Cybersecurity in Steel: Crowe Shows How Not to Be the Low-Hanging Fruit

Written by Michael Cowden

Steel and metals companies need to up their cybersecurity game as digital thieves increasingly shift their focus from sophisticated data breaches to high-volume ransomware attacks.

And doing so isn’t just the right thing to do, it might soon be required for insurance purposes and to qualify for Defense Department work, said Mike Del Giudice, principal in the consulting group at Crowe, a Chicago-based public accounting, consulting and technology firm.

“It’s not so much that they are targeting metals, it’s more, ‘I just want to look for that low-hanging fruit,’” Del Giudice said.

The attitude of steel and other companies had been, “If a bear walks into the room, I don’t want to be the fastest person, I just don’t want to be the slowest.” But that’s not enough anymore, he said.

Cyberthieves used to hunt for high-value targets. And it took time and resources to breach a financial institution’s firewalls, for example, stay long enough to learn the network, find valuable data, and then get that data out to be sold on the dark web.

A ransomware attack is easier. A cyberthief doesn’t need to breach the castle walls. They need only to find a single weak spot – one user duped into doing the wrong thing, clicking on a link in an email that takes them to a malicious site.

“That’s all you need. And then it will explode into something more significant,” Del Giudice said.

That’s what happened with Colonial Pipeline, which is rumored to have paid millions in ransom to recover their computer systems. While Colonial might have been unique in terms of the steep ransom it is said to have paid, it is hardly alone in falling victim to a ransomware or cyberattack.

Canadian flat-rolled steelmaker Stelco temporarily suspended production last October following a criminal cyberattack. Evraz North America also fell victim to a cyberattack in March 2020 that impacted its operations in the U.S. and Canada. And Australian steelmaker BlueScope Steel likewise saw production halted because of a ransomware attack in May 2020.

Those are just a few of the cyberattacks that have been made public. Steel Market Update has heard rumors of ones at smaller or private steel or metals companies that did not become public knowledge. The result: “We are definitely seeing an uptick in awareness about this in metals,” Del Giudice said.

And so it’s time for all firms to make sure they’re doing “basic hygiene” when it comes to cybersecurity, including keeping security patches up to date, making sure data is backed up, and having good email filters to keep most ransomware from making it through to employees’ computers in the first place, he said.

As for employees, they should know how to make a strong password, be savvy enough to identify ransomware that makes it past filters, and they should use multifactor authentication – verifying their identity on another device such as a cell phone. And it’s also important to make sure that employees working from home don’t misuse administrative privileges, something that became a problem in the rush to work from home following the pandemic.

Such protections might require a few extra clicks for employees filing expenses. But think of it from your insurance company’s perspective. They wouldn’t insure a house with knob and tube electrical wiring. And they probably won’t insure your company against cyberattacks unless you have updated security processes in place.

“Premiums are going up a lot, and insurance providers won’t insure unless you have certain cybersecurity controls, such as multifactor and backups,” Del Giudice said.

One of the reasons premiums might rise: Ransomware attacks carry few risks for the attacker, and so enterprising cybercriminals have increasingly focused not on one big heist but on hitting as many soft targets – such as small- and mid-sized steel companies – as they can. “There are not a lot of people arrested on ransomware charges,” Del Giudice said. “The opportunity cost is low. They almost look at it from a business angle – so as the attacker, I am just going to increase my volume.”

Government agencies, notably the Department of Defense, are taking cybersecurity more seriously too. That’s not just for top-secret technology such as artificial intelligence for advanced weapons systems but also for more routine business, such as fabricated plate for armored Humvees.

Digital security requirements for an AI company might be very, very high. But even providers of more routine services will need to certify that they’re keeping up on the basics under the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) standard. The program, in the works for some time, is expected to be officially rolled out later this year, Del Giudice said.

“So you need to be certified to be able to bid on RFPs,” he said.

And cybersecurity is increasingly important not only when it comes to day-to-day business but also as tensions increase between the U.S. and other world powers such as China and Russia. Nation states might not be the ones carrying out the ransomware attacks, but they might be willing to look the other way as long as cybercriminals don’t attack anyone within their borders, Del Giudice said.

Also, the next Pearl Harbor, if there is one, will probably be digital. “If there were a large-scale event or a war, I think cyber would be a big part of it – you would see power and supply chains be a target,” he said.

So what’s in it for Crowe? It can be difficult for small and mid-sized companies to attract, retain and pay for a full-time cybersecurity officer – especially when even cybersecurity companies themselves struggle with such issues. Third-party companies such as Crowe can take on that burden. 

Editor’s note: Crowe is hosting a free cybersecurity webinar on Oct. 7 at 1 pm ET. You can register to join by clicking here.
