VIEW 16
Industry connectivity
Systemic risk is intimately associated with the concept of connectivity, or correlation. Diversifying an investment portfolio requires seeking out uncorrelated assets, though this can be thwarted when unexpected correlations emerge as disaster strikes.
The systemic risk inherent in connected systems like the power grid or transport networks is fairly plain to see. An electric power substation blowout or a shipping port disaster will send ripples of disruption through the whole network. But in the cyber world, systemic risk is amplified by two factors: tight coupling and vertical stacking.
First, essential infrastructure is more tightly coupled than before. In the past, the telephone system was separate from, say, the banking SWIFT network. Today, communications, banking, energy, and transport networks all rely on the same underlying internet infrastructure. Think of electric cars guided by cell phones and GPS, or computerized container ports.
Second, connectivity exists at almost every level of the notional technology stack. The national power grid can be thought of as a single horizontal plane, whereas in the cyber domain we have a whole stack of planes, as shown in the diagram. Each of these planes exhibits a high degree of connectivity.
Hardware: Companies in a particular industry normally use the same hardware. A good example is the point-of-sale terminals whose commonality was exploited by the memory-scraping malware used in the 2013 Target breach. In operational technology, a single manufacturer may hold close to 100% of the market for a particular type of machine tool used throughout an industry such as auto manufacturing. That one product then becomes a point of failure shared by the whole sector.
Networks: Economies of scale mean that only a few cloud service providers dominate the industry. The top three, Amazon Web Services, Microsoft Azure, and Google Cloud, control roughly two thirds of the market between them, concentrating outage risk.
Websites: Websites are natural industry aggregators. Common-interest groups that gather on such sites, or that subscribe to industry-specific blogs, are the targets of watering hole attacks: compromise the one site a sector visits and you reach the whole sector.
Software: Operating systems are probably the greatest risk aggregators. Counting both cell phones and computers, the roughly seven billion devices in use today are dominated by three operating-system families: Microsoft Windows, Apple's macOS and iOS, and Android. But industry-specific enterprise software, say practice-management software for dentists, can be just as dominant within its specialist niche.
People: At the top of the stack are the users, people who share common interests. For example, the e-mail addresses of all attendees at a particular industry conference are fairly easy to acquire. This provides an excellent starting point for a sector-specific phishing campaign.
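The concentration argument above can be made quantitative. The following Python is an added example, not code from the original report: it models a hypothetical sector of six firms, each depending on one vendor at each of three planes (hardware, cloud, operating system). The firm names, vendor names and the per-vendor compromise probability are constructed for the illustration. It measures vendor concentration per plane with the Herfindahl-Hirschman index, the blast radius of a single vendor compromise, the fraction of firm pairs that are coupled through a shared vendor, and the probability of a sector-wide event under shared vendors versus the naive assumption that the firms fail independently.

```python
"""Concentration and blast radius in a vertically stacked sector.

Added example with constructed data (hypothetical firms and vendors).
Each firm depends on exactly one vendor at each plane of the stack.
"""
from itertools import combinations, product
from math import comb

PLANES = ("hardware", "cloud", "os")

# Constructed sample data: firm -> vendor used at each plane.
SECTOR = {
    "Bank A": {"hardware": "POS-X", "cloud": "CloudOne",   "os": "OS-W"},
    "Bank B": {"hardware": "POS-X", "cloud": "CloudOne",   "os": "OS-W"},
    "Bank C": {"hardware": "POS-X", "cloud": "CloudTwo",   "os": "OS-W"},
    "Bank D": {"hardware": "POS-Y", "cloud": "CloudOne",   "os": "OS-W"},
    "Bank E": {"hardware": "POS-Y", "cloud": "CloudThree", "os": "OS-M"},
    "Bank F": {"hardware": "POS-Z", "cloud": "CloudTwo",   "os": "OS-M"},
}


def vendor_shares(sector, plane):
    """Fraction of firms depending on each vendor at one plane."""
    counts = {}
    for deps in sector.values():
        counts[deps[plane]] = counts.get(deps[plane], 0) + 1
    n = len(sector)
    return {vendor: c / n for vendor, c in counts.items()}


def hhi(shares):
    """Herfindahl-Hirschman index on a 0..1 scale (1.0 = a single vendor)."""
    return sum(s * s for s in shares.values())


def blast_radius(sector, plane, vendor):
    """Firms hit when `vendor` is compromised at `plane`."""
    return {firm for firm, deps in sector.items() if deps[plane] == vendor}


def largest_blast_radius(sector, plane):
    """The dominant vendor at a plane and the firms that fall with it."""
    shares = vendor_shares(sector, plane)
    vendor = max(shares, key=shares.get)
    return vendor, blast_radius(sector, plane, vendor)


def coupled_pair_fraction(sector):
    """Fraction of firm pairs sharing at least one vendor at any plane.

    A portfolio of these firms looks diversified by name; this is the share
    of pairs that would actually fail together when a common vendor goes down.
    """
    pairs = list(combinations(sector, 2))
    coupled = sum(1 for a, b in pairs
                  if any(sector[a][p] == sector[b][p] for p in PLANES))
    return coupled / len(pairs)


def _outcomes(sector, p):
    """Enumerate every combination of vendor compromises.

    Each (plane, vendor) is compromised independently with probability p; a
    firm is affected if any of its vendors is. Yields (affected firms, prob).
    """
    vendors = sorted({(pl, deps[pl]) for deps in sector.values() for pl in PLANES})
    for outcome in product((False, True), repeat=len(vendors)):
        down = {v for v, hit in zip(vendors, outcome) if hit}
        prob = p ** len(down) * (1 - p) ** (len(vendors) - len(down))
        affected = {firm for firm, deps in sector.items()
                    if any((pl, deps[pl]) in down for pl in PLANES)}
        yield affected, prob


def tail_probability_shared(sector, p, k):
    """P(at least k firms affected) under the shared-vendor model."""
    return sum(prob for affected, prob in _outcomes(sector, p) if len(affected) >= k)


def marginal_probability_shared(sector, firm, p):
    """P(a given firm is affected) under the shared-vendor model."""
    return sum(prob for affected, prob in _outcomes(sector, p) if firm in affected)


def per_firm_probability(sector, p):
    """Per-firm failure probability: one vendor per plane, each down with prob p."""
    return 1 - (1 - p) ** len(PLANES)


def tail_probability_independent(sector, p, k):
    """Same per-firm probability, but firms assumed to fail independently
    (the naive diversified-portfolio view): a binomial tail."""
    n, q = len(sector), per_firm_probability(sector, p)
    return sum(comb(n, j) * q ** j * (1 - q) ** (n - j) for j in range(k, n + 1))


if __name__ == "__main__":
    for plane in PLANES:
        vendor, hit = largest_blast_radius(SECTOR, plane)
        print(f"{plane:8s} HHI={hhi(vendor_shares(SECTOR, plane)):.3f} "
              f"worst vendor={vendor} hits {len(hit)}/{len(SECTOR)} firms")
    print(f"firm pairs coupled through a shared vendor: {coupled_pair_fraction(SECTOR):.0%}")
    p, k = 0.1, 3
    print(f"P(>= {k} of {len(SECTOR)} firms down): shared vendors "
          f"{tail_probability_shared(SECTOR, p, k):.3f} vs independent firms "
          f"{tail_probability_independent(SECTOR, p, k):.3f}")
```

The per-firm failure probability is identical in both models, so a risk assessment done firm by firm sees no difference; only the shape of the loss distribution changes. With shared vendors the probability of a sector-wide event (at least half the firms down) is higher, while the probability of at least one firm being hit is lower, which is the "unexpected correlation" that thwarts diversification.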