Cybersecurity in Steel: Crowe Shows How Not to Be the Low-Hanging Fruit
Written by Michael Cowden
October 1, 2021
Steel and metals companies need to up their cybersecurity game as digital thieves increasingly shift their focus from sophisticated data breaches to high-volume ransomware attacks.
And doing so isn’t just the right thing to do, it might soon be required for insurance purposes and to qualify for Defense Department work, said Mike Del Giudice, principal in the consulting group at Crowe, a Chicago-based public accounting, consulting and technology firm.
“It’s not so much that they are targeting metals, it’s more, ‘I just want to look for that low-hanging fruit,’” Del Giudice said.
The attitude of steel and other companies had been, “If a bear walks into the room, I don’t want to be the fastest person, I just don’t want to be the slowest.” But that’s not enough anymore, he said.
Cyberthieves used to hunt for high-value targets. And it took time and resources to breach a financial institution’s firewalls, for example, stay long enough to learn the network, find valuable data, and then get that data out to be sold on the dark web.
A ransomware attack is easier. A cyberthief doesn’t need to breach the castle walls. They need only to find a single weak spot – one user duped into doing the wrong thing, clicking on a link in an email that takes them to a malicious site.
“That’s all you need. And then it will explode into something more significant,” Del Giudice said.
That’s what happened with Colonial Pipeline, which is rumored to have paid millions in ransom to recover its computer systems. While Colonial might have been unique in terms of the steep ransom it is said to have paid, it is hardly alone in falling victim to a ransomware or cyberattack.
Canadian flat-rolled steelmaker Stelco temporarily suspended production last October following a criminal cyberattack. Evraz North America also fell victim to a cyberattack in March 2020 that impacted its operations in the U.S. and Canada. And Australian steelmaker BlueScope Steel likewise saw production halted because of a ransomware attack in May 2020.
Those are just a few of the cyberattacks that have been made public. Steel Market Update has heard rumors of ones at smaller or private steel or metals companies that did not become public knowledge. The result: “We are definitely seeing an uptick in awareness about this in metals,” Del Giudice said.
And so it’s time for all firms to make sure they’re doing “basic hygiene” when it comes to cybersecurity, including keeping security patches up to date, making sure data is backed up, and having good email filters to keep most ransomware from making it through to employees’ computers in the first place, he said.
As for employees, they should know how to make a strong password, be savvy enough to identify ransomware that makes it past filters, and they should use multifactor authentication – verifying their identity on another device such as a cell phone. And it’s also important to make sure that employees working from home don’t misuse administrative privileges, something that became a problem in the rush to work from home following the pandemic.
Such protections might require a few extra clicks for employees filing expenses. But think of it from your insurance company’s perspective. They wouldn’t insure a house with knob and tube electrical wiring. And they probably won’t insure your company against cyberattacks unless you have updated security processes in place.
“Premiums are going up a lot, and insurance providers won’t insure unless you have certain cybersecurity controls, such as multifactor and backups,” Del Giudice said.
One of the reasons premiums might rise: Ransomware attacks carry few risks for the attacker, and so enterprising cybercriminals have increasingly focused not on one big heist but on hitting as many soft targets – such as small- and mid-sized steel companies – as they can. “There are not a lot of people arrested on ransomware charges,” Del Giudice said. “The opportunity cost is low. They almost look at it from a business angle – so as the attacker, I am just going to increase my volume.”
Government agencies, notably the Department of Defense, are taking cybersecurity more seriously too. That’s not just for top-secret technology such as artificial intelligence for advanced weapons systems but also for more routine business, such as fabricated plate for armored Humvees.
Digital security requirements for an AI company might be very, very high. But even providers of more routine services will need to certify that they’re keeping up on the basics under the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) standard. The program, in the works for some time, is expected to be officially rolled out later this year, Del Giudice said.
“So you need to be certified to be able to bid on RFPs,” he said.
And cybersecurity is increasingly important not only when it comes to day-to-day business but also as tensions increase between the U.S. and other world powers such as China and Russia. Nation states might not be the ones carrying out the ransomware attacks, but they might be willing to look the other way as long as cybercriminals don’t attack anyone within their borders, Del Giudice said.
Also, the next Pearl Harbor, if there is one, will probably be digital. “If there were a large-scale event or a war, I think cyber would be a big part of it – you would see power and supply chains be a target,” he said.
So what’s in it for Crowe? It can be difficult for small and mid-sized companies to attract, retain and pay for a full-time cybersecurity officer – especially when even cybersecurity companies themselves struggle with such issues. Third-party companies such as Crowe can take on that burden.
Editor’s note: Crowe is hosting a free cybersecurity webinar on Oct. 7 at 1 pm ET. You can register to join by clicking here.
By Michael Cowden, Michael@SteelMarketUpdate.com
