Recent Cyber Incidents
Written by Jason Grimbeek, founder and CEO of Iron Spear
Cybercrime is certainly a leading problem that many businesses have to face, some faster than they had planned. Recent headlines such as the Colonial Pipeline breach that interrupted fuel supplies to the Southeast of the US for 11 days are testament to the impact of these events. That particular attack was through a forgotten-about account that had remote access to their environment. Ultimately a ransom of $4.4 million (USD) was paid to restore operations. And while a good deal of that money was retrieved through the FBI, it did nothing to cover the losses in production, which were significantly more than the ransom itself. Not only did Colonial lose production revenue, downstream impacts were far and wide with fuel shortages and price escalations hitting airlines, trucking, and other major industries. Pump prices rose six cents per gallon during this outage, which is significant.
Another headlining attack was that of SolarWinds, which provides software to manage business IT systems. This software typically sits in the background and facilitates easy and efficient mechanisms of administering large IT networks and is used widely across all sectors of business. I n December of 2020, FireEye, one of the world’s leading cybersecurity firms announced they were victims of a cyber-attack, perpetrated by a nation-state. The tools they used to test their client’s networks for security were stolen. While investigating their own attack, they uncovered evidence that SolarWinds software had a backdoor, used by attackers to gain easy-access to a company’s network.
Later investigation would reveal that hackers had gained access to SolarWinds as early as January 2019, embedding backdoors into the software used by IT teams across thousands of companies, potentially exposing them to intrusion.
“After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,” the FireEye analysts said. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plug-in configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated block lists to identify forensic and anti-virus tools running as processes, services, and drivers.”
This was a sophisticated attack that included mechanism to hide from security tools and anti-malware software. The end result was up to 18,000 organizations being infected with potential backdoors. The attackers would not use this backdoor to perpetuate the crime, rather to gain further backdoors through remote user account creation, etc. This would limit the chances of the initial ingress point being detected and blocked.
SolarWinds issued a patch to address the problem, but due to the complexity and unknown entry points opened from this breach, the scope of the problem is almost impossible to measure. The US Government has attributed blame to Russia, and this is a trend we are seeing more often. Supply-chain attacks such as these are one of the biggest threats to all industries due to their broad reach. Nation-state attacks are significant and undermine a country’s security. While nation-state is a big contributor to attacks, so is organized crime.
Cybercrime
Cybercrime is profitable and we are fooled if we believe it is still a kid in his mom’s basement tinkering on a keyboard. By the end of 2021, cybercrime is expected to cost the world over $6 trillion according to Cybersecurity Ventures. This is exponentially larger than the damage inflicted from natural disasters in a single year, and will be more profitable than the global trade of all major illegal drugs combined.
According to the IBM Security, Cost of a Data Breach Report for 2021, the average cost of a breach globally was $4.24 million, while in Canada this was $5.04 million. While the mining industry has little in terms of sellable data, they do have operational systems that if taken out, will cripple production to significantly impact the bottom line. IBM statistics show that in 2021, 38 per cent of a breach cost was from the loss of production.
Cyberattacks are not IT events, they are business crippling incidents, and the insurance companies are bearing the initial brunt of this. We are seeing cyber criminals actively searching for companies with cyber insurance policies, increasing the chances of large payouts.
The Cyber Insurance Crunch
The number of insurance claims across all industries saw an increase of 98 per cent from 2020 to 2021. The most notable increase was in the industrial sectors with a 263 per cent increase in claims. This is an indicator that criminals realize the impact of a digital attack on an industrial system. Operational Technology (OT) used to operate industrial systems are typically under protected for the sake of reliability. Criminals know this and will work tirelessly to break into them, as an organization will be crippled without them, just as Colonial Pipeline was.
Statistics vary, but between 58 to 76 per cent of organizations end up paying the ransom to recover their data. Either way, it’s a high number which indicates organizations are not prepared for these events. Insurance rates have increased an average of 32 per cent in the last year, and some of our customers have reported over 300 per cent increases, while some others have been denied coverage completely.
Most insurers rely on reinsurance for cybersecurity. Currently there are four key players accounting for 60 per cent of reinsurance market for cyber security.
“The cyber insurance market is currently driven by a demand and supply imbalance which shows no sign of relenting any time soon. Claims are up, capacity is down and underwriting profitability is, at best, under pressure,” says Shay Simkin, global head of cyber at Howden.
Although there have been significant premium increases, this has done little to offset the combined ratio deterioration which has seen a significant increase according to S&P.
Cyber insurance has not been in place for decades and there is no large long-term capital base, meaning these increases in payouts are impacting the bottom line and, with no end in sight to this rise in crime, the risk is beginning to outweigh the revenue. To stem this outflow of cash, insurers are starting to mitigate these risks through coverage higher premiums, increased deductibles, and tougher T&C’s requiring organizations to implement better security. No longer are there a few questions being asked about the security controls, now we are seeing the requirement for third party audits, or at least a demonstration of an adequate cyber program by some insurers.
What is a Cyber Program?
Cyber security is often thought of as a set of controls to force a password change or make life difficult to access your computer. Instead, a comprehensive program involves a full range of controls and procedures to ensure the right controls are in place for traditional IT, as well as the industrial OT side of the organization. Mines have typically skated through with the bare minimum, but these days we are seeing an uptick in extending security into the mine itself. At Iron Spear we are focused on a practical approach to cyber security in IT and OT.
We start with industry frameworks such as NIST, ISA/IEC 62443 and ISO 27002, and build a program with actionable controls and processes that technicians can own and operate. We are firm believers in getting the basics right before investing in the many technologies out there. There will be a time for those, but without the basics, your organization will always be vulnerable. The Colonial attack could’ve been prevented by a simple account review process that requires no technology and 30 minutes of someone’s time.