Cleantech Market Intelligence
In Mergers, Security Risks Arise
While my colleagues analyze a couple of recent big acquisitions – GE’s announced acquisition of much of Alstom and Exelon’s announced acquisition of PEPCO – I’m going to examine mergers and acquisitions (M&As) from a cyber security perspective. This is one of those rare cases where security has a longer timeline than other disciplines. Usually we get the call just after the disaster.
An M&A, almost by definition, introduces a great amount of variance into what was once a stable environment. Two corporate cultures must merge. Two sets of business processes must merge, frequently with substantial overlap in areas such as back-office processes. Two sets of operational processes must merge. Two IT architectures must merge, or at least be made to coexist.
Each of these sub-mergers introduces variation and uncertainty that can create prime targets for cyber attackers. Sophisticated attackers are aware that stable, day-to-day operations are likely to be best protected. Exceptional situations, such as system mergers or transitions, can present attack windows where normal protections are not present.
A key attack point lies in the transition from old to new processes or systems. Many M&A transactions are justified in part by the reduced operating expenses of the combined entity: redundant administrative functions can be eliminated, separate IT systems can be merged, and control of operating networks such as SCADA can be centralized in a single control center. During these mergers, security is often lax because the transitional state is expected to last only a short time. There is a temptation to overlook security and gamble that system conversions or migrations will be completed before anyone notices. But attackers start taking notes when the acquisition is first announced. When the M&A involves publicly traded companies, the transaction may take months to finalize – and all of that time can be used to plan an attack against the transition period.
Meanwhile, employees unfamiliar with new business processes can be susceptible to social engineering attacks, wherein the attacker may pose as someone performing the transition activities and ask for passwords or other sensitive information in the name of speeding up the conversion. As with many other social engineering attacks, this one often works because the scenario is plausible.
Watch the Exes
There are many steps that mitigate these risks. Here are three of the most important:
- Build security into all transitions – business processes, IT, control systems, everything. Think about what kind of protections will disappear when old processes or systems are decommissioned and plan for how those protections will remain present during the transition.
- Conduct a thorough employee awareness program to ensure that all employees of both companies understand what transitions are taking place and what their roles are in protecting the resulting merged entity during the transition. It is especially important to notify employees that no one will call them and ask for passwords or other sensitive data.
- Have a backup plan in case something goes wrong during the transition to ensure that the business can continue to operate. Like most business continuity planning, this is often an arduous but critical activity.
Usually the transitions associated with an M&A do not all happen at once. Enterprise IT systems and operations control systems sometimes are not merged until years after the transaction. Unfortunately, one of the first transaction activities is to terminate the employment of administrative employees made unnecessary by the M&A. Even in this case, there should be sufficient protection against hostile activities by disgruntled former employees, including prompt revocation of their access.
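One concrete control behind that last point is an offboarding reconciliation: compare the HR list of terminated employees against the directory and the authentication logs, and flag both accounts that are still enabled after the owner left and successful logins that occur after the termination date. The script below is an added example and is not code from the original post or from Navigant; the HR export, directory export and log line format are constructed here for illustration and are assumptions, not any real product's format.

```python
"""Offboarding reconciliation check (added example, not from the original post).

Inputs (all constructed for this example; real formats will differ):
  * an HR export of terminated employees with their termination dates
  * a directory export showing whether each account is still enabled
  * authentication log lines: "<ISO timestamp> <user> <SUCCESS|FAILURE> <source>"

Outputs:
  * accounts still enabled although the owner's termination date has passed
  * successful logins by a terminated user after the termination date
"""
from datetime import date, datetime

# Constructed HR export: username -> termination date (ISO 8601 string).
TERMINATED = {
    "jdoe": "2014-05-02",
    "asmith": "2014-05-05",
}

# Constructed directory export: username -> account attributes.
# asmith was disabled centrally; jdoe was not.
DIRECTORY = {
    "jdoe": {"enabled": True},
    "asmith": {"enabled": False},
    "bwong": {"enabled": True},
}

# Constructed authentication log. asmith's sftp-01 login succeeds even though
# the central account is disabled: the sort of local account that survives
# an offboarding step tied only to the main directory.
AUTH_LOG = """\
2014-05-01T17:55:02 jdoe SUCCESS vpn-gw1
2014-05-05T08:12:40 jdoe SUCCESS vpn-gw1
2014-05-06T22:03:11 asmith FAILURE vpn-gw1
2014-05-06T22:03:30 asmith SUCCESS sftp-01
2014-05-07T09:00:00 bwong SUCCESS vpn-gw1
"""


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, user, result, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = line.split()
        events.append((datetime.fromisoformat(ts), user, result, source))
    return events


def stale_accounts(terminated, directory, as_of):
    """Usernames whose termination date is on or before `as_of` (ISO string)
    but whose directory account is still enabled."""
    cutoff = date.fromisoformat(as_of)
    return sorted(
        user for user, term in terminated.items()
        if date.fromisoformat(term) <= cutoff
        and directory.get(user, {}).get("enabled", False)
    )


def post_termination_logins(terminated, events):
    """Successful authentications strictly after the user's termination date.

    Logins on the termination day itself are treated as legitimate (the
    employee may still be working that day); anything later is flagged.
    """
    hits = []
    for ts, user, result, source in events:
        term = terminated.get(user)
        if term is None or result != "SUCCESS":
            continue
        if ts.date() > date.fromisoformat(term):
            hits.append((user, ts.isoformat(), source))
    return hits


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    print("Still enabled after termination:", stale_accounts(TERMINATED, DIRECTORY, "2014-05-10"))
    for user, when, source in post_termination_logins(TERMINATED, events):
        print(f"Post-termination login: {user} at {when} via {source}")
```

The two checks catch different failures: the stale-account check finds offboarding steps that were never performed, while the log check finds access paths (local accounts, VPN certificates, shared credentials) that the central directory does not govern. Running both on every termination batch during the merger, rather than once at the end, is what makes the control useful during the transition window the post describes.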