by Enrico Netti 29 January 2018
Damage amounting to some 20 million euros. This is the bill faced by a medium-sized manufacturing company with 120 million in revenue that falls victim to a ransomware attack or other destructive malware that brings every activity to a halt. An unlikely case? Absolutely not. In June 2017 the Petya ransomware (the variant later known as NotPetya) struck multinationals and critical infrastructure around the world. Malware written to target the Internet of Things and Industry 4.0 systems is discovered continually. These are threats not to be underestimated, as world leaders reiterated at the World Economic Forum in Davos last week.
How long does it take to restart a smart factory brought to its knees by malware? At what cost? How many weeks pass before production returns to full capacity? What are the consequences for the company? To answer these questions, Il Sole 24 Ore simulated the case of a medium-sized company with a turnover of 120 million that operates within a supply chain and produces mechanical components which, under a scheduled-order model, are supplied to a number of large companies that assemble them into their products.
One day a ransom demand appears on the company's computer screens, and the data turns out to be encrypted. Thus begins the shutdown of every activity, from administration to the warehouse.
"Access to production networks from the outside, via corporate or 'office' networks, in the case of SMEs, is a certainty," is the premise of Raoul Brenna, head of the Information Security & Infrastructures Practice at Cefriel, a company in which universities, businesses and public administrations participate and which carries out digital innovation and training projects. "Often there are 'supply chain attacks', which exploit privileged access granted to suppliers or customers to overcome the external defensive perimeter. Hence the imperfect isolation of production networks allows hackers to transit to CNC machines and Industry 4.0 environments." The ransomware attack is reported to the Postal Police, but for the moment it is hard to say when the systems will be restored. According to the cyber security experts consulted by Il Sole 24 Ore, the blackout can last from 7 days to several weeks. In one case, Cefriel reports, it took as long as six months to eradicate the malware.
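The "imperfect isolation" Brenna describes can be checked rather than assumed. The script below is an added example, not code from the article or from Cefriel: it audits a firewall ruleset for paths that let office or supplier-VPN addresses reach the production (OT) network anywhere other than a single jump host on an administrative port. The address plan, the jump host and both rulesets are hypothetical, constructed for the example.

```python
# Added example (not from the article or Cefriel): audit a firewall ruleset for
# paths from office or supplier networks into the production (OT) network.
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan for the simulated company (assumed, not from the article).
OFFICE_NET   = ipaddress.ip_network("10.10.0.0/16")     # corporate / office LAN
SUPPLIER_VPN = ipaddress.ip_network("172.16.50.0/24")   # supplier remote-access pool
OT_NET       = ipaddress.ip_network("10.200.0.0/16")    # production: CNC, PLCs, sensors
JUMP_HOST    = ipaddress.ip_network("10.200.0.10/32")   # the only permitted entry into OT
JUMP_PORTS   = {"22", "3389"}                           # ssh / rdp to the jump host only

# Supplier access is treated exactly like office access: both sit outside OT.
UNTRUSTED_ZONES = (OFFICE_NET, SUPPLIER_VPN)


@dataclass(frozen=True)
class Rule:
    src: str      # source prefix
    dst: str      # destination prefix
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port, "*" for any
    action: str   # "allow" or "deny"


def transit_paths(rules):
    """Return (rule, reason) for every allow rule that lets an office or supplier
    address reach OT other than through the jump host on an admin port."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if not dst.overlaps(OT_NET):
            continue                                   # does not touch production
        if not any(src.overlaps(z) for z in UNTRUSTED_ZONES):
            continue                                   # source is not office/supplier
        if not dst.subnet_of(JUMP_HOST):
            findings.append((r, "direct path from %s into OT %s" % (src, dst)))
        elif r.proto != "tcp" or r.port not in JUMP_PORTS:
            findings.append((r, "jump host reachable on non-admin %s/%s" % (r.proto, r.port)))
        elif not any(src.subnet_of(z) for z in UNTRUSTED_ZONES):
            # e.g. 0.0.0.0/0: wider than any single zone we know about
            findings.append((r, "jump host source %s wider than one zone" % src))
    return findings


# Constructed "weak" ruleset: the situation the article describes.
WEAK_RULES = [
    Rule("10.10.0.0/16",   "10.200.0.0/16",  "any", "*",    "allow"),  # office -> all of OT
    Rule("172.16.50.0/24", "10.200.5.0/24",  "tcp", "*",    "allow"),  # supplier -> CNC subnet
    Rule("0.0.0.0/0",      "10.200.0.10/32", "tcp", "3389", "allow"),  # anyone -> jump host RDP
]

# Constructed hardened ruleset: jump host only, per zone, explicit deny for the rest.
HARDENED_RULES = [
    Rule("172.16.50.0/24", "10.200.0.10/32", "tcp", "22",   "allow"),
    Rule("10.10.0.0/16",   "10.200.0.10/32", "tcp", "3389", "allow"),
    Rule("10.10.0.0/16",   "10.200.0.0/16",  "any", "*",    "deny"),
    Rule("172.16.50.0/24", "10.200.0.0/16",  "any", "*",    "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "ruleset:", len(transit_paths(rules)), "transit path(s)")
        for rule, reason in transit_paths(rules):
            print("  ", rule, "->", reason)
```

The check only looks at allow rules and ignores rule ordering, so a deny placed above an allow is not credited as shadowing it; on a real firewall you would feed in the exported ruleset in effective order. The point the audit makes is the one in the quote: the supplier VPN pool is held to the same standard as the office LAN, and the only acceptable path into production is one hardened host on a named administrative port.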
The first step is to evict the attacker; only then can the platforms and systems of the smart factory be restored: the Internet of Things platforms and the thousands of sensors in the machinery. The same applies to the numerically controlled (CNC) machine tools, not forgetting the back office (the administrative side, with customer and supplier accounting) and finally the research and development department. Here data theft is very likely, because the attackers are after patents and designs. "In May, with the entry into force of the General Data Protection Regulation, companies that fail to report data leakage will be sanctioned with a fine of up to 4% of turnover or up to 20 million," recalls Simonetta Candela, partner at Clifford Chance. "In this context, it is likely that insurance policies for cybersecurity risk management will become more widespread."
As far as personnel is concerned, there are different ways forward, depending on the company. For clerical staff or production workers, for example, state-funded furlough schemes (ammortizzatori sociali) can be used during the shutdown, or overtime can be used to shorten the restart. The same applies to the office staff who have to reconstruct and verify the accounting records.
The company notifies its customers and suppliers of the production stoppage and engages a firm specialised in crisis management: a cost of EUR 1,500 per day.
Customers and suppliers can open a legal front of non-performance disputes and claims for damages. "In the case of a settlement it is prudent to set aside 30-35 thousand euros," warns Marco Torsello, partner at Arblit, "while if you go to court you can reach 80-150 thousand." This adds up to an extremely hefty bill that is perhaps partly avoidable if the company's defensive perimeter is up to date. "Among entrepreneurs, sensitivity to cyber security is very low: over half say they are concerned, but only 30% invest in managing and combating it," explains Luca Boselli, KPMG partner and head of cyber security services.
In industry the topic is becoming crucial: tomorrow the Industrial Cyber Security Forum will be held in Milan, where the defence of companies that have embarked on a digital transformation path will be discussed.