Determining insurance's role for cybersecurity incidents

Cybersecurity is one thing, but figuring out where insurance fits into the big picture is not so simple these days with cyber-physical attacks becoming more sophisticated.

04/09/2017


ISSSource.comThere was a period of time not too long ago when insurers had an easier time deciding on how much protection a manufacturing operation needed. It was all very cut and dried.

Add today’s cybersecurity issues on top of the physical plant, and insurers are no doubt pulling out their hair because they just don’t know what to do. That is why cyber-physical attacks on critical infrastructure that have the potential to damage physical assets and cause widespread losses are keeping insurers wide awake at night.

A cyber-physical attack on critical infrastructure occurs when a hacker gains access to a computer system that operates equipment in a manufacturing plant, oil pipeline, a refinery, an electric generating plant, or the like and is able to control the operations of that equipment to damage assets or other property.

A major cyber-physical attack on critical infrastructure is a risk not only for the owners and operators of those assets, but also for their suppliers, customers, businesses and persons in the vicinity of the attacked asset, and any person or entity that may be adversely affected by it (e.g., hospital patients and shareholders).

Because damages caused by a cyber-physical attack can be widespread, massive, and highly correlated, affecting multiple sectors of the economy and many lines of insurance, the insurance industry is giving this risk heightened attention.

Cybersecurity is one thing, but figuring out where insurance fits into the big picture is not so simple these days.The UK insurance marketplace Lloyd’s, London and the University of Cambridge, for example, conducted a major study of the losses resulting from a hypothetical cyber-physical attack on 50 electrical generators in the Northeast U.S. Other insurance market participants have also published reports addressing cyber-physical risks to critical infrastructure. The insurance industry’s focus on cyber-physical risks perhaps should be action-guiding for corporate policyholders as well.

Two major attacks

To date, there have been only two major publicized cyber-physical attacks. The first was the use, in 2008 through 2010, of the Stuxnet virus to destroy approximately 20 percent of Iran’s centrifuges used to make nuclear materials. Stuxnet, as ISSSource reported was a joint effort between the U.S. and Israel to slow down or stop Iran’s nuclear program, damaged centrifuges at the Natanz nuclear facility in Iran by causing them to spin out of control while the operators thought everything was running normally.

In the second attack, in late 2014, hackers gained access to the computers of a German steel mill through a minor support system for environmental control. The attack led to the destruction of a blast furnace in the steel mill. German authorities did not allow the publication of many details of the attack, but they did describe the resulting damage as “massive.”

Several attacks on critical infrastructure did not result in property damage beyond the infected computers themselves, but apparently only because of fortuitous events or the narrow goals of the attackers.

Some cases of such attacks include:

  • An attack on the Ukraine power grid in December 2015. This was a multistage, multisite attack that disconnected seven 110 kV and three 35 kV substations and resulted in a power outage for 80,000 people for three hours. The attackers’ point of entry – a phishing scam.
  • In 2014 the “Energetic Bear” virus was in over 1,000 energy firms in 84 countries. This virus was for industrial espionage and, because it infected industrial control systems in the affected facilities, it could have damaged those facilities, including wind turbines, strategic gas pipeline pressurization and transfer stations, LNG port facilities, and electric generation power plants. It has been suggested that a nation-state “pre-positioned attack tools to disrupt national scale gas suppliers.”
  • A small flood control dam 20 miles north of New York City ended up hacked in 2013. The attacker would have been able to control the sluices but for their being taken off-line for maintenance. One report suggested the attackers intended to hack a dam of the same name in Oregon many times the size of the New York dam.
  • Last November hackers destroyed thousands of computers at six Saudi Arabian organizations, including those in the energy, manufacturing, and aviation industries. The attack was aimed at stealing data and planting viruses; it also wiped the computers so they were unable to reboot.  This attack was similar to a 2012 attack on Saudi Aramco, the world’s largest oil company, which destroyed 35,000 computers.

These are not isolated incidents.

The scope of the cyber risk to critical infrastructure is multiplied when those view cyber not as a discrete risk, but as “being an enabling and amplifying factor for existing categories of risk.” If the non-cyber risk of fire or explosion at an oil refinery is X, then including in the risk calculation the probability of that fire or explosion being caused by a cyberattack leads to a risk of multiples of X.


<< First < Previous 1 2 Next > Last >>

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Additive manufacturing benefits; HMI and sensor tips; System integrator advice; Innovations from the industry
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Integrated mobility; Artificial intelligence; Predictive motion control; Sensors and control system inputs; Asset Management; Cybersecurity
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me