Industrial Cyber Security Shakedown

Digital transformation products (IoT platforms, predictive analytics, etc) are still largely considered a “nice to have” for industrial operators. Now don’t get me wrong, I’m a believer in the value of these technologies, and industrials that have not yet fully bought into digital transformation are going to have problems staying relevant – but by and large most industrials are not buying & deploying these things at scale.

That said, there is one solution set in this realm that has moved into the “need to have” category: cyber security tools for industrial control systems, SCADA, and OT environments. This is now a board-level topic, and most of the world’s industrial operators are either rolling out solutions globally or working hard right now to determine the best approach (time is critical here).

If a company loses access to email or a website, it’s annoying. If a company loses control over its factories or power plants or pipelines, it creates an existential crisis with potentially massive reputational & operational impact. As you’d expect, a bunch of startups have popped up to solve this problem, and exits are underway (notably Security Matters, Sentryo, and as of just a couple weeks ago, Indegy).

There are several other strong companies out there – the leaderboard includes a company we’ve worked closely with for years, Nozomi Networks, and then a handful of others (Claroty, CyberX, and Dragos). Traditional IT security vendors are creeping into the space (like Darktrace, for example). And of course the SCADA system vendors are all trying to pitch something or other, but nobody seems to be impressed with what Honeywell, Siemens, ABB, etc are pitching to protect their systems.

On an hourly basis, the threats continue to evolve, and we’ll certainly see more high-profile attacks in the coming years. Let’s take a look at history’s best (or worst) industrial cyber attacks…

Stuxnet is a pioneering example in the space. Roughly a decade ago, Stuxnet wormed its way into Iranian facilities that produced uranium for nuclear weapons – a key part of this nuclear production process is using centrifuges to enrich the uranium. Stuxnet initially targeted the programmable logic controllers (PLCs), specifically machines with Microsoft Windows operating systems that were running a certain Siemens controller software. Stuxnet then proceeded to force the centrifuges to spin so fast that they basically tore themselves apart, ruining a substantial fraction of these incredibly complex and expensive machines, with a costly impact on Iran’s nuclear program. Nobody has ever claimed responsibility, but the worm is generally believed to be a joint effort between the Americans and Israelis.

WannaCry is an attack that industrial cyber security vendors talk about when trying to scare customers into issuing purchase orders. WannaCry is a ransomware cryptoworm that targets Windows OS, encrypting data and then demanding ransom payments in Bitcoin. WannaCry hit the scene in May 2017, and although Microsoft had released patches for the vulnerability, many operators had either not applied these patches or were using unpatchable end-of-life systems. The ransomware compromised industrial Windows machines around the world, including the likes of Boeing, Honda, Petrobras, Renault, Telefonica, and many more. I still personally hear about operators finding WannaCry on machines today (in December 2019).

Petya is semantically confusing because the actual attack that devastated industrial systems in 2017 ended up being referred to as “NotPetya” in order to distinguish them from prior Petya attacks. We’ll focus on NotPetya in this article, since that one had a more significant impact on industrial systems. Using a similar exploit as WannaCry (EternalBlue), in June 2017 this ransomware predominantly targeted Ukrainian businesses, with an estimated 80% of infections occurring in Ukraine. The small payload was distributed through an accounting software update. Although NotPetya seemed to be ransomware and indeed prompted the victim for a Bitcoin payment, NotPetya in fact encrypted the data beyond repair, destroying the boot sector and effectively wiping any infected system. NotPetya escaped to countries outside of Ukraine due to a small (but not insignificant) amount of businesses outside of Ukraine using the accounting software.

Businesses outside of Ukraine were damaged by NotPetya: this WIRED article tags Reckitt Benckiser with $129M in damages, Mondelēz with $188M, Maersk with $300M, Saint-Gobain with $384M, and FedEx with $400M. Merck was famously devastated by the attack, with The Philadelphia Inquirer reporting $1.3B in damages, and with especially disastrous consequences for Merck’s manufacturing operations: “NotPetya so crippled Merck’s production facilities that it couldn’t meet demand that year for Gardasil 9, the leading vaccine against the human papillomavirus, or HPV, which can cause cervical cancer. Merck had to borrow 1.8 million doses — the entire U.S. emergency supply — from the Pediatric National Stockpile. It took Merck 18 months to replenish the cache, valued at $240 million.”

Stuxnet, WannaCry, and NotPetya are three of the most prevalent, but there are plenty of other fun ones out there. LockerGoga almost exclusively targeted industrial computers, and Norsk Hydro had to switch to manual operation or completely shut down numerous production lines, costing the firm at least $50M. Triton is quite terrible because it specifically disables safety systems in industrial environments, which can lead to catastrophic outcomes like explosions or the release of toxic chemicals. GreyEnergy, Sharpshooter, MuddyWater, Cloud Hopper, and Shamoon v.3 have all have ruined a lot of nights and weekends in recent months/years. And it’s only going to get worse!

If you’re looking for a promising area to invest, the industrial cyber security vendors will certainly see quicker growth and more fruitful exits than the generic Industrial IoT and Industry 4.0 solutions on the market. These industrial cyber companies are solving a real problem that is getting attention from boards and C-suites, with large budgets to boot. Nearly every industrial operator in the world will buy (or develop) and roll out one of these products in the next few years – and the ones that don’t are in big, big trouble.