Cyber Risk Threats to Utilities and Manufacturers

Bookmark and Share Thousands of utility companies and manufacturing businesses across the United States rely on computers. Cyber attacks can disrupt service and severely inhibit business, though. Learn more about cyber risk threats to utilities and manufacturers and potential solutions.

Common Cyber Threats  

Almost seven in 10 utility companies around the world has experienced at least one security compromise in the past year. These compromises have disrupted operations and affected confidential information. However, less than 30 percent of companies place security as a priority.

According to the Manufacturers Alliance for Productivity and Innovation (MAPI), four in 10 manufacturing companies experienced a cyber incident this past year. Their losses exceeded $1 million. Additionally, less than 50 percent of manufacturing executives trust that their assets are safe from external threats.

While utility and manufacturing companies each face unique cyber risk threats, potential threats generally fall into several categories.  

  • Phishing/pharming
  • Abuse of information technology systems
  • Computer viruses or malware
  • Errors and/or omissions
  • Financial theft
  • Security breaches
  • Vulnerable critical infrastructure
  • Intellectual property theft (primarily manufacturing)
  • Targeted attacks on executives for access to company strategies or financial gain
The Effects of Cyber Risk Threats

The effects of cyber threats on utilities and manufacturing companies are astronomical and affect millions of people.

Imagine the devastation if a utility were infiltrated and held for ransom by hackers or if the customers' personal data was stolen. Natural gas, water, electric or sewer services could be compromised now and well into the future.

Likewise, manufacturing companies thrive on expensive, cutting-edge technology that assists them in automating production, developing intellectual property and connecting with their supply chains. If that technology is compromised by a cyber threat, the business could come to a standstill.

Protecting Utilities and Manufacturing

Both utility and manufacturing companies are responsible for implementing protective cybersecurity measures. However, implementing those measures can require services to be shut down for a time, and they're expensive.

Despite the inconvenience and cost, utilities and manufacturers and their customers, clients and supply chain benefit from several detection and prevention measures.

  • Employ a full-time cyber risk monitor.
  • Train and organize the IT and operational technology staff to work together to detect and secure data.
  • Partner with the supply chain, employees and customers to ensure they implement data security precautions.
  • Upgrade equipment regularly.
  • Secure all devices, including mobile devices.
  • Train all employees on cyber security protocols.
  • Plan for a breach and be prepared to recognize and neutralize threats quickly.
  • Be willing to disrupt service temporarily to perform system upgrades and other necessary security measures.
Cyber risk threats to utilities and manufacturers can have devastating effects on the economy and individual lives. Preparing for these threats limits disruption of services and protects utilities and manufacturers.

Cyber Risks are Real, Protect Your Business

Bookmark and Share The federal Internet Crime Complaint Center received more than 330,000 complaints in 2009, and more than a third of them ended up in the hands of law enforcement. The damages from those referred to the authorities totaled more than a half billion dollars. The Government Accountability Office estimated that cyber crime cost U.S. organizations $67.2 billion in 2005; that number has likely increased since then. With so much of business today done electronically, organizations of all types are highly vulnerable to theft and corruption of their data. It is important for them to identify their loss exposures, possible loss scenarios, and prepare for them. Some of the questions they should ask include:

What types of property are vulnerable?

The organization should consider property it owns, leases, or property of others it has in its custody. Some examples:
  • Money, both the organization’s own funds and those it holds as a fiduciary for someone else

  • Customer or member lists containing personally identifiable information, account numbers, cell phone numbers, and other non-public information

  • Personnel records

  • Medical insurance records

  • Bank account information

  • Confidential memos and spreadsheets

  • E-mail

  • Software stored on web servers
Different types of property will be susceptible to various threats, such as embezzlement, extortion, viruses, and theft.

What loss scenarios could occur?

The organization needs to prepare for events such as:
  • A fire destroys large portions of the computer network, including the servers. Operations cease until the servers can be replaced and reloaded with data.

  • A computer virus infects a workstation. The user of that computer unknowingly spreads it to everyone in his workgroup, crippling the department during one of the year’s peak periods.

  • The accounting department discovers a pattern of irregular small funds transfers to an account no one has ever heard of. The transfers, which have been occurring for almost three months, were small enough to avoid attracting attention. They total more than $10,000.

  • A vendor’s employee strikes up a casual conversation at a worker’s cubicle and stays long enough to memorize the worker’s computer password, written on a post-it note stuck to her monitor. Two weeks later, technology staff discovers that an offsite computer has accessed the human resources database and viewed Social Security numbers, driver’s license numbers, and other personal information.
In addition to taking steps to prevent these things from happening, the organization should consider buying a Cyber insurance policy. Several insurance companies now offer this coverage; although no standard policy exists yet, the policies share some common features. They usually cover property or data damage or destruction, data protection and recovery, loss of income when a business must suspend operations due to data loss, extra expenses necessary to maintain operations following a data event, data theft, and extortion.

However, each company might define these coverages differently, so reviewing the terms and conditions of a particular policy is crucial. Choosing an appropriate amount of insurance is difficult because there is no easy way to measure the exposure in advance.

Consultation with the organization’s technology department, insurance agent and insurance company might be helpful. Finally, all policies will carry a deductible; the organization should select a deductible level that it can afford to pay and that will provide it with a meaningful discount on the premium. Once management has a thorough understanding of the coverages various policies provide in relation to the organization’s exposures, it can fairly compare the costs of the policies and make an informed choice.

