07/01/2022 | Digital Innovation

The Risk Factor

Transforming programmes can pose unexpected data risks for the chemical and processing industry – but Russ Kennedy suggests there are several steps manufacturers can take to minimise the risks.

Ambitious digitisation, transformation and cloud migration programmes could be causing security and operational risks, long before the chemical and processing industry actually realises the intended efficiency and productivity gains. The successive phases involved in digital transformation and cloud migration programmes – such as assessing outdated data infrastructures and business processes and then re-engineering and automating them – could be exposing manufacturers’ and processors’ data and technology stacks to ransomware attacks, data loss or duplication as data migrations and process improvements go into extended production and testing.
Recent research highlights growing concerns among manufacturers over their data and technology stacks’ integrity. More than half of them in the 2021 Global State of Manufacturing Report said digitisation programmes were now increasing security risks. A UK government report estimated that cyber-attacks cost the chemicals sector £1.3 billion a year. Senior executives from many sectors now understand that extended supply chains involving SME partners are a potential security risk – World Economic Forum 2022 data says that nearly nine in ten organisations are worried about their partners’ cyber resilience.
Ransomware gangs appear to be more sophisticated in their targeting of business-critical data and abusing it. In 2020, researchers at security company Unit 4 found more examples of ransomware gangs publishing stolen data from manufacturers on “leak sites” than any other sector. Research this year also indicates that one in seven ransomware attacks target operational technology data from process monitoring systems, potentially exposing manufacturers to future cyber attacks or undermining the efforts to optimise their increasingly-connected IT and OT data.
With cyber attacks growing and cases of accidental leakage of company data by employees increasing, it is understandable that many companies have been too embarrassed to report that they’ve fallen victim to criminal exploits or that missteps by their employees have inadvertently led to serious breaches.
But bosses’ previous reluctance to investigate the full impacts of malicious attacks or accidental data loss on their organisation may be changing for several reasons. Firstly, while many have moved business-critical applications into the Cloud, others still haven’t got to grips with what a full Cloud storage strategy demands. CIOs need to determine whether cloud storage is needed for file data, file collaboration across multiple sites, or archiving file data that is less frequently used. IT teams also need to consider how they support their existing file infrastructures, including NAS and file servers, as well as the high likelihood of new supply chain, remote access, backup, security and disaster recovery needs in a rapidly-changing global economy.
Industries such as manufacturing are also grasping that, amid rampant cyber-criminality, traditional approaches to disaster recovery may need a rethink. Many organisations fail to deal quickly with data leaks because they depend on their ‘on-premise’ IT set-ups featuring the duplication of file systems and data centres. Many companies’ backup systems are also at risk of failure because they still use software to copy their data to secondary network-attached storage (NAS), or in some cases, to tape. Even firms using newer Cloud-based technology still rely on copying data from their primary storage. Executives are realising that ransomware attacks can cause lengthier and more costly recovery periods than they previously realised.
Security company Sophos’ State of Ransomware report 2021 found that the ransom demand itself is only the start of a whole cycle of multiple business costs. They include: business downtime, device and network repairs, missed business opportunities, as well as the ransom and any subsequent demands such as secondary ransoms over encrypted data or even that of its customers. Some attacks have disrupted companies’ core business processes run by outsourcers, as in the current Pfizer case. Sophos calculated that each ransomware attack in 2021 cost $1.85m, more than double the 2020 figure of $761,000.
While the ransomware attack on the Colonial Pipeline oil pipeline network and the company paying the ransom grabbed global headlines in 2021, incidents in the same year show the dangers for European chemical and pharma markets: Swiss pharmaceutical manufacturer Siegfried, Brenntag and Symrise temporarily halted manufacturing operations while the damage from an attack was assessed. German oil processor Oil Tanking Group faced disruption to operations after a ransomware incident blighted its IT systems and affected its operational data. After an attack in January this year, food manufacturer KP Snacks had anticipated losing two months of restricted trading.
With the relentless scale and growth of these new incidents, cyber insurance premiums are already starting to increase rapidly. High-profile commercial organisations across Europe are now known to have taken months to recover from cyber-attacks, so manufacturers know that passively accepting such incursions without rethinking their own disaster recovery planning could spell financial ruin for their organisation.
Organisations and their supply chains are now realising that they can achieve better cyber security hygiene and fewer data losses from the ever-present problem of staff error or data handling missteps if they put more resources into regular employee training and education and best security practice.

Changing times mean new priorities

Digitisation and cloud migration programmes have now become inevitable requirements for manufacturing and processing companies that had to rethink their working models and supply chains during Covid, writes Russ Kennedy. And they are now having to carry out a similar exercise as a European energy supply crisis looms. But industry research and experience have alerted senior executives like never before to the need for their organisations to risk-assess their process modernisation, digitisation and cloud migration, so that they achieve their intended efficiency and productivity benefits without exposing their organisation and its supply chain to even greater risks.


Russ Kennedy

Chief Product Officer at Nasuni, the US-based Cloud storage company
