The arms race is heating up in cyber security. We all know that cyber attacks are now a matter of when, not if. We also know that new technologies such as Internet of Things (IoT) devices and artificial intelligence (AI) can be used by attackers across multiple industries around the world. Chemical companies are increasing their defenses, but they can lack a structured understanding of cyber risk in terms of potential damages, their specific monetary implications, and the best way to allocate funds and resources to contain cyber threats. A risk management approach backed by effective governance and communication can help companies mitigate risk while optimizing their cyber security investments.
Cyber attacks are a growing, and very expensive, threat to organizations. In the 2018 Harvey Nash/KPMG CIO Survey, 33 percent of respondents reported a major cyber attack in the last two years.[1] Another survey puts the average total cost of a data breach at about US$3.62 million.[2] In 2017, cyber attacks were estimated to have caused US$5 billion worth of damages, a 15-fold increase since 2015.[3]
The chemical industry is exposed to many of today's cyber risks. As discussed in REACTION magazine, Edition 18 (PDF 2.33 MB), chemical manufacturers are vulnerable to attack not only on the enterprise side, through their IT systems, but also on the operational side, through their control systems and connected networks.[4] In a manufacturer's supply chain, for example, an attack originating on either side can cause physical damage: a supplier may suffer business interruption when its IoT devices are shut down, or technical damage when attackers reach the supplier's network through unsecured devices.[5]
To better manage cyber risk and increase their ROI for cyber security, chemical companies should consider a comprehensive, quantitative model for addressing cyber risks. This model consists of five key components:
Business view: An understanding of the business, its corporate vision and ambitions, business strategy and growth plans, intellectual property, unique processes, critical staff, critical assets, and suppliers.
Threat view: An understanding of the threat actors of concern to the firm, their intent and motivation, and the attack patterns they would typically adopt to defeat the firm's security capabilities.
Security view: A structured assessment of the security capabilities in place within the organization to protect the critical assets. This should be done in a way that is repeatable and auditable while achieving the highest degree of objectivity possible.
Attack scenarios: A catalogue of business cyber attack scenarios, each linking a threat actor to an asset at risk. Each scenario includes an assessment of the likely loss to the business and the potential gain to the attacker. These scenarios are the basis for calculating impact and are developed hand-in-hand with the business.
Link between threat and security: A means of relating the attack vectors an attacker might use to the security capabilities that make the attacker's life more difficult. This helps identify the costs those capabilities impose on an attacker and how they change the likelihood of the attack succeeding.
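A minimal quantified version of these five components, added here as an illustration and not KPMG's own methodology: each scenario links a threat actor to an asset via one attack vector and carries an annual likelihood and a loss; each control defeats an assumed fraction of attempts on the vectors it covers; the expected annual loss before and after a control gives its net value to the business. All actors, assets, likelihoods, losses and costs are constructed, and attacker gain and attacker cost are left out of this simplified model.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    """Attack scenario: links a threat actor to an asset at risk via one attack vector."""
    name: str
    threat_actor: str
    asset: str
    vector: str
    annual_likelihood: float  # probability of a successful attack per year, without controls
    loss_usd: float           # business loss if the scenario occurs

@dataclass
class Control:
    """Security capability: defeats a fraction of attempts on each vector it covers."""
    name: str
    annual_cost_usd: float
    reduction: dict  # vector -> fraction of attempts defeated (0..1), an assumed figure

# Constructed sample data for a hypothetical chemical manufacturer (not real figures).
SCENARIOS = [
    Scenario("Ransomware halts a plant", "criminal group", "plant control network", "phishing", 0.30, 4_000_000),
    Scenario("Formulation theft via supplier", "state actor", "process IP", "supplier_network", 0.10, 12_000_000),
    Scenario("IoT sensor tampering", "hacktivist", "field sensors", "exposed_device", 0.20, 500_000),
]
CONTROLS = [
    Control("OT network segmentation", 400_000, {"phishing": 0.6, "supplier_network": 0.5}),
    Control("Supplier access hardening", 150_000, {"supplier_network": 0.7, "exposed_device": 0.4}),
    Control("Device inventory and patching", 100_000, {"exposed_device": 0.8}),
]

def residual_likelihood(scenario, controls):
    """Likelihood after each covering control independently removes its share of attempts."""
    p = scenario.annual_likelihood
    for c in controls:
        p *= 1 - c.reduction.get(scenario.vector, 0.0)
    return p

def expected_annual_loss(scenarios, controls=()):
    """Sum of likelihood x loss over all scenarios: the quantified cyber risk in USD per year."""
    return sum(residual_likelihood(s, controls) * s.loss_usd for s in scenarios)

def net_value(scenarios, candidate, baseline=()):
    """Risk reduction a control adds on top of the baseline, minus its cost (USD per year)."""
    before = expected_annual_loss(scenarios, baseline)
    after = expected_annual_loss(scenarios, list(baseline) + [candidate])
    return before - after - candidate.annual_cost_usd

def rank_controls(scenarios, candidates, baseline=()):
    """Order candidate controls by net value; a negative value does not pay for itself."""
    return sorted(candidates, key=lambda c: net_value(scenarios, c, baseline), reverse=True)
```

With the constructed figures the baseline expected annual loss is US$2.5 million; segmentation and supplier hardening each return more risk reduction than they cost, while the patching control alone does not, which is the kind of comparison the funding decision needs.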
[1] Harvey Nash/KPMG CIO Survey 2018 (PDF 2.35 MB)