BRP, Inc., best known as the maker of Ski-Doo snowmobiles, reported a cyber attack in August 2022 that forced production shutdowns at factories in four countries for about a week after a malware infiltration from a third-party service.
The company said that some information about employees and suppliers had been compromised but characterized the loss as minor. In a press release, BRP said it was working to “restore all internal systems from its back-up repositories,” suggesting this wasn’t a catastrophic ransomware attack.
In other recent cyber attacks on manufacturing companies, Bridgestone had to shut down tire production in North America and Latin America in an attack claimed by the LockBit ransomware gang, and the construction materials maker Knauf was knocked off production by the BlackBasta gang.
IBM Security’s annual X-Force Threat Intelligence Index for 2021 found that in attacking manufacturing, ransomware actors “wagered on the ripple effect that disruption on manufacturing organizations would cause their downstream supply chains to pressure them into paying the ransom.”
Estimate of Probable Costs for BRP from a System Intrusion Incident
Using the RiskLens My Cyber Risk Benchmark tool, we can estimate the effect of a system intrusion incident on an organization of BRP’s size:
- $57.2 million for Primary Response Costs (incident management)
- $23.7 million for Lost Revenue
- $114,500 for Secondary Fines & Judgments (levied by government regulators, for instance)
- $81 million Total
Manufacturing Industry Cyber Incidents Count
According to the 2022 Verizon DBIR, manufacturing was hit with 2,337 cyber incidents in 2021, including 338 data breaches. That placed this industry at number six for total incidents, also number six for data breaches, out of 21 surveyed.
Most Probable Cyber Risks by Incident Frequency and Loss for Manufacturers
The RiskLens data science team estimates risk for companies in an industry category based on the cyber events history plus a wide range of parameters such as revenue, number of employees and number of database records.
In RiskLens modeling, system intrusion for a company of BRP’s size and type comes in as a relatively mid-range risk at a 4.7% chance of occurring in a year with an expected cost of about $81 million. As shown in this chart, insider misuse poses the most serious risk both in probability and impact. But note that an incident based on social engineering, at a relatively low likelihood, would probably cost around $120 million.
For system intrusion cyber incidents, manufacturers fare relatively well compared to organizations of comparable size in other industries, ranking near the bottom of the list for both frequency and magnitude of probable attacks.
Database Size and Security Posture Make a Difference
Adjusting the parameters on the My Cyber Risk Benchmark tool gives clues on how to reduce cyber loss exposure.
For instance, reducing the number of records in a database, while leaving the other settings the same for a manufacturing company, shows this $20M improvement for a system intrusion event:
- 100K-1M Records = $81M Loss
- 10K-100K Records = $61M Loss
To rate security posture, the Benchmark tool incorporates grading by Security Scorecard. Here’s how the annual probabilities of a system intrusion attack go up for a manufacturer as security grades go down, suggesting the value of controls investments, such as improved access management.
- A rating = 2.4%
- C rating = 4.7%
- F rating = 7.1%
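The figures above give a per-event loss and an annual probability separately. To compare a controls investment (moving from a C to an A grade) against data minimisation (moving a database from the 100K-1M band to the 10K-100K band) on one basis, a practitioner would turn each scenario into an annualized expected loss. The script below is an added example written for this post, not the RiskLens tool or its code; it assumes the usual FAIR-style combination of annual event probability multiplied by loss per event, and uses only the numbers the post reports.

```python
# Added example, not RiskLens's tool or code. Assumption: expected annual loss
# is annual event probability x loss per event (the usual FAIR-style combination).
# All numbers below are the ones reported in the post for a manufacturer of
# BRP's size facing a system intrusion event.

from typing import Dict, Tuple

# Annual probability of a system intrusion, by Security Scorecard grade.
PROBABILITY_BY_GRADE: Dict[str, float] = {"A": 0.024, "C": 0.047, "F": 0.071}

# Expected loss per event, by number of database records.
LOSS_BY_RECORD_BAND: Dict[str, float] = {
    "10K-100K": 61_000_000,
    "100K-1M": 81_000_000,
}


def annualized_loss(probability: float, loss_per_event: float) -> float:
    """Expected loss over one year for a single scenario."""
    return probability * loss_per_event


def scenario_table() -> Dict[Tuple[str, str], float]:
    """Annualized expected loss for every (grade, record band) combination."""
    return {
        (grade, band): annualized_loss(p, loss)
        for grade, p in PROBABILITY_BY_GRADE.items()
        for band, loss in LOSS_BY_RECORD_BAND.items()
    }


def annual_benefit(from_grade: str, from_band: str,
                   to_grade: str, to_band: str) -> float:
    """Reduction in annualized expected loss from moving between two scenarios."""
    table = scenario_table()
    return table[(from_grade, from_band)] - table[(to_grade, to_band)]


def net_benefit(from_grade: str, from_band: str,
                to_grade: str, to_band: str,
                annual_control_cost: float) -> float:
    """Expected annual benefit minus what the change costs per year.

    annual_control_cost is a constructed input: the post gives no control prices,
    so the caller supplies their own estimate.
    """
    return annual_benefit(from_grade, from_band, to_grade, to_band) - annual_control_cost


if __name__ == "__main__":
    for (grade, band), loss in sorted(scenario_table().items()):
        print(f"grade {grade}, {band:>9} records: ${loss / 1e6:6.2f}M per year")

    # Option 1: improve security posture from C to A, keep the database as is.
    posture = annual_benefit("C", "100K-1M", "A", "100K-1M")
    # Option 2: keep a C grade, shrink the database into the lower record band.
    minimise = annual_benefit("C", "100K-1M", "C", "10K-100K")
    print(f"C -> A posture improvement:  ${posture / 1e6:.2f}M per year")
    print(f"record-count reduction:      ${minimise / 1e6:.2f}M per year")
```

With the post's numbers, improving the grade from C to A is worth about $1.86M a year in expected loss, and dropping a record band is worth about $0.94M a year; doing both takes the scenario from $3.81M to $1.46M. The `net_benefit` helper is where a budget conversation starts: a control whose annual cost exceeds the benefit it buys in this model is not justified by this single scenario alone, though it may still pay off across the other incident types the benchmark covers.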