Cyber attacks on the private sector and governments are growing year on year. Research firm Cybersecurity Ventures estimates that damage caused by cyber crime is expected to cost the world $8tn this year, up from $3tn in 2015. 

At the heart of this increase is growing digitisation. As more governments, companies and individuals shift their activities online, hackers’ attack surface grows. However a more recent game changer is the rise of Industry 4.0. Cyber attack and defence tactics have developed within the confines of IT systems. But the growing number of utilities and manufacturers using operational technology to automate industrial processes is giving threat actors new targets beyond IT. Cyber attacks are no longer confined to the online world. They are also bringing down physical operations, too.

Cyber arms race

At the forefront of this era of cyber–physical attacks is cyber security firm Dragos. Its co-founder and CEO, Robert Lee, helped lead the investigation into the Russia-linked attack on Ukraine’s power grid in 2015, which was the first time a cyber attack brought down a national electricity system — a tactic Russia has continued to use during the war. Dragos was also involved in the resolution of the 2021 attack on the US’s Colonial Pipeline, the world’s most famous cyber–physical attack, which suffered a six-day shutdown and prompted petrol shortages in the country’s south-east. 

Utilities like these were the first targets of operational technology attacks, and are often the work of government-backed hackers seeking to create disruption. With every example of critical infrastructure that is compromised, the potential threat becomes bigger. “Most state actors want to have parity with their geopolitical peers,” says Mr Lee. “Every large attack that becomes public and shows that it has some valuable impact ends up encouraging other military intelligence teams around the world to have that type of capability as well for their leadership.” 

Cyber criminals target manufacturing

From its headquarters in the US and its global network of offices, Dragos advises utilities alongside companies in a full swatch of industries using operational technology. These include data centres, oil and gas, and airports. But Mr Lee says that “by far” the industry that is most exposed to cyber-physical attacks is manufacturing. This is in line with research by IBM which shows that manufacturing was the industry suffering the most cyber attacks — counting both IT and operational technology — in 2021 and 2022.

Manufacturers’ vulnerability to operational technology attacks is partly down to them being further along the digitisation curve than other types of industrial processes. “Changing the profile of a carbon cracker at an oil facility is difficult, so that digitisation project may take a decade,” Mr Lee says. “To make a single manufacturing facility more virtual? That’s a couple of years project.” This has a domino effect, pushing their manufacturing competitors to automate their own factories to stay competitive.

In addition, manufacturers are targeted by private cyber criminal groups through ransomware attacks because they have little tolerance for downtime. “Non-state actors very much cause economic impact to those companies to get paid out faster,” says Mr Lee. “If you hit the [operational technology] side of the house versus the IT side of the house, you get paid faster because that’s where the revenue is usually getting generated.”

He says taking some manufacturing facilities offline would cost the company $10m a day. One of Dragos’s clients has a facility which would cost more than $1bn to restart. It is companies like this that underline the magnitude of cyber risks for industrial processes.

“If their website goes down, they’ve got a bad press day,” he says. “If their plant goes down, they’re looking at going out of business.”

This article first appeared in the October/November 2023 print edition of fDi Intelligence