The days of manufacturers quietly cleaning up from the damage of successful cyberattacks and their financial ramifications are over—and shareholders are paying attention.
Clorox on Aug. 14 disclosed via a U.S. Securities and Exchange Commission filing that the company had “identified unauthorized activity on some of its Information Technology (IT) systems” that was “expected to continue to cause disruption to parts of the Company’s business operations.”
Then, on Sept. 18, Clorox filed another SEC report stating it believed the hack was contained but resulted in slower production rates and “an elevated level of consumer product availability issues.” News of the filing spread widely throughout the media and Clorox’s stock price dropped roughly 2% between market close on Sept. 18 and market open the following day.
It’s a textbook example for why no company wants to advertise a cybersecurity breach and also suggests why manufacturers are so likely to pay ransomware bounties and eliminate the problem behind the scenes. But Clorox’s disclosures are in keeping with new SEC rules that require disclosure of material cybersecurity incidents within four days of the incident.
“If it weren’t for the new SEC rules, it’s likely that this attack wouldn’t be making headlines right now. The incident was originally disclosed in August, but Clorox is just now disclosing that it will have material impact because of the new rules that went into effect" on Sept. 5, said Chaz Lever, senior director of security research at cybersecurity firm Devo.
“They’re one of the first companies to have to do this, and it’s definitely uncharted territory, which is why Clorox's string of updates and bulletins are drawing attention. Business leaders are watching and wanting to know how this is going to play out because they don't want to find themselves in a potentially similar state of confusion in the future,” Lever added.
Cybersecurity 'hygiene' matters
The Clorox hack may demonstrate the value of heeding cybersecurity experts’ most common recommendations—keep your digital house clean and disinfected. For example, the need to train employees about social engineering, how threat actors might try to trick them into giving up usernames and passwords, mandating minimum acceptable password complexity and changing them at specific intervals.
According to multiple reports, social engineering is one of the most common attack vectors used by threat actors and cyberattacks against manufacturers very often involve ransomware. Both seem to apply to the Clorox breach.
“Clorox’s attack has all the hallmarks of a ransomware attack. This is all part of an ever-growing threat on social engineering combined with ever more evasive and adaptive attack techniques and tactics,” said Mark Guntrip, senior director of cybersecurity strategy for Menlo Security.
“From the information we have, it’s very likely that the same threat actors [the UNC3944 or Roasted 0ktapus groups] behind some of the recent business-disrupting breaches [in the travel industry] might also have had a hand in this incident. If that’s the case, I would imagine that the adversaries used social engineering tactics to gain access to the company’s systems,” added Tyler Farrar, CISO at Exabeam.
“This likely would have either: A, allowed them to promptly deploy ransomware or B, Clorox locking down all systems before the ransomware could spread, resulting in immediate disruption to the business. As a result, the supply chain was disrupted which leads to backups in manufacturing and shipping,” Farrar said.
Pivotal aspects of cybersecurity hygiene include contingency plans to limit the damage in the event of an IT system compromise and the need for data backups and redundancy to aid in speedy recovery.
“While Clorox indicated in their August notification that they have activated their Business Continuity Plan [or BCP], the fact that they have still not recovered full operational capability indicates their BCP was not complete and did not account for this particular type of disruption," Avivi added. "If it did, then the indication is that Clorox may have failed to exercise and test its BCP. A good BCP should have a good indication of a Recovery Time Objective. RTOs are typically measured in hours, potentially days. It is very rare that an RTO will be longer than a month."
The specific nature of Clorox’s business adds wrinkles to the process of spinning production back up to normal levels.
“What makes this incident special is it involved changes to [GxP] regulated systems that have to be completely shut down and rigorously tested before production can be resumed. Resuming production itself is a very long process and can only begin after the incident has been resolved, the investigation completed, the necessary controls implemented or changed, and the relevant software updates have been written, tested and deployed,” said Nick Ascoli, founder and CTO at Foretrace.
Ongoing recovery from the hack
In its Sept. 18 filing, Clorox stated it was repairing damaged infrastructure and bringing systems back online and expected a return to normal automated order processing this week.
“We expect the ramp-up to full production to occur over time but do not yet have an estimate for how long it will take to resume fully normalized operations,” a Clorox representative told IndustryWeek, a Smart Industry sister publication.
“Recovery periods from ransomware can fluctuate due to various factors such as encryption, forensic investigations and system building. Given that Clorox was still in the midst of its forensic investigation, it might have contributed to a more prolonged financial impact and supply chain disruption,” Farrar said.
The Clorox hack may serve as an object lesson beyond validating common cybersecurity guidance, indicating how manufacturers need to address successful hacks in the new reporting environment dictated by the Sept. 5 change in reporting guidelines.
“It’s commendable that Clorox disclosed this incident just three days after discovering the breach. Clorox’s transparency is a testament to its strong crisis management policies and its commitment to learning from the incident," Farrar said. "While any organization can become a target of such an attack, how it handles the response will make or break its reputation in the future.”
This article originally appeared on IndustryWeek, a sister publication of Smart Industry at Endeavor Business Media.