A string of high-profile corporate security breaches this year illustrates that cyber criminals are growing more sophisticated and aggressive in undermining the global business community’s defenses. Any company that relies on networked systems — including industrial facilities — can be a target. Here we look at the costs of cyber crime and the importance of robust protection.
Information technology (IT) is a crucial part of manufacturing, greatly enhancing process efficiency and enabling the smooth operation of increasingly complex production systems. But the recent emergence of new viruses targeting industrial controls, as well as a series of major cyber attacks against corporate and government networks this year, has highlighted IT vulnerabilities around the world.

“It seems like almost every day we are hearing about attacks on computer networks. In just the last few months, cyber attacks have been reported at Citicorp, Exxon, Shell, Google, PBS, NASA, Fox, Lockheed Martin and the International Monetary Fund,” Manufacturing Executive’s Game-Changing Technologies blog explains. “The type of company or organization doesn’t matter. Any company or organization appears to be vulnerable.”
According to the Cisco 2Q11 Global Threat Report, the number of unique instances of malware attacking companies more than doubled between the first quarter and the second quarter of 2011, climbing from 105,536 in March to 287,298 in June. The average malware encounter rate during the second quarter was 335 encounters per enterprise per month, with peaks in March (455) and April (453).
Among the top 10 fields affected by cyber crime, companies in the pharmaceutical and chemical industries were at the highest risk of malware attacks, followed by firms in energy, oil and gas; transportation and shipping; agriculture and mining; education; food and beverage; insurance; HVAC, plumbing and utilities; travel and entertainment; and manufacturing.
“Malware has evolved along with the Internet and is now the tool of choice for would-be attackers. But the key lies in its ability to remain surreptitious: It must enable the attacker to remotely manipulate a system while remaining virtually invisible to standard defenses,” Cisco explains. “This specialized class of malware, termed ‘advanced persistent threats’ (APTs), presents a widely publicized yet little understood security challenge.”
Cyber crimes can be extremely costly. The second annual cyber crime survey from the Ponemon Institute found that the median annualized cost of cyber crime among large-sized organizations reached $5.9 million per year in 2011, a cost increase of 56 percent from the prior year. Across companies, costs ranged from $1.5 million to $36.5 million, with smaller firms incurring significantly higher per-capita losses ($1,088) than larger companies ($284).
The average time to resolve a cyber attack is 18 days, with an average cost to afflicted organizations of $415,748, 67 percent higher than the average cost in 2010.
According to a joint survey this year from Ponemon and IT security firm Symantec, information theft continues to be the highest-costing form of cyber crime, accounting for 40 percent of external costs on an annualized basis, while disruption to business and productivity losses from cyber crime account for 28 percent of external costs.
“We continue to see an increase in the costs to businesses suffering a data breach,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in an announcement of the findings. “Regulators are cracking down to ensure organizations implement required data security controls or face harsher penalties. Confronted with both malicious and non-malicious threats from inside and outside the organization, companies must proactively implement policies and technologies to mitigate the risk of costly breaches.”
Among the major data-breach incidents recorded by the Open Security Foundation, 47 percent involve businesses. Fifty-four percent of breaches stem from outside sources, while 24 percent derive from accidental activity within the company itself and 9 percent from malicious inside sources.
Guarding against security risks is particularly important in the industrial sector. Last year, the Stuxnet worm, considered the world’s first cyber super weapon, infected thousands of computer networks worldwide, specifically targeting industrial control systems critical for operating factories, refineries and power plants.
Security experts recently identified a successor to Stuxnet. Known as Duqu, the new malware relies on much of Stuxnet’s original source code, is designed to attack industrial networks and may pose an even greater threat to cyber security.
“Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered,” Symantec explains. “Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”
How can manufacturers protect themselves from these types of threats? Apart from purchasing security and encryption software, another sound strategy is to maintain a resilient network infrastructure that limits widespread access to information while providing it to the necessary personnel.
Manufacturing software firm IQMS offers these additional tips for keeping an industrial business safe from cyber crime:
- Assign a specialist. Having a specific person (or team of people) responsible for organizational security is key to reducing the threat potential. While many small businesses hire outside consultants for such work, having internal staff who can monitor and maintain safeguards onsite is an important asset.
- Track your data retention. It’s critical to know what type of data your company holds onto and how long it needs to retain it. Purging data that is no longer useful or outside your business parameters narrows the scope of risk and reduces the potential liability should a breach occur.
- Strengthen your password protection. Password policies often go overlooked, with many employees using access codes that are several years old or even the default password first assigned to them. Implement a regular schedule for updating passwords for workstations, administrative consoles, system controls, servers and routers.
- Issue user guidelines. Make sure employees know what is acceptable for them to do at company-provided workstations and what is not. While they should be able to customize their systems somewhat to feel comfortable, they must also be reminded that they are part of a corporate network and their actions — whether downloading unsanctioned programs or installing outside software — can have larger ramifications for the business as a whole.
Cyber security issues are of particular importance as increasing numbers of manufacturers are building and launching products that connect to the Internet and the cloud.
“This new world of connected-product development demands adjustments by manufacturers. They must develop new competencies in cloud security or partner with trusted parties with the needed expertise. They must create a new sort of disaster-recovery plan that defines effective responses to cyber attacks and the loss of customer information — and even the potential for customer harm,” Managing Automation advises. “You may not be a connected manufacturer today, but five years from now you might be. Consider the ramifications now and plan for a future in which you manage product lifecycles further into the field than ever before.”
Resources
Cyber-Security: Do Manufacturers Have a New Opportunity?
by David R. Brousell
Manufacturing Executive, July 21, 2011
Cisco 2Q11 Global Threat Report
Cisco Systems, 2011
Second Annual Cost of Cyber Crime Study
Ponemon Institute, August 2011
…Organizational Data Breach Costs Hit $7.2 Million and Show No Sign of Leveling Off
Symantec / Ponemon Institute, March 8, 2011
Data Loss Statistics
DataLossDB (Open Security Foundation), 2011
W32.Duqu: the Precursor to the Next Stuxnet
Symantec, Oct. 24, 2011
4 Tips Every Business Should Implement for Better Cybersecurity
by John Asi
IQMS, July 21, 2011
Manufacturing and Connected Products: A Dangerous Combination
by Chris Chiappinelli
Managing Automation, Oct. 24, 2011








