VIEW 6
Systemic risk: Industry connectivity
Following on from the ‘buttons and threads’ model of systemic risk (View #5), let’s look at connectivity issues and risk aggregation across industries. The diagram shows a simplified layer model of an IT system, from hardware at the base to people at the top. At each layer in this pyramid there are connectivity pathways that can bind the companies in a particular industry together. This implies that systemic risk is rife across industry sectors at every layer.
Hardware:
Companies in a particular industry normally use the same hardware. A good example is the point-of-sale card readers used by retailers. The notorious Target breach that exposed 40m credit card details in 2013 was based on a vulnerability in the RAM of the credit card readers. Note also that the machine tool industry is very fragmented. A small German Mittelstand company can often have a 100% market share for a particular type of precision milling machine used in an industry vertical. Now that these machines are being connected to the internet through supervisory control and data acquisition (SCADA) systems and the Internet of Things (IoT), a new vector of systemic industry hardware risk is emerging.
Networks:
Cloud service providers, internet service providers and the national telecom infrastructure in general all carry the obvious risk of being a single point of failure. Amazon Web Services dominates the cloud services market with a 50% market share (1). Adding the next three biggest providers, Microsoft Azure, Google Cloud and Alibaba Cloud, brings the total to 85% (2). A major failure at one of these four could cause significant disruption across all industries.


Application software:
Just as machine tool manufacturers dominate in micro-specific niches for plant and equipment, application software companies tend to dominate in particular small-scale industry verticals. So, for example, a software package specifically designed to help dentists run their practice could have a huge market share amongst dentists but not amongst doctors, who have their own preferred software provider. The smaller the specialist niche, the greater the likelihood that a single supplier will dominate it.
Websites:
Websites are natural industry aggregators. A widely read blog on an industry association website is a natural target for a ‘waterhole’ attack. In the 19th century, big game hunters would wait at waterholes to pick off the animals that gathered there to drink at dusk. In the 21st century, hackers do the same thing at popular industry websites.
People:
Industry conferences are another easy target for waterhole attacks. A list of the email addresses of all attendees is fairly easy to acquire, providing an excellent starting point for an industry-specific phishing campaign.

