Enabling business through safety, security
With enough knowledge of a facility such as an oil platform, refinery, or pipeline network, a cyber attack that used distributed malware could lead to physical damage and serious losses of revenue.
A short time ago, an oil platform stood in the waves of the Gulf of Mexico and, unbeknownst to workers on the rig and those offshore, malware was on board, turning that facility into a potential floating time bomb.
Malware, downloaded via satellite and through USB drives, had incapacitated computer networks and left the rig lifeless and unable to perform any duties for a period of time.
While the rig eventually came back on stream after workers fixed the locked-up system, it turned out a worm was flooding their network. Had this incident been a targeted attack, the rig could have sustained major problems.
With enough knowledge of a facility like an oil platform, refinery, or pipeline network, a cyber attack that used distributed malware could lead to physical damage and serious losses of revenue.
There is no telling how many millions of dollars that unplanned downtime cost the oil company. In today's tight economy, companies, big or small, cannot afford to lose that kind of money to any kind of safety or security incident.
Uptime remains critical
The cost of unplanned downtime is just one case to show management there is a solid business proposition behind employing solid safety and security programs. The idea gaining ground in the industry today is that safety and security are not just insurance policies to protect against an incident or bad guys, but rather business enablers that keep the network and system up and running, productive and profitable.
"The insurance justification doesn't always work," said Farshad Hendi, industrial automation safety industry manager at Schneider Electric. "People will say I worked at this plant for the past 15 years and we have never had an incident. It is true you didn't have an incident in 15 years, but that does not mean you will not have an incident tomorrow. Uptime and operational stability is something that resonates with people very quickly. If your plant is down for one week you can quickly determine the cost and you can quickly determine how much investment I need to put in and how much gain I will get."
Indeed, when talking about safety or security, users need to consider metrics such as improving the efficiency of operations, reduction in time to detect incidents, and return on prevention.
But "wait a minute," a senior manager could say, "we have never been hit before, so why should I pay for something that doesn't generate revenue?" The simple answer is that safety and security can pay big dividends.
"It is an interesting conversation to have," said Joshua Carlson, industrial automation manager for cyber security in North America at Schneider Electric. "The challenge is getting users to understand we are not just looking at the risk model and figuring out the probability. With cyber security, it is not a matter of if, but a matter of when. The challenge becomes at some point when are you going to have an incident and how much is it going to cost you?"
Mature vs. dynamic
Safety has evolved over the years to where manufacturers think safety first. But security is an entirely different beast. Because it is a constantly changing, dynamic force, it isn't about hardening a system to keep bad guys out any more; it is now about being situationally aware: understanding what is happening within a system at any given time. And if the senior manager thinks attacks aren't happening, think again.
Just look at the numbers: in Fiscal Year (FY) 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 245 incidents reported by asset owners and industry partners. The energy sector led all others again in 2014 with the most reported incidents at 79 or 32%, followed by critical manufacturing at 65 or 27%. Of all the incidents reported to ICS-CERT, 55% involved advanced persistent threats (APT) or sophisticated attackers.
While the numbers reported to ICS-CERT may seem low, in reality, the vast majority of companies don't report incidents, but instead, keep news of the attacks to themselves.
When it comes to safety, the numbers in dollars and cents can numb the mind, because in the U.S. major industrial incidents cost an average of $80 million each, according to a report from the Center for Chemical Process Safety (CCPS).
Focus results in savings down the line
To combat that, if a company is truly smart about safety and focuses on what they have to do, remains vigilant and is a top-tier organization, they could realize a five percent gain in productivity, according to CCPS statistics. In addition, a company employing a solid safety program could see a three percent reduction in production costs, five percent reduction in maintenance costs, 20% reduction in insurance and a one percent reduction in capital budget.
In the security realm, costs continue to rise, with the average consolidated cost of a data breach at $3.8 million, up from $3.5 million the previous year, representing a 23% increase in the total cost of a data breach since 2013, according to a Ponemon Institute study of 350 companies spanning 11 countries.
In addition, malicious attacks can take an average of 256 days to identify, while data breaches caused by human error take an average of 158 days to identify, the report said.
On top of that, in a separate study the Ponemon Institute found the average annual cost of cybercrime per large U.S. company at $15.4 million, an increase of 19% from $12.7 million a year ago. It also represents an 82% jump from Ponemon's first study six years ago.