
Claroty reports 25% of organizations using cyber-physical systems lost over $1 million from cyber attacks

Cyber-physical systems protection company Claroty revealed that in the past year, one in four organizations using CPS suffered financial losses exceeding US$1 million due to cyber attacks. These breaches resulted in significant operational downtime, substantial financial damage, and prolonged recovery periods, severely impacting business operations. Ransomware demands are severe in healthcare, with 78 percent reporting payments over $500,000 due to ongoing ransomware attacks.

In its report titled ‘The Global State of CPS Security 2024: Business Impact of Disruptions,’ based on a global independent survey of 1,100 professionals about the business impacts of cyber attacks on their organizations in the past 12 months, Claroty identified a significant financial impact, with over a quarter (27 percent) of organizations reporting a financial impact of $1 million or more from cyber attacks affecting cyber-physical systems. Several factors contributed to these losses, the most common being lost revenue (selected by 39 percent of respondents), recovery costs (35 percent), and employee overtime (33 percent).

Claroty also highlighted that cyber insurance continues to gain momentum as companies attempt to offset some of the costs associated with attacks. Brokers and insurance providers, however, are becoming stringent about requiring certain controls to be in place before providing coverage. Gaps in cybersecurity programs such as a lack of standardized practices, a lack of incident response plans, and other shortcomings could render some companies, especially small businesses and midmarket enterprises, uninsurable. Yet, globally, respondents reported hefty payouts from post-incident cyber insurance coverage, helping offset some of the steepest recovery costs. 

Advanced attackers such as Russia’s Sandworm APT and Iran’s Revolutionary Guard Corps have launched very public cyberattacks against the electricity infrastructure in Ukraine and water treatment facilities in the U.S. and Israel, respectively. Ransomware, meanwhile, remains a clear and present threat to hospitals and the sanctity of patient care. Hundreds of attacks have impacted healthcare delivery organizations (HDOs)—most notably the Change Healthcare incident detected in February—and millions of dollars in ransom and extortion payments have been sent to attackers in the hope of regaining access to, and control of, impacted patient data and medical devices.

Ransomware continues to be the worst scourge plaguing companies in critical infrastructure sectors. Losses and downtime pile up quickly, and recovery efforts such as backups are rapidly put to the test under the most stressful of circumstances. Costs here are also quantifiable with organizations—despite recommendations from law enforcement and cybersecurity experts alike—often making the difficult business decision to negotiate with and meet an attacker’s ransom demands. These attacks, meanwhile, have evolved. 

Claroty observed that these are no longer attacks that merely encrypt critical systems and information; they are often secondary attacks paired with data breaches and theft of intellectual property. “The stolen data is held over a victim’s head with the attacker threatening to leak patient data or lost business information in an attempt to extort even more from the compromised company. Meanwhile, ransom demands and related recovery efforts continue to be among the costliest impacts from cyberattacks, especially against mission-critical infrastructure such as CPS.”

The research revealed that the most financially impacted sectors are chemical manufacturing, power and energy, and mining and materials, with 54 to 55 percent of respondents in each sector reporting more than $500,000 in losses from incidents in the last 12 months. 

Over half of respondents (53 percent) met ransom demands of more than $500,000 to recover access to encrypted systems and files to resume operations. This problem is particularly severe in the healthcare sector where 78 percent reported ransom payments over $500,000, as ransomware and extortion-based attacks on hospitals and clinical environments continue to run seemingly unabated. 

Claroty reported that nearly half of respondents globally (49 percent) experienced more than 12 hours of operational downtime resulting from a cyberattack in the last year, and one-third (33 percent) reported at least a full day of downtime. About half (49 percent) said the recovery process took a week or more and nearly a third (29 percent) said recovery took over a month.

The research revealed that industrial, manufacturing, and other processes that are disrupted or manipulated can severely affect system availability or the safety of operators or the public. This can force production shutdowns or delays in product delivery, adding up to costly financial losses. The most common cybersecurity impacts are process manipulation (selected by 38 percent of respondents) and process disruption (37 percent), which go hand-in-hand with operational downtime.

Claroty said that beyond lost revenue, respondents cited recovery costs as the second most significant factor contributing to the financial impact of cyberattacks on cyber-physical systems. “Incidents impacting manufacturing, power and energy, or healthcare organizations, for example, can result in long recovery times. Organizations are often faced with recovering from known, good backups in the case of disruptive ransomware attacks or destructive attacks from a state actor. Servers must be re-imaged, mitigations applied, and remediation steps such as patching and firmware updates must be taken.” 

Claroty research revealed that 45 percent of respondents said at least half of their organization’s cyber-physical systems assets are connected to the internet, as increased connectivity and convergence have exacerbated the need for remote access to cyber-physical systems. The most common connection method is through a virtual private network (VPN)—selected by 36 percent of respondents—which lacks cyber-physical systems-specific security controls. 

Further, 82 percent of respondents said at least one cyber attack – and nearly half (45 percent) said five or more attacks – in the past 12 months originated from third-party supplier access to the CPS environment. And yet, almost two-thirds (63 percent) admit to having only partial or no understanding of third-party connectivity to the cyber-physical systems environment.

Also, VPNs, jump boxes, and non-enterprise grade remote access solutions lack the session recording, auditing, and role-based access controls that would be necessary to properly defend an OT environment. Some lack basic security features such as multi-factor authentication (MFA) options or have been discontinued by their respective vendors and no longer receive feature or security updates. 

Claroty observed that defending cyber-physical systems from cyberattacks requires approaches that stray from IT security management. Organizations are strategizing to build resilient systems; they acknowledge that incidents are inevitable and architect systems and networks that can stand up to attacks, rather than try to boil the ocean by patching every vulnerability and addressing every known and unknown threat. 

Most organizations running cyber-physical systems environments recognize the need for an accurate and ongoing asset inventory and visibility into connected assets, in order to detect threats and unusual access to systems, prioritize remediation according to critical known exploits, and comply with industry regulations by following accepted standards.

When asked about any security capabilities they believed were missing that would have decreased the impact of cyberattacks in the past 12 months, the top answer was having a risk assessment to help manage risk more effectively (selected by 34 percent of respondents), followed closely by vulnerability management (32 percent) and asset, change, and/or lifecycle management (31 percent). However, respondents seem confident in their risk-reduction implementations in the past 12 months, indicating a growing maturity around the defense of cyber-physical systems environments, and an understanding of their impact on critical infrastructure. 

“The impacts from cyber attacks on asset-intensive organizations can be detrimental to operations, and, in reality, often require the level of loss like we saw in our study to make the necessary cybersecurity investments,” Grant Geyer, chief strategy officer at Claroty, said in a media statement last week. “To evolve from this reactionary process to a proactive one that will decrease losses, we also found that organizations are shifting their thinking—they are starting to consider it core to delivering on an organization’s mission.” 

He added that insights from the report validate that not investing in the unique challenge of protecting cyber-physical systems can lead to a serious hit to the organization’s bottom line and that, thankfully, organizations are beginning to see the payoff of making that investment.

CISOs are increasingly challenged with new regulatory and personal legal pressures as part of their day-to-day responsibilities. Any business disruptions linked to a cyberattack can cast a harsh light on a cybersecurity program’s effectiveness. Reducing risks to cyber-physical systems must be a priority for any cybersecurity leader given the ramped-up connectivity of industrial control systems, smart devices and systems, and connected medical devices, especially due to the impact that a compromise to these systems can have in the physical world.

Claroty advises organizations that robust cybersecurity hinges on comprehensive asset inventory and enhanced visibility. The value of CPS security programs depends on asset visibility quality. Organizations must identify network assets, including hardware, software, and data, to understand protection needs. Proper visibility aids in managing cyber-physical systems complexities, prioritizing exposure management, patching risky flaws, and reducing risk. 

Also, exposure management is crucial for cybersecurity, and organizations must identify and prioritize weaknesses based on exploitability, system importance, and access controls. Risk and business impact assessments help leaders understand the impact of vulnerabilities. Security teams should reclassify high-risk devices by the security of their internet connection and their known vulnerabilities, focusing on those most at risk so that the list of priority devices is narrowed to what matters most.

Claroty research also identified that secure remote access for third parties is essential in modern cybersecurity to protect communications. Proper visibility and secure access strategies help ensure critical systems are protected with strong controls. Many organizations report frequent incidents due to weak third-party access and non-enterprise remote tools. It’s crucial to manage these areas to minimize disruptions, revenue loss, and compliance issues. A common solution is a single secure access hub for all vendors to standardize control and identity governance.

As CPS are used for efficiency, securing communications between machines and cloud workloads is vital to reduce cyber risks. Attackers exploit lateral movement by accessing one system and then others to steal data or deploy malware. Air gaps, once seen as isolation methods, are often breached for external connections. Digital transformation demands IT/cloud connectivity, requiring network segmentation to secure communications. This limits lateral movement and isolates sensitive data, aiding compliance. CISOs should define segments based on security needs, adjust firewalls, and prioritize threat detection based on segment sensitivity.

Lastly, Claroty suggested that asset inventory and visibility into CPS assets are crucial for tuning firewalls, identifying network deviations, and detecting threats. Once threats are detected, organizations can respond to mitigate risks. Advanced attackers target CPS, so detecting threats and anomalies is vital. Security operations centers integrate with threat detection technologies to manage incidents. Visibility into CPS is essential for managing threats and ensuring system integrity.
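The three recommendations above (an asset inventory that drives exposure prioritization, a single secure access hub for third-party remote access, and zone-based segmentation whose violations the inventory helps detect) can be wired together in a small script. The example below is added here and is not Claroty's code or tooling; the asset inventory, the observed flows, the zone model (enterprise, dmz, ot) and the scoring weights are all constructed assumptions for illustration, and a real program would feed the same functions from its own inventory and flow logs.

```python
"""Constructed CPS asset inventory -> exposure prioritization -> access and segmentation checks.

Added example, not part of the original article. Zones, weights and sample assets are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                  # assumed zones: "enterprise", "dmz", "ot"
    criticality: int           # 1 (low) .. 5 (safety- or production-critical)
    internet_exposed: bool     # reachable from the internet
    remote_access: str         # "none", "vpn", "jump_box", "vendor_tool", "secure_hub"
    mfa: bool                  # remote access protected by multi-factor authentication
    vendor_supported: bool     # still receives security updates from its vendor
    known_exploited_vulns: int  # count of unpatched flaws with known exploitation (placeholder count)


# Constructed sample inventory; names and values are illustrative only.
INVENTORY: List[Asset] = [
    Asset("plc-03", "ot", 5, True, "vpn", False, True, 2),
    Asset("hmi-01", "ot", 4, False, "jump_box", True, False, 0),
    Asset("historian", "dmz", 3, False, "secure_hub", True, True, 0),
    Asset("erp-srv", "enterprise", 2, True, "none", True, True, 0),
    Asset("infusion-pump-12", "ot", 5, False, "vendor_tool", False, False, 2),
]

# Constructed observed (source, destination) connections, as a flow log would report them.
OBSERVED_FLOWS: List[Tuple[str, str]] = [
    ("erp-srv", "historian"),
    ("historian", "plc-03"),
    ("erp-srv", "plc-03"),
    ("hmi-01", "plc-03"),
    ("plc-03", "erp-srv"),
]

# Assumed segmentation policy: cross-zone traffic may only transit the DMZ.
ALLOWED_FLOWS = {("enterprise", "dmz"), ("dmz", "enterprise"), ("dmz", "ot"), ("ot", "dmz")}


def exposure_score(a: Asset) -> int:
    """Rank exposure by system importance, internet reachability, exploitability and access controls."""
    score = a.criticality * 2
    if a.internet_exposed:
        score += 5
    score += 3 * a.known_exploited_vulns
    if a.remote_access != "none":
        if not a.mfa:
            score += 3
        if a.remote_access in ("vpn", "vendor_tool"):
            score += 2  # tools without CPS-specific controls, session recording or auditing
    if not a.vendor_supported:
        score += 2  # no further security updates
    return score


def prioritize(assets: List[Asset]) -> List[Tuple[str, int]]:
    """Highest exposure first; ties broken by name so the output is stable."""
    return sorted(((a.name, exposure_score(a)) for a in assets), key=lambda t: (-t[1], t[0]))


def remote_access_gaps(assets: List[Asset]) -> List[str]:
    """Assets whose remote access bypasses the single secure hub or lacks MFA."""
    return sorted(
        a.name for a in assets
        if a.remote_access != "none" and (a.remote_access != "secure_hub" or not a.mfa)
    )


def segmentation_violations(assets: List[Asset], flows: List[Tuple[str, str]]):
    """Cross-zone flows that the segmentation policy does not permit."""
    zone = {a.name: a.zone for a in assets}
    violations = []
    for src, dst in flows:
        pair = (zone[src], zone[dst])
        if pair[0] != pair[1] and pair not in ALLOWED_FLOWS:
            violations.append((src, dst, pair))
    return violations


if __name__ == "__main__":
    for name, score in prioritize(INVENTORY):
        print(f"{score:3d}  {name}")
    print("remote access gaps:", remote_access_gaps(INVENTORY))
    for src, dst, pair in segmentation_violations(INVENTORY, OBSERVED_FLOWS):
        print(f"segmentation violation: {src} -> {dst} ({pair[0]} -> {pair[1]})")
```

Running the script ranks the internet-exposed, VPN-reached PLC with unpatched exploited flaws at the top, lists every asset still reached through a VPN, jump box or vendor tool instead of the secure hub, and flags the two flows that cross directly between the enterprise and OT zones; those are the firewall rules and access paths a team would review first.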

In September, research by Claroty’s Team82 revealed that 55 percent of OT (operational technology) environments utilize four or more remote access tools, increasing the attack surface and operational complexity and providing varying degrees of security. Additionally, the study found that organizations aiming to boost efficiency in OT are inadvertently creating significant cybersecurity risks and operational challenges.
