Determining insurance's role for cybersecurity incidents
Cybersecurity is one thing, but figuring out where insurance fits into the big picture is not so simple these days with cyber-physical attacks becoming more sophisticated.
There was a period of time not too long ago when insurers had an easier time deciding on how much protection a manufacturing operation needed. It was all very cut and dried.
Add today’s cybersecurity issues on top of the physical plant, and insurers are no doubt pulling out their hair because they just don’t know what to do. That is why cyber-physical attacks on critical infrastructure that have the potential to damage physical assets and cause widespread losses are keeping insurers wide awake at night.
A cyber-physical attack on critical infrastructure occurs when a hacker gains access to a computer system that operates equipment in a manufacturing plant, oil pipeline, a refinery, an electric generating plant, or the like and is able to control the operations of that equipment to damage assets or other property.
A major cyber-physical attack on critical infrastructure is a risk not only for the owners and operators of those assets, but also for their suppliers, customers, businesses and persons in the vicinity of the attacked asset, and any person or entity that may be adversely affected by it (e.g., hospital patients and shareholders).
Because damages caused by a cyber-physical attack can be widespread, massive, and highly correlated, affecting multiple sectors of the economy and many lines of insurance, the insurance industry is giving this risk heightened attention.
The UK insurance marketplace Lloyd’s, London and the University of Cambridge, for example, conducted a major study of the losses resulting from a hypothetical cyber-physical attack on 50 electrical generators in the Northeast U.S. Other insurance market participants have also published reports addressing cyber-physical risks to critical infrastructure. The insurance industry’s focus on cyber-physical risks perhaps should be action-guiding for corporate policyholders as well.
Two major attacks
To date, there have been only two major publicized cyber-physical attacks. The first was the use, in 2008 through 2010, of the Stuxnet virus to destroy approximately 20 percent of Iran’s centrifuges used to make nuclear materials. Stuxnet, as ISSSource reported was a joint effort between the U.S. and Israel to slow down or stop Iran’s nuclear program, damaged centrifuges at the Natanz nuclear facility in Iran by causing them to spin out of control while the operators thought everything was running normally.
In the second attack, in late 2014, hackers gained access to the computers of a German steel mill through a minor support system for environmental control. The attack led to the destruction of a blast furnace in the steel mill. German authorities did not allow the publication of many details of the attack, but they did describe the resulting damage as “massive.”
Several attacks on critical infrastructure did not result in property damage beyond the infected computers themselves, but apparently only because of fortuitous events or the narrow goals of the attackers.
Some cases of such attacks include:
- An attack on the Ukraine power grid in December 2015. This was a multistage, multisite attack that disconnected seven 110 kV and three 35 kV substations and resulted in a power outage for 80,000 people for three hours. The attackers’ point of entry – a phishing scam.
- In 2014 the “Energetic Bear” virus was in over 1,000 energy firms in 84 countries. This virus was for industrial espionage and, because it infected industrial control systems in the affected facilities, it could have damaged those facilities, including wind turbines, strategic gas pipeline pressurization and transfer stations, LNG port facilities, and electric generation power plants. It has been suggested that a nation-state “pre-positioned attack tools to disrupt national scale gas suppliers.”
- A small flood control dam 20 miles north of New York City ended up hacked in 2013. The attacker would have been able to control the sluices but for their being taken off-line for maintenance. One report suggested the attackers intended to hack a dam of the same name in Oregon many times the size of the New York dam.
- Last November hackers destroyed thousands of computers at six Saudi Arabian organizations, including those in the energy, manufacturing, and aviation industries. The attack was aimed at stealing data and planting viruses; it also wiped the computers so they were unable to reboot. This attack was similar to a 2012 attack on Saudi Aramco, the world’s largest oil company, which destroyed 35,000 computers.
These are not isolated incidents.
The scope of the cyber risk to critical infrastructure is multiplied when those view cyber not as a discrete risk, but as “being an enabling and amplifying factor for existing categories of risk.” If the non-cyber risk of fire or explosion at an oil refinery is X, then including in the risk calculation the probability of that fire or explosion being caused by a cyberattack leads to a risk of multiples of X.
- Events & Awards
- Magazine Archives
- Digital Reports
- Global SI Database
- Oil & Gas Engineering
- Survey Prize Winners
- CFE Edu