Lloyd’s and reinsurance broker Guy Carpenter find vulnerabilities for industrial and manufacturing businesses.
As cyber threats continue to evolve and become more sophisticated, it is crucial for insurers to understand these emerging risks in order to keep pace with their clients’ exposures.
The recently released report, The Emerging Cyber Threat to Industrial Control Systems, considers potential real-world scenarios which visualise a range of cyber-attacks causing physical damage to major industrial and manufacturing organisations.
Cyber-attack risks have previously been considered unlikely to materially impact the physical market, with cyber perils traditionally emerging in the form of non-physical losses.
However, the report looks at how physical risks have become a rapidly growing concern for industrial businesses as shown by recent high-profile breaches. As bridges are increasingly being built between information technology (IT) and operational technology (OT), along with increases in automation and sophistication of threat actors, it is paramount that (re)insurers carefully consider where major losses may occur.
British financial institution Lloyd’s, CyberCube and Guy Carpenter have conducted an analysis detailing three scenarios which represent the most plausible routes by which a cyber-attack against industrial control systems (ICS) could generate major insured losses.
The report considers four key industries dependent upon ICS and assesses precedent and potential impact on each:
- Manufacturing
- Shipping
- Energy
- Transportation
Designed to aid individual syndicates’ understanding of the impact of emerging cyber risks on their portfolios of business, the report focuses on three potential routes of attack by organised hackers:
- A targeted supply-chain malware attack, in which malicious actors breach a device manufacturer and compromise that manufacturer’s products before distribution
- A targeted attack, in which attackers exploit a vulnerability in widely used Internet of Things (IoT) devices found in industrial settings
- The infiltration of industrial IT networks to cross the OT “air-gap”.
In one scenario, malware is introduced into the industrial site via malicious software updates and/or installation of new (infected) devices. A logic bomb in the malware delays the activation with specified conditions that can be programmed for maximal impact. Other scenarios could, for example, lead to attackers gaining control of water pumps or temperature regulation systems.
Kirsten Mitchell-Wallace, head of portfolio risk management at Lloyd’s, said its market is advanced when it comes to insuring cyber risks.
“It’s therefore vital Lloyd’s syndicates underwriting this class of business have the ability to analyse their portfolios against the most sophisticated and technologically advanced risk scenarios,” she said.
Mitchell-Wallace noted that the risk of ICS-based cyber-physical events is increasing.
“Because of this, we’ve partnered with CyberCube and Guy Carpenter to create these illustrative scenario pathways based on highly realistic threats and modes of attack,” she said.
The foundation for researching this threat was to assess its relevance as a scenario that could result in market-wide physical loss on an aggregated basis. Following careful consideration of the most relevant current threats and those on the horizon for Lloyd’s, Lloyd’s decided to investigate development of a scenario based on an IoT supply chain event impacting the industrial/manufacturing industries.
To meet the criteria for Lloyd’s-wide scenario development, it would need to be measured as an aggregable and insurable event affecting a significant number of syndicates. Upon initial reflection on the premise for this scenario, we examined the potential for the following characteristics:
(1) exploitation of an IoT vulnerability
(2) impact on supply chains
(3) targeting of industrial/manufacturing industries
(4) resulting physical damage from the incident
Through researching the idea of this being an IoT scenario, we determined that a common understanding of what is meant by “IoT” was needed, differentiating the wider technological phenomenon from its common association with wearables.
The defined scope included networks of devices and machines – “things” – embedded with sensors and software that enable those things to exchange data over the Internet, as well as various administrative systems and associated instrumentation such as devices, networks, and more which are used to operate and automate industrial processes.
As is true with all scenario development, one of the first steps in designing this scenario was to find and understand any precedents. As this report will uncover, each one of these incidents is part of the foundation for building a cyber scenario; however, a critical part of scenario development is to take these learnings from past precedents and introduce scalability beyond isolated incidents.
Although the affirmative cyber insurance product is well established, there is a comparative lack of understanding and awareness of cyber-physical risks. Cyber has been traditionally viewed as a non-physical peril, but this is demonstrably no longer the case.
Use of the CZ risk code in the Lloyd’s market acts to help focus attention on cyber-physical risk, but it is important that the market builds a foundation of expertise and experience in this emerging area of risk.
Syndicates should monitor product coverages carefully across classes for relevance to the cyber-physical peril. This requires an active strategy to consider different potential cyber-physical scenarios, and where the losses may fall from these. As part of this, attaining coverage clarity across traditional classes is key.
The findings of this report can be used to aid the development of bespoke cyber-physical scenarios for different classes of business for stress testing purposes.
While an imminent mass-scale cyber-physical attack may be unlikely, the threat is evolving very rapidly. Precedents strongly point to continual targeting of strategic industrial sectors, as described in this report.
Currently, technology implementation and vulnerabilities can be fairly bespoke in many cases, but attackers are aided in this respect by the increasing interconnection of systems and the homogenisation of technology.
This will act to heighten the risk significantly over time, which requires a comprehensive response. As part of a risk mitigation strategy, syndicates need to monitor the correlation potential for risks stemming from attacks bridging the IT/OT gap.
This is particularly a concern for portfolios with concentrations of comparable large industrial risks. Insurers should consider commonalities of exposure within industry segments and identify the increasing uniformity of components in supply chains. In practice, syndicates can improve awareness by building a technology inventory for their insureds. This might include identifying leading PLC components and investigating the use of common industrial OT and IoT assets. It is important for syndicates to focus on procedures as well as components.
Among other aspects, this should encompass the extent of air-gapping between IT and OT systems, the nature of risk management protocols such as automated patch updates, and the presence of known industrial component vulnerabilities.
In addition to technological safeguards, information should be gathered from insureds on business-critical system dependence and operational resilience should an incident occur. Beyond understanding exposure, syndicates should monitor the threat landscape carefully. Attack incidents, precedents, and near-misses can all be cross-examined to understand active risks and how they might be aligned to portfolios.
Malicious actors routinely target specific sectors or institutions, and these evolving trends can be examined in real-time to help inform the view of the risk.
Finally, it is crucial that syndicates recognise that cyber-physical risks are growing and require considered and committed action. The question of a significant event occurring is one of “when”, and not “if”. The response required from the market is to build a comprehensive and sustainable base across underwriting, product development, pricing, and exposure management.