Last Updated on May 19, 2021
In speaking with a client this week about the Colonial Pipeline Attack I referred back to the Maersk attack as they both illustrate the interconnected nature of critical suppliers. What is particularly concerning to me is how we are four years post-Maersk and while our recognition of the risk has risen, I don’t believe our general preparedness for the risk occurrence has. In re-reading my blog I think the guidance to “re-assess the cyber liability of your supply chain” was spot-on. But I didn’t close the loop. Once that risk is understood you need to ask “What are the steps necessary to mitigate the impact to us if (when?) it does happen?” Perhaps the only good to come out of the Covid Pandemic, is a broader awareness that once in a lifetime type events, do occur, and investing in preparation may indeed be cost and time justifiable.
I have written a couple of blog posts in recent months that touched on keys to avoiding ransomware and I stand by the recommendations that I’ve made regarding ISO 27001 scoping, security awareness training, and more.
That being said, the story that recently broke regarding global shipping company Maersk incurring $300 million in damages due to a NotPetya malware attack (so-called because it “masquerades” as the Petya cryptoworm) has me rethinking ransomware a bit:
Ransomware is a Denial of Service Attack
We need to better recognize that ransomware is intentionally or unintentionally a Denial of Service attack. While in most cases it is a Denial of Service to a file or group of files, it can also be a Denial of Service to other types of computing assets, either directly or indirectly caused by lack of access to files. Unfortunately, in Maersk’s case, those impacted assets had an enormously disruptive impact on operations.
Re-Assess the Cyber Liability of Your Supply Chain
We need to reconsider the indirect risk that ransomware poses to us via critical suppliers/partners. Our Enterprise, Information Security, and Vendor Risk Assessments need to be revisited independently and in concert with each other to address this evolving threat agent. Our Cyber Liability policies need to be reviewed to re-assess third-party coverage and incident response requirements.
That stems from the fact that the Maersk attack “disrupted operations for two weeks,” and that for “up to two days, Maersk’s affected terminals couldn’t move cargo.” How many downstream companies were also notably impacted by these delays? How vulnerable is your company to an upstream (vendor) ransomware event of this nature? Further, how much liability might you incur if an upstream event impacts your downstream (clients)?
Transparency Helps Us All
I applaud Maersk’s transparency and know firsthand it has positively impacted other companies in the logistics and supply chain vertical, as we have had several notable introductory calls with potential clients that explicitly referred to the Maersk situation as a driving force to their new information security initiatives.
If you too are looking for ways to mitigate the risk ransomware and other types of malicious software may directly (or indirectly) affect your organization, reach out!