A recent report by FireEye’s Mandiant looked at attacks on operational technology (OT) control processes. Such attacks were once viewed as complex because of the access they required, but there are now many more internet-facing endpoints, offering a wider attack surface.
Mandiant noted that attackers are not necessarily sophisticated, nor do they know what they are targeting. Graphical user interfaces have been accessed allowing attackers to modify variables without understanding the process being controlled.
The recent attack on Colonial Pipeline, which disrupted supply lines and caused fuel shortages, is just one of a number of attacks against critical infrastructure networks.
Last year, in joint work, the NCSC released information for Critical National Infrastructure (CNI) organisations on the effective use of the Security design principles, and CISA, in the US, issued a summary of best practices for the security of Industrial Control Systems (ICS).
Cyber insurance adoption and premiums on the rise
The US Government Accountability Office reviewed the current cyber insurance market. Their report found:
- Global take-up of cyber insurance rose from 26% to 47% between 2016 and 2020
- Increased demand for insurance has coincided with more frequent cyber attacks
- The cost of insurance premiums has risen (typically 10%-30% in late 2020)
- Insurers are changing the cover they provide depending on perceived risk in some sectors
- Specific policies covering cyber risk are being introduced rather than cover being packaged with other business insurance
- There is a lack of common definitions for terms used within cyber insurance, and of historical data on which to base and compare policy prices
- Businesses have limited understanding of what protection is offered by their insurance policies
The NCSC has produced guidance for businesses on what to consider when buying cyber insurance. The cyber security toolkit for boards and the recently revised 10 steps to cyber security will also be of use to businesses wanting to make cyber security a priority.