“DISRUPTING” traditional business models might be hot talk for start-ups pitching investors, but in the world of manufacturing, transportation, energy and similar sectors, real “disruption” of production and facilities due to cyberattacks can have devastating safety and financial consequences.

The old concepts of malware wreaking havoc in a system for monetary gain are still present, but a new breed of attacks that we call “disruptionware” is wreaking havoc in networked industrial control system (ICS) and operational technologies (OT) environments.

These attacks are becoming increasingly consequential for the operator community because of the immediate disruption to operations and the potential safety impact to employees.


A joint report with Forescout and the Institute for Critical Infrastructure Technology, a cybersecurity think tank in Washington, D.C. digs into this concerning trend. The report titled The Rise of Disruptionware: A Study on How Disruptionware like LockerGoga Significantly Impacts Critical Infrastructure examines the attack patterns targeting critical industry sectors like manufacturing, including ransomware, disk-wiping malware and similarly disruptive malicious code.

Some key points:

Modernising the shop floor but forgetting cybersecurity

  • The attack surface was narrower when you had to scale walls or cut fences to get at a manufacturer’s network. But operators today are making massive investments in newer, more productive and efficient equipment that relies on connectivity to receive orders, self-diagnose issues and scale to demand.
  • In the typical IT security world, a ransomed file or infected laptop can be quickly restored thanks to strong back-up and recovery postures. But manufacturing assembly lines or water pumps damaged by malware or the ripple effects of a cyberattack don’t have that luxury. You cannot simply restore those physical goods with a cloud back-up.

“Disruptionware” is more than just a nuisance

  • Disruptionware is about more than just preventing access to systems and data. It is about suspending operations, disrupting continuity, and crippling a business’s ability to engage in operations, gather resources, and disseminate deliverables.
  • In the past year, relatively low sophistication ransomware like LockerGoga has plagued a variety of industries. One manufacturing company that became infected with LockerGoga estimated the impact to its business to be north of $40m just after one week of downtime.
  • Forescout expects the wave of “disruptionware” to continue to impact critical infrastructure with malicious actors having a variety of goals, which can include receiving a ransom, exfiltrating data to sell, leaving a backdoor to allow further attacks, or even suspending operations just long enough to allow another company to obtain a high profile contract.

Recommendations to improve resiliency

  • Utilities, shipping companies and factories look and operate very differently, but our report with ICIT argues that these sectors all have more in common than you might think. When it comes to approaches for mitigating disruptionware’s risks – the basics matter the most.
  • Operators need to understand the degree to which physical equipment, control systems, office IT and other assets touch each other and ultimately, the Internet using visibility and control solutions. Otherwise they risk having security blind spots.

In the world of pipelines, factories and power plants, digital hazards consist of much more than just malicious intruders – any type of outage or disruption, even if due to false-positives or errors, still causes harm.

But there is common ground that can be found under security and modernisation as these disruption-sensitive industries push toward new software and connectivity technologies.