While Cyberattacks Are Inevitable, Resilience Is Vital

It wasn’t that long ago when a series of major companies in the food industry suffered ransomware attacks that forced them to shut down operations.

As in multiple other sectors, the companies were wildly unprepared: living with a false sense of security, thinking they would never suffer any kind of cyberattack, believing they had a built-in sense of resiliency they thought would keep them up and running.

They were wrong.

To that end, the food sector is just one of many that must understand that production availability is key in operational technology (OT) environments. Production systems generate enormous amounts of revenue per hour so having one down for days or weeks because of a cyberattack is extremely expensive—not to mention the brand damage, environmental and safety risks involved.

This is exactly where a resilience program can really come into play.

Resilience entails the ability of a system to anticipate, withstand, recover from and adapt to, cyberattacks and natural or accidental disruptions. Along those lines, organizations must acknowledge that the days of the hard-shell security exterior keeping attackers out are long gone. There must be a realistic and comprehensive resilience strategy to control the impacts of an attack.

“We must accept the fact successful attacks are inevitable, but ensure we have the people, processes and technologies in place to avoid catastrophic events,” said Mark Carrigan, senior vice president of process safety and OT cybersecurity at Hexagon. “This starts by identifying the most critical assets, understanding the potential consequences of the attack and improving our ability to respond and recover.”
 

Attack costs rising

Understanding your critical assets is even more important today because the costs of attacks continue to go up. Just look at the numbers from various industry reports. According to IBM’s annual Cost of a Data Breach Report, the industrial sector experienced the costliest increase of any industry, rising by an average of $830,000 per breach over last year.

For 2024, the report found that the data breach cost for the industrial sector was $5.56 million compared to the previous year's $4.73 million. Energy also went up to $5.29 million from $4.78 million. Pharmaceuticals also jumped to $5.10 million from $4.82 million.

When it comes to ransomware attacks, manufacturing is the top target, according to a report from cloud security provider Zscaler, Inc.

According to the Zscaler ThreatLabz 2024 Ransomware Report, which analyzed the ransomware threat landscape from April 2023 through April 2024, there was an 18% overall increase in ransomware attacks year-over-year, as well as a record-breaking ransom payment of $75 million to the Dark Angels ransomware group.
 
In terms of specific attacks, MKS Instruments in February 2023 suffered an attack that “affected…production-related systems, and as part of the containment effort, the company has elected to temporarily suspend operations,” according to a report on the incident database, ICSSTRIVE.com. The total cost of that attack to date has been $450 million. The breakdown from that attack was $200 million, which fell on MKS, while one of their suppliers felt a $250 million hit because they couldn’t get product from MKS.

In August 2023, Clorox said damage to the information technology (IT) network "caused widescale disruption of Clorox’s operations." Total cost of that attack to date is $49 million, according to ICSSTRIVE. That same year, Johnson Controls was the victim of an attack that cost the company a minimum of $27 million, according to ICSSTRIVE.
 

Tracking OT cyber incidents

According to the 2024 Threat Report issued by ICSSTRIVE, out of 356 cyberattacks reported in 2023, 68 caused physical consequences to manufacturing or critical infrastructure facilities distributed among more than 500 sites—a 19% increase over the 57 attacks reported in the previous year. Costs related to cyberattacks reportedly were $27 million for Johnson Controls, $49 million for Clorox and up to $450 million for MKS Instruments, to name just a few.

ICSSTRIVE stands for “Industrial Control System Security, Threats, Regulations, Incidents and Vulnerabilities provided by Experts.” ICSSTRIVE.com, a sister site of ISSSource.com, is a database of incidents in the manufacturing sector that started in March 2021. On the site, you can search the more than 1,200 reported incidents in the ICSSTRIVE database by industry sector, country, company, type of attack (like malware or ransomware), or even attack groups.

Other key findings in the 2024 Threat Report include:

• In the period 2019-2023, attacks are almost doubling annually with an average compound annual growth rate of over 90% per year.

• The discrete manufacturing sector was the hardest hit, followed by transportation and process manufacturing.

• In roughly one-quarter of all attacks since 2010, where public reports included enough detail, threat actors impaired or manipulated operational technology (OT) systems directly. In the remaining attacks, physical consequences were an indirect result of compromising IT systems or other kinds of systems.

• Attack complexity is increasing, including for example the emergence of serious GPS spoofing attacks and an increasing number of supply chain attacks with physical consequences.