Organizations reliant on cyber-physical systems for their business face significant financial and business impacts in the event of a cyberattack disrupting these crucial, connected systems. Impactful cyberattacks are costing some companies a half-million dollars or more, not only in lost revenue, but also in recovery costs, and tangential costs such as employee overtime that would need to be paid out.
“These intangible, subtle, yet very concerning areas are the ones that need to be surfaced and thought about in terms of total cost of ownership and how you invest in cyber-physical systems protection programs to avoid these types of incidents so that you don’t spend as much on the response and recovery phases,” Geyer said during this episode of the Nexus Podcast.
Geyer recaps and provides important context to the results of a Claroty survey looking at the impact of business disruptions resulting from cyberattacks on cyber-physical systems. The survey queried 1,100 cybersecurity leaders and practitioners globally on questions about the disruptive impact of attacks on operational technology, connected medical devices and systems, building automation systems, and the internet of things.
A number of noteworthy trends came out of the results, starting with steep financial losses associated with attacks impacting CPS, including 45% reporting a financial impact of $500,000 USD or more and 27% of more than $1 million in losses. Part of the recovery costs that make up part of that financial impact includes ransomware payments. More than half of respondents said they met ransom demands of $500,000 or more, with that percentage jumping to 78% in healthcare delivery organizations.
As for operational impacts, 49% of respondents said their organizations experienced 12 hours or more of downtime, and about half (49%) said the recovery process took a week or more and nearly a third (29%) said recovery took over a month.
Victimized organizations also noted the insecurity of third-party connections and the connectivity required for partners, suppliers, and vendors as an avenue exposing them to breaches. 82% of respondents said at least one cyber attack in the past 12 months originated from third-party supplier access to the CPS environment.
“In many cases when the supplier has access—unless it’s done in specific ways where individual users are granted access to specific assets—you’re opening up their entire environment to your environment,” Geyer said. “Anyone with access has free reign into the environment, or if an attacker gets in, you are assuming their problem. I think that’s core to the challenge.”
Third-party access without the capability to log and record sessions, or auditing and oversight, Geyer notes, is one of the biggest risks and it becomes materialized and operationalized without a means of effectively controlling it.
The results, however, were not all gloom and doom. Many expressed growing confidence in their organization’s risk reduction efforts and resilience strategies. This indicates a growing maturity around the defense of CPS environments; most respondents (56%) said they have greater confidence in the ability of their organization’s CPS to withstand cyber attacks today versus 12 months ago.
For example, with regard to third-party breaches, victims were able to leverage these incidents to establish stringent security protocols with the third party or renegotiate pricing in some cases.
Organizations were also optimistic that their risk-reduction efforts were better than 12 months ago, and pointed toward a resilience-based approach to deploying technology and enforcing policies that better helped them withstand attacks.
“If I go back four years ago, people really didn’t understand the problem space,” Geyer said. “The fact that operators are now seeing this as trending in the right direction, it’s suggestive that even though these projects take time to operationalize and the actual risk mitigated, it shows that actual progress is being made.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
