyber Hazards at FM Global