On December 23, 2015, approximately 225,000 homes in the Ivano-Frankivsk region of Ukraine were left without electricity for several hours after what is believed to be the first known instance of power stations being disabled by a cyber attack.
The as-yet-unknown attackers appear to have installed malware known as BlackEnergy on the systems of three regional power stations before launching a coordinated attack to cause maximum disruption. While the lights were back on within hours, the affected companies were still experiencing difficulties more than two months later. Three other organizations were also infiltrated in the same attack.
A report published in February by the Industrial Control Systems Cyber Emergency Response Team (part of a division of the U.S. Department of Homeland Affairs, which investigated the incident in Ukraine) notes that, “The cyber attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. The companies believe that the actors acquired legitimate credentials prior to the cyber attack to facilitate remote access.”
The attack echoed concerns first raised in 2014 by Admiral Michael Rogers, then head of both U.S. Cyber Command and the U.S. National Security Agency, that hackers acting as “surrogates” for foreign powers were developing the ability to infiltrate and disrupt critical infrastructure in the U.S.
It is very difficult to put an exact number on the potential cost of such an attack, though it has been speculated that a total disruption of the country’s utilities through other means, such as an electromagnetic pulse from solar storms or nuclear attack, could cost nine in ten Americans their lives.
Separately, the World Economic Forum’s Partnering for Cyber Resilience initiative has begun to develop a preliminary value-at-risk model for calculating the potential financial impact of digital disruption through a cyber attack. Among the challenges of developing such a model is that it is difficult to predict how often hackers will succeed and to calculate the potential collateral damage from an attack.
A deficit of awareness
Given the risks, it would be reasonable to expect that cyber risks would consistently rank among the biggest challenges facing companies and governments today. These human attacks and natural impacts to the cyber infrastructure highlight the need to expand the focus of cyber resilience beyond data protection to minimizing the disruptions of a “business blackout.” Today, a majority of functions, such as payroll, manufacturing lines, customer orders and supplier procurement, are all run electronically, magnifying the potential downtime for organizations.
And yet, Global Risks Report 2016, a report published by the World Economic Forum (WEF) in collaboration with Zurich Insurance Group and other leading institutions, reveals that global leaders are more focused on other issues. The report draws on a survey of the WEF’s membership, which asked leading executives from around the world to identify the five global risks which concerned them most from a list of 28 potential risks. While cyber risks ranked highly in many countries, including the United States, overall they were superseded by concerns over geopolitics and climate change. In fact, the risk of data theft or fraud ranked eighth in terms of likelihood, while there are surprisingly no technological risks in the top 10 risks measured by impact.
Research recently conducted by Advisen on behalf of Zurich also reveals that while there is growing awareness of the threats, businesses are still struggling to understand the risks associated with cyber security issues, the full scope of their exposures and how best to protect themselves and their customers.
Separately, John McAfee, the controversial software entrepreneur who developed the McAfee anti-virus program, recently observed that cyber security is not ranked among the U.S. government’s top ten concerns listed on the White House website.
To some extent, this apparent shortsightedness reflects an increasingly complex and interconnected global risk landscape. With so much happening in the world today, it is perhaps natural that people will focus on the most visible challenges.
Nevertheless, the attack in Ukraine reveals that cyber risks now extend well beyond national borders and the effects can cascade beyond the assets and infrastructure of any single business. An attack may not affect your company or your country directly, but it could ripple and severely impair your ability to continue operating.
Many observers believe that the Ukraine incident is not unrelated to growing political tensions. This reflects the increasing interconnectivity between cyber risks and other exposures, particularly geopolitical tensions and social risks highlighted in the Global Risks Report 2016. The report highlights widening inequality and rising nationalism that may contribute to the erosion of international cooperation to combat cybercrime.
Rising to the challenge
In a joint report published in April 2015, the ESADE business school and Zurich argued that weak global governance is putting businesses at risk. The report, “Risk Nexus - Global Cyber Governance: Preparing for New Business Risks,” calls for greater cooperation between governments and the creation of international institutions to mitigate global cyber risks. A key element of any such collaboration will be partnership between the public and private sectors to identify and respond to emerging cyber risks and collateral effects, such as disruptions to business and infrastructure or social unrest.
In the absence of such cooperation, businesses need to develop a far more holistic understanding of the digital risks to their business and become far more proactive in addressing their resilience challenges.