Cyber-attacks are costing companies worldwide an estimated $300-400 billion each year in unanticipated downtime and that number is projected to increase sharply, according to a senior executive of Schneider Electric.
"Some large industrial organizations estimate their cost of downtime in the millions of dollars per hour. When a plant shuts down unexpectedly, it takes 3 to 4 days to get everything started up again. These are sobering business continuity-related lost revenue numbers," said Philippe Carle, director of oil and gas and utilities – IT division, Schneider Electric.
"The more connected nature of oil & gas operations, driven in large part by the Industrial Internet of Things (IIoT) and related digitalization trends, although beneficial to bottom lines, introduces an element of cyber-risk that should be addressed. In fact, inaction is not an option. Cybersecurity is now a cost of doing business. The question is, what is the optimal approach?"
When considering the issue of cybersecurity and its impact on business continuity, Carle said several types of threats come into play.
The first is the exposure of employees to outside emails. Over 400 businesses every day are exposed to email “spear-phishing” schemes, which have drained three billion dollars from businesses over the last three years, he said, adding that the proportion of emails that contain potentially business-disrupting malware today stands at one in 131, the highest rate in five years.
A second issue involves attacks by organized groups on critical infrastructure. Oil & gas facilities are increasingly considered critical national infrastructure. As such, they are targeted not only by malevolent individuals but also by organizations that use cyberattacks as weapons to weaken nation states and other global institutions.
A third element to consider when formulating a cybersecurity strategy is the proliferation of mobile devices.
Carle said cell phones, tablets, laptops and thumb drives in the hands of practically every oil & gas industry employee worldwide create a need for the development of more modern and robust security policies.
The added connectivity of these devices makes it easy for outsiders who guess or steal passwords to penetrate the control environment, he added.
Oil & gas companies can take the steps below to minimize the threat of cyberattack-driven disruptions to business continuity:
The first step involves building firewalls to keep outsiders from entering the corporate network and gaining access to control systems. This will work in environments where entry points into the system are somewhat limited. However, in an IIoT world, cybersecurity will need to be built into every control system hardware and software component, protecting every node that has computing capability.
The second step requires a gradual approach to strengthening cybersecurity infrastructure. Responsible control systems manufacturers are now designing cybersecurity into every module they build and deliver so that clients don’t have to concern themselves with building in cybersecurity after they purchase a new product.
The third step includes the education of employees. A cybersecurity-aware culture needs to be developed within oil & gas organizations to help employees understand or appreciate the key risks, so that operations can be run in a secure manner (including basic password management or changeover management).