The London market has been warned it needs to better understand the rising threat of cyber attacks to industrial and manufacturing facilities, as criminals switch their focus to find new ways to extort and disrupt businesses.

Lloyd’s of London has warned that the world is now at an inflection point where the potential for cyber threats arising from the prolific use of digital systems to control physical processes will bring IT and operational technology (OT) risks closer together.

The market collaborated with broker Guy Carpenter and analytics specialist CyberCube to create The Emerging Cyber Threat to Industrial Control Systems, a report that considered potential real-world scenarios that visualise a range of cyber attacks causing physical damage to major industrial and manufacturing organisations.

It said cyber attacks and incidents that affect the confidentiality, availability and integrity of data and information systems have become increasingly ingrained into society.

“The fast-paced evolution of today’s cyber security threat landscape, combined with increased reliance on internet-connected technologies in critical industrial operations, has the potential to give rise to an increased number of cyber incidents,” it explained.

“In response to this, the standalone cyber insurance market has grown significantly, to a point where it will soon move beyond a $10bn market threshold.”

As such, the (re)insurance sector needs to proactively consider dynamics that are likely to affect the way that businesses should manage cyber risk.

(Re)insurance awareness

The report added that to date, the overwhelming majority of cyber incidents have related to IT rather than being based on physical processes.

“However, we now find ourselves at an inflection point where the potential for cyber threats arising from the prolific use of digital systems to control physical processes will bring IT and OT risks closer together,” it cautioned.

“The potential for physical perils represents a major turning point for the broader cyber (re)insurance ecosystem.

“This risk has previously been considered unlikely to generate insured losses, with cyber perils traditionally emerging in the form of non-physical losses. However, as bridges are being built between IT and OT and there is increased automation and greater sophistication of threat actors seeking new avenues to create disruption, incidents are increasingly likely.”

Jamie Pocock, Guy Carpenter’s head of GC cyber analytics, international, said: “A major industrial controls system attack could impact a broad range of industrial businesses and classes of insurance.

“As these attacks cross the divide between information technology and operational technology, they could conceivably involve significant property damage and loss of human life.

“The key is continued research, surveillance and risk selection, to help improve underwriting standards and portfolio management.”

The report detailed three scenarios that represent the most plausible routes by which a cyber attack against industrial control systems (ICS) could generate major insured losses. All three scenarios have historical precedents.

It described how more severe events could unfold across four key industries – manufacturing, shipping, energy and transportation – dependent upon ICS and assessed precedents and the potential impact on each sector.

“The potential for physical perils represents a major turning point for the broader cyber (re)insurance ecosystem,” explained the report.

“This risk has previously been considered unlikely to materially impact the market, with cyber perils traditionally emerging in the form of non-physical losses.

“However, crossing the divide between information technology (IT) and operational technology (OT), along with increases in automation and the sophistication of threat actors, means it is paramount that (re)insurers carefully consider how major losses may occur and the potential impacts.”

Adapting to cyber-physical risks

The report said there were key issues the market needed to consider on this topic:

  • Only a nation-state or nation-state affiliated actor is likely to possess the resources and level of technical sophistication necessary for a malicious ICS-oriented attack.
  • Three plausible scenarios consider: (1) a targeted supply chain malware attack, in which malicious actors breach a device manufacturer and compromise that manufacturer’s products before distribution; (2) a targeted Internet of Things (IoT) vulnerability attack, in which attackers exploit a vulnerability in widely used IoT devices found in industrial settings; and (3) the infiltration of industrial IT networks to cross the OT “air-gap”.
  • An OT event could conceivably trigger a loss that leads to property damage and loss of life in one entity and lead to extensive forensics, remediation and product recall as necessary to limit further damage. However, an event leading to widespread property damage, business interruption and human costs across multiple sites is currently less likely to occur.
  • A targeted attack against an industrial site in an industry with outsized strategic, economic or societal importance (or any combination of those factors) would be hugely significant. The key industries considered include manufacturing, energy, transportation and shipping.
  • Continued trends of increased cloud adoption in industrial operations, the convergence of IT and OT and the proliferation of IoT and “smart manufacturing” can exacerbate security concerns and increase exposure profiles.

Kirsten Mitchell-Wallace, Lloyd’s head of portfolio risk management, said: “The Lloyd’s market is advanced when it comes to insuring cyber risks and it is therefore vital Lloyd’s syndicates underwriting this class of business have the ability to analyse their portfolios against the most sophisticated and technologically advanced risk scenarios.”

The report concluded: “We recommend continued research and focus on developing and improving exposure management and underwriting standards in an emerging area of cyber risk [where] boundaries are yet to be defined.

“Furthermore, we recommend continued diligence around the increasing aggregation potential that could transition the groundwork laid for a threat specific to individual portfolios to one that may aggregate across the market.

“The insurance market has a rich legacy of adapting to emerging risks and changing trends. As the risk of cyber-physical losses grows, it is essential that the market develops products and expertise to service this.”