Cybersecurity is comparable to the fortress of “Helm’s Deep” in the Lord of the Rings movie: Enormous stone walls can protect the interior of the castle from attacks. However, even in the strongest fortress, there is always a vulnerability somewhere (in the case of Helm’s Deep, it was a sewer system) that attackers can find and use to infiltrate the castle.
This analogy is drawn by Alexander Wörndl-Aichriedler, Vice President Global ICT at PALFINGER. The international technology and mechanical engineering company became the victim of a ransomware attack in early 2021. Ransomware is a type of malware that encrypts data, changes passwords, and/or alters permissions to block access to data, in order to demand a ransom for restoring it.
As production facilities, such as those at PALFINGER, become increasingly interconnected, the impact of a cyberattack can be significant. The number of partner companies accessing the systems externally is growing, for example to perform maintenance or to monitor systems. “This opens up potential new entry points for hackers,” says Alexander Wörndl-Aichriedler. Additionally, PALFINGER’s products, such as cranes, are smart and connected. “An attacker could gain access to a crane and control it, which could have massive negative consequences.” Therefore, access to interconnected systems must be made as secure as possible.
Attacks are targeted and planned
However, even with extensive security measures, there is no one-hundred-percent guarantee of safety. “The question is how much effort is invested in finding a vulnerability in the system,” explains Alexander Wörndl-Aichriedler. In a ransomware attack, hackers do not target companies at random; they specifically search for the sewer system of Helm’s Deep.
When attackers penetrate a system, they do not immediately take action but rather explore and gain an overview of the IT environment: where are the data centers, what networks exist, and what sensitive data is present? Such an attack is planned approximately 2 to 6 months in advance.
The timing of the attack is not random either. In most cases, it coincides with a sensitive date in order to pressure companies into paying the ransom. In the case of PALFINGER, it was a Saturday at the end of January: the year-end closing and salary payments were due. Companies are also typically not heavily staffed on weekends.
The bomb was detonated.
Data was encrypted and central systems were affected, with consequences for many PALFINGER plants around the world. As a result, the majority of production came to a halt.
How does one respond to such an attack? “First and foremost, we tried to contain or prevent the spread of the attack by disconnecting from other systems and locations,” says Alexander Wörndl-Aichriedler. Then PALFINGER’s IT staff assessed the damage. “Ransomware attacks have one thing in common: they target essential services. We gradually restored these services.” For example, after two days, email communication was functioning again.
Nevertheless, PALFINGER decided to pay the ransom. “This was primarily a commercial consideration: how long would it take to restore data from backup systems? It was a trade-off between potential data loss and the possibility of decryption with the help of the hackers.” The data volumes involved were in the range of hundreds of terabytes: design data, orders, issued invoices, and much more. However, decryption is itself time-consuming and not immediate. PALFINGER therefore chose a mixed approach combining decryption, restoration from backup, and complete rebuilds. No data was lost with this approach.
Security vs. Operational Efficiency
What were the consequences of the hacker attack for PALFINGER? “There has been no change in our cybersecurity strategy. The attack simply accelerated the processes by freeing up financial resources earlier for further measures,” says Alexander Wörndl-Aichriedler. He compares the process to a pendulum swinging between security and operational efficiency. The fact is that increased security measures slow down and complicate processes; they are resource-intensive and costly. At present, however, the pendulum is swinging towards security.
He advises other companies not to take the issue lightly. They should rely on external partners who regularly assess the IT environment and identify vulnerabilities. And if an attack does occur, transparency is crucial. Many companies conceal cyberattacks because, for various reasons, they do not want to admit to being victims. PALFINGER has chosen a different approach and has received much appreciation for it. Alexander Wörndl-Aichriedler and his colleagues speak about the incident at numerous security events, so that other companies can better protect their own sewer systems.
When should ransom be paid and when not?
“Whether a company should pay the ransom or not depends on the specific case,” says IT expert Dominik Engel from Salzburg University of Applied Sciences. In the case of PALFINGER, the cost-benefit analysis favored payment. However, it should always be the last resort (ultima ratio): “If there are other (economically) viable options, such as resorting to backup systems, those should be exhausted first.” Paying a ransom strengthens the business model of the hackers. But Dominik Engel believes that companies should not be burdened with this ethical aspect because “first and foremost, they need to maintain their own operations.”
A question that Dominik Engel frequently encounters is whether companies should stock up on cryptocurrencies in order to be able to pay quickly in the event of an attack (ransom is usually demanded in cryptocurrencies such as Bitcoin). “No, absolutely not. That would practically invite hackers to attack the company.”