Cyber-criminals are seeking out new prey. Industries that previously had a lower threat profile – such as oil-and-gas, manufacturing, and shipping – are now falling victim to cyber-attacks at an increasing rate. In some cases, the cyber criminals are using the supply chains of companies in these industries as entry points for the attacks. In other cases, the criminals target these companies directly. In either case, the organizations these companies are third parties to – their clients – are often impacted.
As a result of this new trend, governments are stepping up with new efforts – laws, regulations, and guidance – to help create national supplier ecosystems that are more resilient to cyberattack. Industries are also creating their own working groups and other types of infrastructure to help increase communication about cyber risk – to share experiences as well as information on prevention and resilience. The evolution of cybercrime is rapid – governments, industries and individual companies are working hard to stay ahead of the threat.
Expanding their horizons
While most industries have had some level of cyber-criminal activity over the past decade – no one is really immune – some industries have seen an uptick in both frequency and severity over the past 12 months. Impacts have included disruption of operations and theft of proprietary information. Industries are finding themselves under increasing threat include:
- Oil and gas – Five natural gas pipeline operators in the US had their operations disrupted when a third party supplier of electronic data and communications services, Energy Services Group, was hacked in the spring of this year. While customer data was not compromised, Bloomberg reported that Duke Energy left Energy Services as a customer shortly after the hacking incident, over concerns that its client data could be compromised.
- Manufacturing – The hacking of a third party vendor to more than 100 manufacturing companies was discovered in July 2018. According to UpGuard Cyber-Risk, a cybersecurity consultancy, some 157 gigabytes of data that Level One Robotics was holding was exposed via rsync, a common file transfer protocol used to mirror or backup large data sets. Sensitive documents included more than 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, and VPN access request forms. Corporates who had data exposed included VW, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp.
- Shipping and transport – Major cyberattacks at shipping and trucking companies have hit the headlines in recent months. In late July 2018, a ransomware attack at the China Ocean Shipping Company (COSCO) crippled the company’s internal communications. This follows on from the 2017 NotPetya malware outbreak, which forced shipping giant Maersk to replace 4,000 new servers, 45,000 new PCs, and 2,500 applications over a period of 10 days. Cyberattacks are also up within the trucking industry, although these companies are keeping these attacks private. Trucking companies are vulnerable to third parties, and of course they are also essential third parties to their clients.
Most industry experts believe that these attacks are just the tip of the proverbial iceberg – that cyber-criminals will continue to expand the range of firms types they attack, as well as further develop their arsenal of cyber weaponry. Supply chains are now considered to be on the front lines of this cyber-warfare – disrupting a single organization may only be a means to an end, with the end being the disruption of all of that company’s client operations.
US government takes action
Governments are boosting their efforts to protect both their economies and their citizens from this escalating cyber-warfare. This is taking a variety of forms, including the protection of the government’s own supply chain; reaching out to industries that are seeing growing levels of cyberattacks with regulations as well as information; and emphasizing the importance of supply chain protection for all businesses.
In the United States, several initiatives are underway to help protect the government’s own supply chain – and particularly those of civilian agencies. For example, two senators introduced a bill in June 2018 that focuses on improving the resilience of civilian agencies, alongside other US government supply chain cyber issues. The Federal Acquisition Supply Chain Security Act (FASCSA) would enable the creation of a Federal government-wide approach to supply chain security risk for IT products and services. For example, it would enable US civilian Federal agencies to work with each other, as well as defence and intelligence agencies, to mitigate IT security issues.
The US Federal government is also looking to enhance its support for businesses across the country that face cyber risks. For example, the US Congress is working on the Small Business Advanced Cybersecurity Enhancements Act. Hearings were held in February on this bill, which amends the Small Business Act. It directs the Small Business Administration, jointly with the Department of Commerce, to create a central small business cybersecurity assistance unit, as well as satellite units in small business development centres. The goal is to help smaller businesses – are often in the supply chains of larger companies – better manage their cyber risk.