Computer networks are a necessary part of any organization’s environment today. Loss prevention and reduction techniques, coupled with sound insurance protection at a reasonable cost, will enable an organization to get through a cyber loss event.

What is U.S. Cybersecurity Emergency Response Team?

Bookmark and Share Malware, viruses and worms are only a few of the cybersecurity threats that affect your online security, privacy and personal information. Learn what is U.S. Cybersecurity Emergency Response Team (US-CERT), a tool that protects you every day.

History of the U.S. Cybersecurity Emergency Response Team

The US-CERT began in early 2000. The federal government noticed an increase in cyber breaches and began investigating ways to respond to these threats. Congress cooperated and created the Federal Computer Incident Response Center (FedCIRC).

In 2002, Congress transferred FedCIRC duties to the newly created Department of Homeland Security. The FedCIRC was renamed US-CERT in 2003, and its mission also expanded. The organization now coordinated and shared information and provided boundary protection for the government and cybersecurity leaders.

Over time, US-CERT developed into an authoritative source and trusted security partner for the federal government and international organizations. Private industries like banks and businesses use US-CERT resources, too.

What Does the U.S. Cybersecurity Emergency Response Team Do?

The U.S. Cybersecurity Emergency Response Team performs several critical mission activities. They:

  • Analyze data about emerging cyber threats.
  • Collaborate with foreign governments and international entities to improve the U.S.'s cybersecurity position.
  • Detect intruders and prevent cybersecurity attacks for civilian executive branches of the federal government.
  • Develop actionable tips, actions and information for a variety of agencies including international organizations, federal departments, critical infrastructure owners and operators and private industries.
  • Respond to emerging cyber threats and incidents.
How Does US-CERT Handle Potential Threats?

When the US-CERT receives a threat report from any source, including civilians, they act quickly. The team must assess the threat, determine its viability and take steps to stop it.

The department partners with several international and national organizations to ensure security of the infrastructure, systems and assets that are critical to United States security. These partners include federal agencies, international entities, research communities and private sector organizations.

Find Out About US-CERT Threats

Stay updated on potential and founded cybersecurity threats with several resources.  

  • Weekly Vulnerability Bulletins - summaries of new vulnerabilities and any available patch information
  • Technical Alerts - information about incidents, vulnerabilities and trends that pose significant risk and the actions taken to minimize information loss or service disruption
  • Current Activity entries - concise descriptions of any issues and associated actions that help consumers and other entities remain safe
  • Tips - details about issues US-CERT’s constituents may find valuable, helpful or interesting
  • NVD - data that manages standards-based vulnerability
What is U.S. Cybersecurity Emergency Response Team? In a nutshell, it's the organization that keeps you, your bank, businesses and the country safe from computer attacks that threaten our national security and your personal information. You can sleep peacefully at night because US-CERT does their job behind the scenes every day.

Risks for Remote Employees

Bookmark and Share Modern technology has made it easier than ever for employees to work from home and still remain connected to their place of employment. Using remote employment has actually become a popular trend over the last ten years, especially since selling to the global market has become such an important factor in a business being competitive. Many businesses have found that they can minimize their expenses and attract international customers with more attractive prices if they decrease their overhead by allowing workers to remotely commute.

Despite the many benefits of using remote employees, there are downsides. Many employers considering this trend wonder how they can ensure workplace safety when the employee's physical workplace is their own home. Another consideration is the degree of employer liability in remote employment.

Fortunately, OSHA has addressed some of the safety issues surrounding remote employment. According to OSHA guidelines, employers are required to maintain a safe workplace, even for employees working from their own home. OSHA will not require an employer to inspect a remote employee's home worksite, nor inspect it themselves.

However, OSHA may inspect the worksite of an employee that's performing an at-home job on behalf of their employer if it possibly involves health or safety hazards and there's a complaint. A record of all occupational illnesses and injuries must be kept on all at-home workers if an employer is subject to OSHA record keeping requirements. Keeping in mind that OSHA compliance measures shouldn't involve controlling the home worksite of employees, employers might need to take some additional practical measures to ensure OSHA compliance.

As far as safety compliance goes, the absence of immediate supervision for remote workers is one of the main problems employers face. Experienced, highly-trained, long-term employers are generally the worst offenders when it comes to taking safety risks. This group of employees often become complacent due to the fact they're so accustomed and comfortable with their job, feel they're familiar with the job's hazards, and might have escaped disciplinary action when ignoring safety procedures or taking shortcuts in the past.

One of the best ways that employers can counteract the above dangerous attitude toward safety is by using a holistic approach to safety. Employers should focus and place great importance on each individual employee actively participating in the safety process and taking responsibility for their own safety. Whether at home, on the road, or at a remote jobsite, remote employees need to be ready, willing, and able to take the appropriate actions to protect themselves in any given situation.

Employers will need employee support to make any approach to safety successful, which means that employers must have total employee involvement in the safety process. Involve your remote employees in the process of determining what's needed to prevent injury to themselves and others during remote location work. Most employers find that the experience and firsthand knowledge of their employees is actually very advantageous in creating safe remote worksites.

Remember, employees that understand the value of safety are more likely to be motivated and willing participants. They're also more apt to embrace safety behaviors for the longevity of their employment. Employers can reinforce their employee's positive attitude about safety by having electronic or person-to-person safety counseling in place and ensuring safety managers are encouraging safety participation.