Rising concern over cybersecurity is being driven by high-profile data breaches and the growing realization that potential revenue losses from cyber risks can rival those of business interruptions and natural disasters. The scale of cyber incidents and resulting costs of such events continue to set new records.
Cyber risk is relatively new territory, and is evolving rapidly due to changes in both offensive and defensive technologies. Security measures are designed to protect networks, computers, software, and data from attack, damage, or unauthorized access. Human elements of cybersecurity include disaster recovery/business continuity planning, operational security, and end-user education.
The most common types of cyber attacks pose risk to data security and cause business interruption. These include:
- Data Exfiltration, the unauthorized transfer of data from a computer, is the predominant cause of insured cyber loss, with many instances of individual companies suffering from data leaks. The risk of data exfiltration loss is increasing in severity.
- Financial Theft is a major source of cyber attacks and cyber-enabled fraud. The most common means of financial theft is credit card misappropriation. Many theft campaigns involve data harvesting from point-of-sale systems, particularly with legacy systems. The growing use of chip and pin (EMV) credit cards is reducing theft levels.
- Cloud Service Provider Failure is a growing concern as many companies are making cloud services more central to their business operations and migrating more services to the cloud.
- Denial of Service (DoS) Attacks are security events that occur when an attacker takes action that prevents legitimate users from accessing targeted computer systems, devices, or other network resources. DoS attacks typically flood servers, systems, or networks with traffic in order to overwhelm the victim resources and make it difficult or impossible for legitimate users to use them. A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target.
- Cyber Extortion, which attempts to extort major companies using cyber attacks, is still relatively rare, but events are growing in frequency and the scope of their ambition. The issue is common in personal computing and is occasionally seen in attacks on companies. There have been recent examples of cyber extortion demands on corporations resulting from data exfiltration, in which confidential data is threatened to be released, and as part of denial of service attacks. These elements are likely to become more common components of these loss processes in the future.
Cyber attacks can involve more than just data security, and can be targeted at interfering with the computerized systems that control physical processes. This approach opens the possibility of cyber attacks to cause physical damage, destruction of property, fires or explosions, deaths, injuries, loss of services, or other harms.
There is a particular concern about control systems that are connected to networks and could be accessed by unauthorized third parties. This includes a wide range of sensors, actuators, valves, switches, mechanical devices, and electronic controls, especially in industrial control systems. Many electronic systems now contain elements of connectivity for diagnostic read-outs, upgrading and programming uploads, data transmission, and signal processing. These are all targets for potential attacks.
The proliferation of devices that are connected to the Internet is often referred to as the “Internet of Things” (IoT). Estimates and forecasts of the number of Internet-connected devices vary, but the number certainly reaches into the tens of billions and will continue to climb. Cybersecurity issues have been raised about industrial process control systems, building heating and ventilation systems, webcams, drones, and numerous other systems. Following are examples of some cyber attacks being used to trigger physical damage:
- Spoofing (Sending False Data to a Sensor) – Sending false data can potentially be a damaging attack mechanism. When a sensor is vital to the safe performance of a system, spoofing the sensor can trick the system into unsafe activities. For example, spoofing thermostat readings could cause system overheating and damage.
- Hysteresis (Forcing Cyclical Behavior) – Once a hacker has control of a physical system, damage can sometimes be caused by forcing the system to start and stop in rapid cycles. This causes a number of problems, including the potential to trigger uncontrolled positive feedback. Thermal runaway in lithium batteries, for example, can be produced by hysteresis cyber attacks.
- Disconnection (Stopping the Function of a Device) – Simply preventing a physical system from connecting to its control system may be enough to cause damage and loss. For example, a denial of service attack on a building management system can make it unable to connect to the Internet resulting in system shut-downs.
- Actuators (Controlling Physical Components) – Actuators open and close valves, lock and unlock doors, manipulate robot arms, and control many other processes. The remote control of actuators has significant potential to cause damage, either by preventing them from operating or causing them to operate unsafely. For instance, cyber attacks have opened valves and manipulated pumps to maliciously release water, sewage, and gas supplies.
Many cyber attacks occur because companies and organizations have been slow in implementing the critical security measures needed to protect themselves. In response, new government regulations are emerging that are forcing organizations to get up to speed. The regulations often feature penalties for those that don’t comply.
For example, the nation’s first state-mandated cybersecurity regulations regarding banking and financial services companies went into effect in New York state on March 1 of this year. The 23 NYCRR 500 regulation from New York State’s Department of Financial Services (“Cybersecurity Requirements for Financial Services Companies”) will be enforced in phases over a period of two years.
The regulation requires companies to implement controls to ensure a strong cybersecurity program, including requirements for a program that is adequately funded and staffed, overseen by qualified management, and periodically reported on to the board or the most senior governing body of the organization. It is not one size fits all, and allows companies to develop a cyber security program based on their individual risk assessments (with most of the requirements tied to those risk assessments). Although many components of the new regulation are already considered best practice, many companies have not yet implemented these protective measures. At Risk Logic we can help identify Cyber Risk. Please contact our main office if you have any questions.