Cybersecurity and ICS Ransomware
By Charles Parker, II
Ransomware can be directed at any company. For attackers, the bigger the company, the better: more targets, more accessibility, and more vulnerable points. The subject company may manufacture industrial control systems (ICS), physical security systems, and facility-related tech.
Another successful ransomware attack took place in September 2023. This was recently reported in the company’s quarterly filing with the SEC. The company spent $23M on this issue. This massive amount was for the response, and it also included the remediation. That’s not all. The company reported $4M in lost and deferred revenues attributed directly to the attack. The issue was the result of unauthorized access. The bad actors were then able to exfiltrate data and deploy the infamous ransomware. Fortunately, the ransomware was deployed only to a section of the company’s IT infrastructure.
This is an example of the perils of third-party/supply chain access. Not enough information has been gathered to quantify a holistic view of the issue. There have been efforts to improve security, with more companies asking for ISO 27001 certificates and SOC 2 reports and asking vendors to complete cybersecurity questionnaires. However, requesting is different from requiring. Too often the vendors passively refuse to honor the requests. This will continue to be an issue and a vulnerable point until more safeguards are put in place.