We're unaware if last month's WannaCry ransomware affected any food or beverage companies. But WannaCry wannabes and other industrial malware are out there, actively infiltrating processes in other industries. Oil & gas, power and pharmaceutical industries have been favorite targets, according to Eric Byres, a longtime cyber security expert who now runs the bespoke consulting business ICS Secure (www.ics-secure.com).
"The food and beverage industry has been fortunate, but as a result is further back on the learning curve – which means food & beverage is less secure than those other industries," he says. But the industry needs to catch up fast: according to IBM Managed Security Services data, attacks targeting industrial control systems (ICS) increased 110 percent in 2016 over the previous year’s numbers.
A food plant blowing up would not be as catastrophic for the surrounding area as a chemical plant exploding, nor would the resulting shortage of Twinkies create the havoc that the loss of power to a major city would. But tainted Twinkies, not detected until they were being consumed all across the country, certainly would qualify as terror.
Does your business purchase cyber or data breach insurance coverage? If so, would it cover you in such events? Maybe, but given what's transpired, it's worth checking into. "Cyber insurance coverage hasn't matured or become standardized yet, so what's covered in one policy may not be covered in another," warns Dan Zastava, director of product development at Sentry Insurance (www.sentry.com).
Most cyber or data breach policies will cover typical data breaches, such as the theft of employee or customer information (credit card numbers, Social Security numbers), he says. That usually means reimbursement for the cost of notifying customers (by email or mail) and perhaps even credit monitoring services. But Zastava points out three things that may not be covered that companies may want to ask for in shopping for cyber coverage:
- Business interruption – If a security breach halts your production for a period of time, this coverage will compensate for your loss of income.
- Cloud-based coverage – While many policies will cover data breached in your own company's servers, not all cover problems with third-party servers, especially when data is stored in the cloud.
- Cyber extortion – This comes to mind as a result of last month's WannaCry ransomware. Generally, ransomware requires a payment to be made in bitcoins, in order to obtain a decryption key that will (hopefully) unlock your computer system and data. Coverage can be purchased to reimburse such a payment, and is typically subject to preapproval.
"Sometimes it may seem like the advantages of being online are outweighed by the threats, but being prepared with the right coverage will help make it easier to recover if you are targeted," says Zastava.
Byres, along with John Cusimano of aeSolutions, offers a seven-step process that will not make you impervious to cyber attacks, but will start you on the right path:
- Assess Existing Systems – Determine the risks that an attack on your control and computer systems poses to your business. Rank these risks so you can prioritize spending.
- Document Policies and Procedures – Once you have an understanding of the risks facing your systems, start creating policies and procedures to mitigate those risks. Start with preventing what will hurt your company the most.
- Train Personnel and Contractors – Make employees, suppliers and contractors aware of your policies and procedures starting with an awareness program and then formal training.
- Segment the Control System Network – This is arguably the most important tactical step. Partition your computer and control systems into distinct security zones and implement layers of protection to isolate the most critical parts of your process.
- Manage Access to the System – Once you've partitioned your systems, the next step is to control access to the assets within those zones. Create both physical and logical access controls.
- Manage the Components – Deploy software tools that allow you to efficiently keep all your equipment backed up, patched and monitored. Where possible, this should include updating antivirus and white-listing tools. Companies used to focus only on their Windows computers, but with the new malware, continuous management is essential for anything that has an IP address.
- Monitor and Maintain System Security – Remain vigilant by monitoring and maintaining security throughout the life of your system. Install software that will warn you of suspicious activity.
"Effective security for industrial control systems is not a one-time project," Byres sums up. "It is an ongoing, iterative process. You will need to repeat the seven steps and update procedures as systems, people, business objectives and threats change.
"The reward for your effort will be maximum protection against process disruption, safety incidents and business losses from today’s cyber criminals."