Insurers must be alert to the threat of physical damage from cyber attacks

In the middle of the night on 27 June 2022 – after workers had gone home – molten metal began to spray across a steel factory floor in Iran. The result was costly damage to industrial equipment, as well as a fire that had to be extinguished quickly.

This was no accident. A hacking group called Predatory Sparrow claimed responsibility for the incident and said it had carried out another two cyber attacks against Iranian steel makers on the same night.

Iranian state media confirmed that cyber attacks had affected the IT systems of some of the country’s steel plants, saying it had been attacked by “foreign enemies”.

It is rare that cyber attacks cause physical or kinetic damage – the vast majority employ ransomware with the intention of extorting money from a business – but there are famous examples bucking cyber criminals’ status quo.

Stuxnet was a malicious computer programme discovered in 2010 that targeted Iranian infrastructure.

This caused significant damage to the country’s nuclear programme by targeting supervisory control and data acquisition (Scada) systems - this led to centrifuges tearing themselves apart by spinning too quickly.

This tactic managed to disable the programme without causing a catastrophe - it remained undiscovered for many years.

In a report entitled Shifting powers: Physical cyber risk in a changing gepolitical landscape – published last month (30 June 2022) – Lloyd’s of London warned that cyber attacks which caused physical damage were becoming increasingly commonplace. 

According to the report, the number of cyber attacks targeting critical infrastructure rose from fewer than 10 in 2013 to almost 400 in 2020. 

Lloyd’s noted that there were serious potential material impacts on businesses from these sort of attacks – including explosions, flooding and bodily injury – that risk managers should be aware of. 

Philippa Berry, cyber product leader at CFC, said: “The market has seen only a few examples of cyber attacks resulting in physical damage to property, as experienced by the Iranian steel factories.

“When they have occurred, they tend to be highly targeted, sophisticated attacks that are often politically motivated.”

These sorts of attacks require “a huge amount of effort” that evidences the probable involvement of a nation-state actor, added Richard Hodson, director at UKGlobal Broking Group.

That is not to say that Western firms can safely be ignorant to the threat of kinetic damage caused by cyber attacks, however.

Hodson explained that conflicts – such as the ongoing war in Ukraine – were causing a proliferation in cyber weapons that could eventually “end up in the wrong hands and be turned on more commercial targets”.

A vast array of businesses are open to this sort of attack. Hodson explained: “Most operations are now computer controlled – pharmaceutical production, water processing, car manufacturing or food processing, for example. Anything that has Scada risks, robotic processes or some computer automated processes is open to vulnerabilities.

“Imagine what would happen if someone was able to take control of a sewage plant and started releasing raw sewage into drinking water, or if an attacker messed with the concocting of pharmaceutical drugs.”

Threat mitigation

Avoiding this threat involves paying close attention to security protocols. Berry said: “When considering damage to tangible assets resulting from a cyber attack, good cyber hygiene and security maturing between IT networks and operational technology (OT) infrastructure is essential to mitigate against such attacks.”

OT refers to the hardware and software used to detect or cause changes in industrial equipment via monitoring or control.

Berry continued: “Ensuring secure protections between the two networks – with information only flowing in one direction and ensuring OT is not internet facing and, where it is, using the correct technology to secure this – will help minimise the potential for a cyber attack against the IT network impacting OT and ultimately causing physical damage.”

Providing effective cover

The issue of kinetic damage caused by a cyber attack is somewhat complicated where coverage is concerned – while the risk originates from a virtual source, the damage caused is very much situated in the real world.

This means that cyber policies are often not activated. Berry explained: “The result of the attack on tangible assets can be significant and this is most typically still insured by the non-cyber market, as the cyber insurance market focuses on protecting against non-physical damage to intangible assets.

”When we are considering infrastructure, such as oil rigs, steel plants or other physical assets of scale, significant capacity is required to be able to provide meaningful cover and – at present – the cyber insurance market is not able to meet this demand, as capacity is limited to circa $500m (£415m).”

Berry noted that the cyber market was not best placed to cover these risks in any case. She added: “You wouldn’t think of calling your cyber insurer if your factory was burning down.

“We think it’s appropriate that the traditional property market covers physical damage costs and any other related business interruption.”

Hodson agreed that the property market was best placed to cover this specific risk, despite its cyber origin.

“The most important takeaway from this is that we must ensure that property policies are picking up on physical damage following a cyber attack,” he said.

“If a fire is caused by a cyber attack, the loss is still a fire. As a broker, I need to be sure that – if I have these manufacturing risks – I can confidently say that a property policy will respond to this type of exposure.”

Manufacturers, including smaller firms, should check whether physical losses following a cyber attack are covered under their property policies, Hodson advised.

While these attacks remain uncommon for the moment, Hodson noted that this may not remain the case forever.

He explained: “Many insurers’ clients are not likely to be targeted in this sort of concerted attack, but they could suffer damage as a consequence of these military-grade cyber weapons becoming accessible to criminals.”