Recently an oil platform stood silently in the Gulf of Mexico. Unbeknownst to workers on the rig, malware was on board which could have turned that facility into a floating time bomb!
Malware, or malicious software (“mal” means “bad” in Spanish), includes viruses, worms, Trojan horses, spyware and others. Downloaded via satellite and USB drives, it shut down computer networks and left the rig lifeless. The rig was unable to perform any duties for a period of time.
The rig eventually came back on stream after workers furiously fixed the locked-up system, and it turned out a worm had been flooding their network in the middle of the ocean. Had this incident been a targeted attack, it could have caused major operational and safety issues on the rig. With the right knowledge of a facility like an oil platform, refinery, or pipeline network, a cyber attack like this one using distributed malware could lead to physical damage, serious losses of revenue and serious danger to personnel.
There is no way to calculate how many millions of dollars that unplanned downtime cost the oil company. In today’s tight economy, companies, big or small, cannot afford to lose that kind of money to this kind of safety or security incident. Uptime remains critical.
The cost of unplanned downtime is just one component of a very solid business case for developing solid safety and security programs. There is a growing awareness in the industry today that safety and security are not just insurance policies to protect against an incident or bad guys, but a business enabler, one which keeps networks and systems up and running, productive and profitable.
“The insurance justification doesn’t always work,” said Farshad Hendi, Safety Services Practice Lead at Schneider Electric. “People will say I worked at this plant for the past 15 years and we have never had an incident. It is true you didn’t have an incident in 15 years, but that does not mean you will not have an incident tomorrow. Uptime and operational stability is something that resonates with people very quickly. If your plant is down for one week you can quickly determine the total cost and investment you need to make and how much return you will get.”
Indeed, when talking about safety or security, users need to consider metrics such as improving operational efficiency, reduction in the time it takes to detect incidents and return on prevention.
But “wait a minute,” a senior manager says, “we have never been hit before, so why should I pay for something that doesn’t generate revenue?”
The simple answer is that safety and security can pay big dividends.
“It is an interesting conversation to have,” said Joshua Carlson, Cybersecurity Manager North America at Schneider Electric. “The challenge is getting users to understand we are not just looking at the risk model and figuring out the probability. With cybersecurity, it is not a matter of if, but a matter of when. The challenge becomes at some point when are you going to have an incident and how much is it going to cost you?”
Safety has evolved over the years to where manufacturers think safety first. But security is an entirely different beast. Because it is a constantly changing, dynamic force, it is no longer about hardening a system to keep bad guys out; it is now about being situationally aware: understanding what is happening within a system at any given time. And if the senior manager thinks attacks aren’t happening, think again.
Just look at the numbers in Fiscal Year 2014:
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 245 incidents reported by asset owners and industry partners. The energy sector led all others again in 2014 with the most reported incidents at 79 (32%), followed by critical manufacturing at 65 (27%).
And 55% of the incidents reported to ICS-CERT involved advanced persistent threats (APT) or sophisticated attackers.
While the numbers reported to ICS-CERT may seem low, in reality, the vast majority of companies don’t report incidents, but instead, keep news of the attacks to themselves.
When it comes to safety, the numbers in dollars and cents can numb the mind:
In the US, major industrial incidents cost an average of $80 million each.
Source: (Center for Chemical Process Safety, CCPS)
To combat that, if a company is truly smart about safety and focuses on what they have to do, remains vigilant and is a top-tier organization, they could realize a 5% gain in productivity (CCPS statistics). In addition, a company employing a solid safety program could see a 3% reduction in production costs, 5% reduction in maintenance costs, 20% reduction in insurance and a 1% reduction in capital budget.
In the security realm, costs continue to rise: the average consolidated cost of a data breach is $3.8 million, up from $3.5 million the previous year, which is a 23% increase in the total cost of a data breach since 2013, according to a Ponemon Institute study of 350 companies spanning 11 countries.
A top-tier organization could realize a:
5% gain in productivity
3% reduction in production costs
5% reduction in maintenance costs
20% reduction in insurance
1% reduction in capital budget
Source: (Center for Chemical Process Safety, CCPS)
In addition, malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify, the report said.
On top of that, in a separate study the Ponemon Institute found the average annual cost of cybercrime per large U.S. company at $15.4 million, an increase of 19% from $12.7 million a year ago. It also represents an 82% jump from Ponemon’s first study six years ago.
(To be continued).
Courtesy Schneider Electric