As the frequency and complexity of cyber attacks continue to escalate, industrial companies that rely on automated control and production systems — whether Internet- or software-based — face significantly greater risk of being attacked by hackers.

The Repository of Industrial Security Incidents reports that, globally, power and utilities; petroleum; transportation; water and waste management; food and beverage; chemical; electronic; and general manufacturing companies are among the industries most frequently attacked by cyber criminals, with consequences ranging from merely a nuisance to catastrophic.

Largely because of the difficulty in safeguarding technical information and resources on factory floors — and the relentless efforts on the part of competitors and nation states to engage in corporate espionage — experts foresee cyber threats against major industrial companies continuing to escalate in 2016 and beyond.

Hands-of-people-using-computer-mice-in-Internet-cafe-crop-738-415-AP_211758600897-Kin Cheung

(Photo: Kin Cheung/AP Photo)

Social engineering attacks: Costly and often uncovered

In fact, the National Association of Manufacturers estimates that unfair competition because of stolen software caused U.S. manufacturers nearly $240 billion in losses and 42,220 jobs between 2002 and 2012.

Although cyber criminals are using more sophisticated attack vectors, social engineering techniques or old-fashioned trickery remain the favorite means to gain access to corporate networks and control systems. From these access points criminals are able to steal proprietary data, and disclose or extort trade data, as well as potentially disrupt supply chains and other critical production processes.

Consequently, cyber experts are finding that the financial impact of social engineering attacks extend beyond expenses tied to the initial compromise or fraud. A social engineering attack could easily lead to an expensive business interruption event, disrupt a merger or acquisition, inhibit operations, and cause untold reputational harm — losses that may or may not be addressed in a standard Cyber insurance policy.

In other words, although the initial social engineering attack seeking a fraudulent payment could result in losses in the low six-figure range (the average amount of a social engineering loss), this amount can quickly balloon to several million dollars, depending on other related loss events.

Here are the four most significant cyber events facing industrial companies:

Robot-assembly-line-Ford-truck-plant-Claycomo-MO-crop-AP_95957759685-Charlie Riedel

(Photo: Charlie Riedel/AP Photo)

1. Business interruption

For industrial companies, the most financially devastating cyber attack is one that causes normal operations or the supply chain to shut down.

Indeed, surveys show business interruption losses often are larger than property claims. In a survey of more than 500 risk managers across 47 countries, Allianz Global Corporate & Specialty found that business interruption was the No. 1 peril. The study found that the average business interruption claim at $1.36 million is 32% higher than the average property damage claim at $1.03 million.

Take the case of a global auto parts maker whose corporate network is infiltrated by an advanced malware given the sophisticated nature of such an enterprise, it may take days, if not weeks, to get compromised networks and machinery back online. The cost for a manufacturer in this predicament can be astronomical — tens of millions of dollars depending on the production network attacked.

Iron-and-steel-plant-workshop-crop-ThinkstockPhotos-459919799-diaojianqing

(Photo: Thinkstock)

2. Physical damage and bodily injury

In a growing number of cases, a cyber attack against a manufacturer could cause physical damage or even bodily injury.

This happened in Germany in December 2014, when a malicious actor infiltrated a German steel facility, using a spear-phishing email to gain access to the corporate network and then moved into the production network gaining control of plant equipment. The attacker crippled multiple components, causing massive physical property damage (more than $50 million) as a result of the cyber attack on furnace controls.

This is just one example; however, there are more attacks on the horizon that present the risk of bodily injury and property damage (BI/PD) to manufacturers. The Cyber market offers limited solutions for this risk, and a knowledgeable, Cyber expert broker is a must for securing cyber BI/PD specifically for manufacturers.

Digital-abstract-background-with-Bitcoin-symbol-crop-738x415-ThinkstockPhotos-509805849-lolloj

(Photo: Thinkstock)

3. Cyber extortion risk

Cyber extortion, which involves a demand for money to avoid or stop a cyber attack or release of customer information, is rapidly spreading. In 2015, companies paid out millions of dollars to cybercriminals for the safe recovery of stolen or encrypted data. Organizations that have fallen victim to cyber extortion include Domino's, Nokia, Code Spaces and several police departments across the country.

In March 2015, hackers reportedly used ransomware to hijack a New Jersey organization's computer system, and demanded 500 Bitcoins (approximately $123,000) to restore the network to normal.

sony-cyber-breach-crop-262x170

(AP Pnoto)

4. Cyber terrorism

The destructive and sophisticated cyber attack against Sony Pictures, an event U.S. intelligence officials concluded was orchestrated by North Korea, makes a compelling case as to why all companies need to take cyber terrorism more seriously.

Since the hacking incident began in November 2014, the FBI has issued a bulletin cautioning a wide range of companies to be on the lookout for the same type of malicious software used against Sony. The warning is a wake-up call for small-to-midsize manufacturers with underdeveloped and underfunded IT security infrastructure.

Man-leading-business-seminar-with-diverse-audience-crop-ThinkstockPhotos-483661437-Ridofranz

(Photo: Thinkstock)

Educate your manufacturing clients

Many manufacturers, particularly small to medium-size entities, lack a basic understanding of the risks and potential impacts of a cyber breach. This is a major barrier to adopting robust cybersecurity risk management strategy, including insurance coverage. Also, too often, senior executives embrace a false narrative that their firms are not a target of cyber criminals or that they don't retain the sort of personal information (for example, credit cards) that hackers are interested in.

The truth is the thriving black market for confidential private information makes no distinction between data stolen from large corporations versus smaller ones. And, in fact, the fallout of a breach is more likely to put a smaller manufacturer out of business than a larger entity.

Partnering with an insurance broker with deep expertise in Cyber risk and privacy management is essential to a manufacturer's ability to protect its products, processes, facilities and customers, and is critical for their continued success.

Paul King is USI's senior vice president and cyber leader based in USI's Dallas office. Contact Paul at paul.king@usi.biz or 214-443-3107. Visit www.usi.biz for more information.

Check us out on Facebook and give us a Like.

________________

How can you transform your risk management preparedness and response strategy into a competitive advantage?

Introducing ALM's cyberSecure — A two-day event designed to provide the insights and connections necessary to implement a preparedness and response strategy that changes the conversation from financial risk to competitive advantage. Learn more about how this inaugural event can help you reduce risk and add business value.

NOT FOR REPRINT

© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.