Ultra Electronics 3eTi

The High Cost of Playing Down ICS Cybersecurity

June 20th, 2014 / By

When Reuters reported May 20 that an unnamed American utility’s control system was hacked, according to the Department of Homeland Security, the story and DHS pointed out that despite no apparent operational impact, the utility probably had been hacked before. The agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said, according to Reuters, that employees probably let the hackers in through an Internet portal that used a password system vulnerable to brute force hacks.

These crude intrusions test password combinations to gain entry. Such low-tech systems pervade industrial control environments worldwide, and they typically lack the logging capability that can enable thorough review and remediation.

Last year ICS-CERT responded to 256 cyber incident reports, Reuters’ Jim Finkle wrote, “more than half of them in the energy sector. While that is nearly double the agency’s 2012 case load, there was not a single incident that caused a major disruption. Those incidents include hacking into systems through internet portals…injecting malicious software through thumb drives, and exploitation of software vulnerabilities.”

So, what constitutes a “major disruption?” When a company’s industrial control system is compromised, the damage is consistently downplayed. Hey, no one was hurt; there’s nothing to see here, folks.

Bloomberg reported May 21 that US companies hacked by China didn’t tell investors that trade secrets and other data had been stolen. Two of the companies cited in the article, Alcoa and Allegheny Technologies, maintained that the attacks weren’t sufficiently serious to warrant disclosure to shareholders. Now, the SEC, Wall Street and shareholders are taking a closer look.

Intellectual property and trade secrets determine corporate value which moves investor decision-making and stock prices. What’s the cost when these are compromised, and the company doesn’t want to talk about it? Would the market care that the intrusions were actuated not by some malicious computer genius, but through malware in an internal email attachment?

Bloomberg and sources said the Alcoa employees who unwittingly released the malware were simply responding to routine correspondence from a member of the firm’s board of directors. As a result, nearly 3,000 emails with more than 800 attachments were stolen, including ones discussing sensitive acquisition activity.

I don’t know about where you work, but at my company that would be a very big deal. I would immediately start doing the math. First, there are time and materials associated with isolating the intrusion and cleaning the affected resources. Then, there’s diversion of human capital from revenue-generating activity. If the breach becomes known outside the company, as it almost inevitably does, there is a terrible price to pay in terms of company financial loss and reputation, and in some cases, such as in the case of Target’s CEO, loss of leadership.

And then there are numbers that are far less ambiguous. The cost to Target for its massive data breach may push past the $1 billion mark. In a February article, The Economist cited extensive and expert research in reporting that malicious attacks cost American companies, in 2012 alone, $277 for each customer account put at risk. The article noted that Symantec put the cost of cyber-crime last year at $113 billion.

Considering Target’s 40 million-or-more victimized customers, in that single instance, the Symantec estimate seems conservative. If I were in the handicapping business, I would want to attach a dollar value to sets of innumerable bad outcomes when cyber-crime breaches my mission-critical ICS and precious IP.

Then I’d re-think my executive priorities, and add 20 percent.