Weir Group has disclosed that it was hit by a sophisticated ransomware attempt in the second half of September. Details were revealed to shareholders in the company’s Q3 trading update. While there was no impact on orders, the company shut down its IT systems, resulting in shipping and other delays.
In a statement, Jon Stanton, Chief Executive, Weir Group, commented: “We responded quickly and comprehensively to what was a sophisticated external attack on our business. The robust action to protect our infrastructure and data has led to significant temporary disruption but our teams have responded magnificently to this challenge and have managed to minimise the impact on our customers. We will continue to focus on the safe restoration of all our systems whilst strengthening our future resilience even further.
“More broadly, the continued strong demand across our markets in Q3, particularly for our more sustainable solutions, reinforces our view that Weir is ideally placed to benefit from a multi-decade growth opportunity, as the mining industry invests in expanding capacity while reducing its environmental impact.
“We remain on track to deliver our recently announced three-year performance goals that will see us increase revenues, expand margins and significantly reduce our environmental footprint.”
Weir Group releasing few details of the attack
The Weir Group has released few details of the attack and exactly what happened. The company is currently in the middle of a forensic investigation into the attack and wants to focus on that and the business. However, there are a few things that we do know from the statement:
- The attack was caught by the cybersecurity system and controls
- Those controls initiated the isolation and shutdown of all IT systems, including ERP and engineering applications
- The company has partially restored its ERP and engineering systems
- All other systems are being brought back online based on business priority
- There is no evidence that any personal or other business-sensitive data has been encrypted or exfiltrated
- The company is liaising with regulators and intelligence services
- The impact is expected to continue into Q4
- Nobody from or associated with Weir has been in contact with the attackers
The response seems pretty textbook. Weir will be happy that its defences triggered and behaved as planned. That it caused some business interruption is to be expected, but the damage could have been much worse. Importantly, the company has managed to maintain control over the whole incident. Its speed of response means it is unlikely to suffer any reputational damage.
All eyes will now be on the post-incident report and the forensics. Who was responsible? What ransomware did they use? How did the attack start? Is there any risk of parts of the attack surviving the restore? The last question is especially important. Cybercriminals have learned to infect and wait, so that their attack is embedded in a target's backups before it is triggered. That makes quick restores risky, with no guarantee that they will work.
What is the financial downside of the attack?
Far less than it could have been. While it seems that no ransom has been demanded, it would have easily been in the millions of pounds sterling given the size of the Weir Group. That cost would have been on top of any business interruption costs.
The company has estimated those interruption costs. It stated: “As a result of the rephasing of shipments caused by the cybersecurity incident, the Group experienced revenue deferrals of c.£50m in September alongside overhead under-recoveries in manufacturing and engineering. While the bulk of the missed September revenue is expected to be shipped in Q4 it is likely that the temporary disruption to our end-to-end value chain will cause some slippage of Q4 revenues into 2022 together with some overhead under-recovery.
“In order to reflect this incident, Weir is updating full year guidance. The full year operating profit impact of Q4 revenue slippage is expected to be between £10m and £20m, while the impact of overhead under-recoveries is expected to be between £10m and £15m. The majority of the impact is expected to be in the Minerals division due to its engineering and supply chain complexity relative to ESCO. The direct costs of the cyber incident are expected to be up to £5m. As a result, the Group now anticipates its full year PBTA will be in the range of £230m to £245m.”
Enterprise Times: What does this mean?
If faced with a ransomware attack, there are few companies who can be confident that their response will be as effective as the Weir Group's. It is an endorsement of pre-planning for an attack, and one that many CISOs will hope they can learn from. It will be a surprise if the Weir Group CISO is not called upon to talk at cybersecurity conferences over the next year to explain what they did right.
According to Ramses Gallego, CTO, Cyber Res: “The news that Weir Group will be losing up to £40 million in profits, following a ransomware attack in September, is a stark reminder of the sheer scale of impact cyber crime can have on a business.
“Given the potential effect on business as a whole, cybersecurity must extend beyond just IT teams. Protecting a business means making cyber resilience an integral part of the entire organisation’s life cycle – baked into every and all essential systems. It’s important to protect what matters most: people and data. Ultimately, cyber resiliency is about ensuring that people, processes and technology are safeguarded and the right culture, structure and strategy are properly communicated and deployed.”