In July 2018, the Department of Homeland Security announced the formation of a new National Risk Management Center, to specifically engage in cyber risk and to work more closely with the private sector. Other US legislation is in the works, which if passed would give the Department of Homeland Security the ability to bar suppliers which would pose a cyber threat to the civilian government supply chains. Chinese and Russian companies are thought to be of particular focus here.
UK provides targeted programs
In the UK, the National Cyber Security Centre (NCSC) launched its first set of cybersecurity advice to law firms, and a new legal threat report, in July. The threat report indicated that £11 million of client money was stolen over the past 12 months via cybercrime, and that 60% of law firms reported suffering from an information security incident in the past year. The report points out that law firms are an attractive target for cyberattacks because they have “sensitive client information, handle significant funds and are a key enabler in commercial and business transactions.” Earlier in the year, the NCSC published guidance for protecting the supply chain within companies. A report on cyber security in the UK, published to coincide with a conference sponsored by the NCSC in April 2018, also discusses significant supply chain incidents that happened between October 2016 and December 2017.
Industry collaboration increases resiliency
While governments seek to deliver improvements on cybersecurity resilience across their economies, individual industries are also taking action at a more grassroots level. Many of the new targets of cyber criminals are industries that are as highly regulated as financial services, health care, and utilities – early cyber targets – are. For governments, it’s easier to step in and increase cyber resilience in highly regulated industries because there is a structure already in place through which it can deliver new cyber resilience rules. For less regulated or unregulated industries, governments can struggle to communicate and to provide assistance to firms.
As a result, industry organizations and associations are beginning to play a key role in the fight against cybercrime. For example, in April the American Trucking Associations launched FleetCyWatch to help members exchange information about cyberattacks and threats. The shipping industry has also put in place a range of guidance and rules around cybersecurity, although some don’t come into force until as late as 2021. Various efforts are afoot in both the manufacturing and oil and gas industries, too.
All of these programs to combat cyberattacks and improve resiliency are important. However, companies should not wait for outside instruction – or worse, a cyberattack. They should be prepared – by understanding the cyber risks within their own supplier network, as well as the risks that the effects of a cyberattack could create for their clients. Key steps include:
- Discussing third party risk at the board level – Boards should be receiving regular reports and having frequent discussions on these topics – focusing on both the risks in the supply chain, as well as how an event could impact clients.
- Conducting risk assessments – Organizations that actively assess the cyber risks within their supply chain – as well as the risks they may create within the supply chains of their clients – are much more likely to be able to detect and prevent potential harm. They will also be more resilient in the event of an attack, potentially preserving revenue.
- Using outside intelligence – While it’s important to have open and frank conversations with suppliers about cyber risk during assessments and other conversations, cyber risk ratings and other tools can be very valuable. A good rating tool will include analysis by cyber experts, which can provide additional insight.
- Building information security into contracts – Make sure information security requirements – particularly those backed by either legislation or regulation – are built into supplier contracts. Make sure prompt notification of cyber events is included, as well as the right to review or audit information security programs. Cyber elements of contracts should be regularly reviewed – more frequently if there are emerging threats.
- Playbooks – Ensuring you have a playbook in place for if you have an attack or breach. Test them – run through them as part of a mock scenario. This helps build resilience and also ensures that people know the roles they play, lines of escalation etc. This becomes particularly important for some of the regulatory time-frames in place for reporting (such as 72 hours to report a breach to the Data Privacy Authority under GDPR).
- Training employees – Even basic cybersecurity training can have a big impact – teaching staff the importance of not opening certain emails, for example. Employees who work with third parties regularly should receive training geared toward that role. For the best effect, provide training regularly in bite-sized chunks.
- Consider how your third party risk management technology can support reporting – For instance can your suppliers notify you of a breach via a collaborative online portal which tracks, communicates and escalates according to your business rules, capturing an audit trail along the way.
In short, the cybersecurity environment continues to rapidly evolve. A broad range of industries are now under attack – sometimes through their own third parties. In other cases, the attack impacts a company’s own clients, leading to significant reputational and financial damage.
Organizations today – no matter what industry they are in – need to be cyber-aware, and take the appropriate actions to build resilience for when an attack or breach takes place.