OTORIO CEO and Co-founder
Amid highly publicized ransomware attacks against healthcare and other targets, including one that directly resulted in a fatality, ransomware attacks against industrial targets have also risen sharply this year.
Most recently, the SCADA/ICS networks of local subsidiaries of multinationals Honda and Enel Group were hit with the Snake ransomware. Various other examples of operational technology (OT) environments being targeted by ransomware hackers are not hard to find.
We’ve discussed the reasons industrial and OT networks are particularly vulnerable to cyberthreats in previous blog posts: the inherent limitations of OT infrastructure (legacy equipment, long patch cycles, little tolerance for downtime), the cyber-physical connection that has no counterpart in IT network security, and above all the fact that OT networks control the operations of the planet’s largest and most sensitive industrial facilities. OT networks are a unique and sensitive breed.
And this is what makes the issue of cyber insurance for industrial environments so interesting. If OT network cybersecurity is a unique domain, how should insurers treat it as such? More specifically, how can insurers better prepare for, and respond to, ransomware attacks on industrial networks?
Critics of the cyber insurance industry claim that insurers encourage paying off ransomware attackers to ensure business continuity and, the cynics would add, to protect their own revenues from higher premiums. But this is an oversimplification of a complex issue with financial, ethical and liability implications.
What’s more, savvy cyber insurers have begun to change their approach. Here’s why:
Recent research has revealed that ransomware costs to the manufacturing sector have never been higher. In 2019, industrial companies spent more than any other sector on ransomware payments: some $6.9m in payouts to attackers, or 62% of the more than $11m in ransomware payoffs that year, even though manufacturing made up just 18% of ransomware cases. So paying off attackers is clearly still the option many insurers choose.
Yet research firm Gartner predicts that the financial impact of attacks on industrial systems resulting in fatal casualties will reach over $50 billion by 2023. Gartner also expects CEOs to start carrying personal liability for cyber-physical security incidents, placing cybersecurity responsibility on management and boards rather than solely on the CISO. As ransomware threats to the industrial sector continue to grow, paying attackers off becomes less and less viable.
Today, insurers are recognizing that a more proactive and preventative approach, leveraging technological partnerships with industrial cybersecurity specialists, may be a smarter way to go.
Long used to partnering with IT cybersecurity firms, cyber insurers are beginning to internalize that IT and OT cybersecurity are vastly different fields.
IT cybersecurity specializes in securing bits and bytes, which is inarguably crucial for business. OT cybersecurity, on the other hand, secures both data and physical systems, and especially the intricacies of OT components that communicate over industrial protocols (Modbus, DNP3, S7comm and the like) whose traffic IT security tooling typically cannot parse or even see.
Because OT cybersecurity is focused on physical systems, OT security teams prioritize safety and production continuity first. IT cybersecurity places greater emphasis on the confidentiality of data. In a breach at a critical infrastructure facility, for example, an IT security team would rush to secure intellectual property and personal information and only then ensure uptime, whereas an OT security team protects the safety systems first, then production continuity, and only then IP. Given the physical consequences of an OT network breach, getting this prioritization right can literally mean the difference between life and death.
Clearly, securing industrial networks that control hazardous physical processes demands a different type of cybersecurity approach. It’s an approach that OT cybersecurity companies like OTORIO know well.
We offer the world’s first end-to-end portfolio of next-generation OT cybersecurity solutions, together with a rich portfolio of field-proven professional services including Incident Response, Risk Impact Assessment, Penetration Testing and Training. We have been, and are, successfully helping Fortune 1000 industrial companies to better prepare for and effectively respond to ransomware incidents.
This enables our insurance partners to leverage attack mitigation tools that were designed and built from the ground up for OT ecosystems, with production processes and operational continuity as their number one priority. The result: fewer attacks (because of better preparedness) and faster resolution and recovery where attacks do occur, which translates into lower payouts and better service to satisfied customers.
The explosion of ransomware attacks against industrial networks demands a rethinking of cyber insurers’ ransomware response policies. To make a viable and economical response to industrial ransomware possible, insurers need to seek out partners with proven experience in mitigating OT risk.