Malware is no longer a front office IT issue. Today malware is an evolving business model focused on generating continuous revenue streams—and the criminals using it are increasingly turning their attention to oil refineries, manufacturing sites and power grids.

When we first started seeing malware target industrial control systems, attackers used a 'spray and pray' approach: Spray out as many infected download links or portable drive malware attacks as possible in an attempt to get users to spread their ransomware and generate a quick payout. When successful, ransoms were relatively small: between $250 - $1,000.

Today, cyber criminals have discovered it is much more lucrative to target specific enterprises and their vulnerable legacy systems, or propriety software. With the ability to shut down production lines and hijack industrial systems, attackers are demanding $100,000 and up, and they don’t go away. By infiltrating multiple systems, they keep their victims on the hook longer.

What type of attacks are you up against?

The first type of malware attacks on industrial controls we see are CryptoLocker / ransomware style attacks. This malware encrypts files and 'holds them for ransom.' You pay the ransom with the expectation the attacker will go away, but they don’t. New variants have successfully eluded anti-virus and firewall technologies; it’s reasonable to expect more will emerge that are able to bypass preventative measures.

For example, a client in 2019 paid ransoms twice before contacting us for help. Each time they updated their antivirus protection measures thinking it would safeguard them, but it didn’t. Once attackers had gained entry to the client’s systems, they set about changing existing client security measures and controls to guarantee continued access. The client simply failed to understand how much of their network had been compromised and how sophisticated their attackers were.

A second type of attack uses installers on industrial manufacturing equipment. Attackers use these installers once they have a good foothold on your environment to place crypto-mining or botnet software on devices. In essence, the client hardware is hijacked on demand by the attacker, or a portion of the computing power is used to benefit the attacker. The intent is to have a long-term financial stream rather than a one-time ransom payment.

Attackers are spending more time watching and learning

Once into your network, attackers now dwell and research in ways they haven’t before. Thus, sophisticated attack teams are taking their time and may be, at this very moment, carefully watching your business and your people. An attacker would launch probes to find out what operating systems and equipment are on your network and observe how you operate - all in an effort to determine how many opportunities there are in your environment to exploit. We’re also seeing a lot of data and intellectual property exfiltration being used to steal internal processes and IP during this time, which can then be sold after the ransom is paid.

Attackers are also monitoring your communications to see if they have been detected.

For example, a medium-sized manufacturer was preparing to replace all its virus detection software. Unbeknownst to the company, attackers had infiltrated their network months prior and were monitoring the company email web portal through a poorly protected administrative account. When the attackers discovered the company’s planned upgrade, hackers launched their attack the weekend before countermeasures were planned to be deployed.

Don’t wait to do something until you suspect something is amiss in your environment. If you wait until you think something is wrong, it’s too late.

Why you should take action now

The Benjamin Franklin adage, “An ounce of prevention is worth a pound of cure” is just as true today.

When trying to justify the time and cost to develop and implement a successful recovery plan, IT people often find it difficult to translate technology and security knowledge into business language. This translation is best focused on a realistic cost of an attack versus the cost of prevention -- including the risk to your business were the control infrastructure to stop operating in a full shutdown. Those numbers typically include:

  • Lost revenue from a shutdown of four to six weeks. In our experience this is how long it typically takes a poorly prepared company to restore its systems and get back up and running.
  • Cost of labor to restore and rebuild your tech stack (every workstation, server and process controller in your factory).
  • An estimated $500,000 investment in new security technology. A breach often causes companies to hastily buy a security tool to fix the problem.
  • Security consulting fee to ensure your environment is clean.

The total amount varies depending on the size of your environment, but can easily add up to millions of dollars.

<<< Start >>>


<<< End >>>

Case in point: In March 2019, Norwegian aluminum manufacturer Norsk Hydro was forced to halt some production and switch other units to manual operations after hackers blocked its systems. Their post-response analysis showed that attackers had been present in their network since December 2018 when somebody clicked on the wrong email. The forced shutdown cost the company $52 million (USD) in the first quarter of 2019.

Prevention is the most cost-effective strategy

You can invest in a cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage, to provide reimbursement for a ransom payment and related payments. Each policy is unique, so carefully review your coverage. Expenses that exceed the coverage limits on the policy are typically not covered so don’t underestimate what a breach might actually cost.

Also, consider that incident response, remediation, and rebuilding costs far outweigh preventative measures. Incident Response fees are some of the highest costs in the cybersecurity industry. Working with a security company skilled in your technology field - before an attack happens - can help you understand your specific risks and environment, as well as manage costs by having them on retainer. This can also help reduce your chances of being attacked through identification of gaps and gain you an ally that already understands your environment, with a better rate structure, should an event happen.

One of the easiest and most cost-effective solutions to malware recovery is good backups

Make sure you have a solid recovery plan with good data backups for your industrial environment, and test it in practice, not in theory.

One of our customers, an oil and gas company, had a good recovery plan, validated backups, and a strong leadership team determined not to pay a ransom. When they got hit, they were able to get back up and running in less than one week. On the other hand, another manufacturing customer who had not been validating their backups and had some broken pieces to their recovery process took six weeks to recover from an attack. Let that sink in—six weeks of 100% idled factories. Can your business sustain that type of loss?

It’s not a matter of if you’ll get attacked, but when. When you weigh the pros and cons to being proactive versus reactive to an attack, you can quickly see “an ounce of prevention is worth a pound of cure.”


Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture help organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2021 Accenture. All rights reserved.

Jon Taylor

Security Senior Manager

Subscribe to Accenture's Cyber Defense Blog Subscribe to Accenture's Cyber Defense Blog