Increased Reliance on Technology Raises Risk of Cyber-Physical Losses

Business professionals look at documents with light bulb padlock and various icons

February 22, 2021

Business professionals look at documents with light bulb padlock and various icons

As information technology becomes more and more a part of operations technology and cyber criminals become increasingly sophisticated, the threat of physical losses resulting from cyber attacks is growing, according to a new report.

The study of the growing cyber threat to industrial control systems (ICS) was conducted by Lloyd's, Guy Carpenter & Company LLC, and cyber-risk analytics firm CyberCube.

Their report, Cyber Risk: The Emerging Threat to Industrial Control Systems, finds that the convergence of information technology (IT) and operations technology (OT) along with increases in automation and the sophistication of threat actors make it essential that (re)insurers consider how cyber attacks might produce major physical losses.

The trend toward increasing cloud computing adoption in industrial operations, the convergence of IT and OT, and the proliferation of the Internet of Things (IoT) and "smart manufacturing" can increase security concerns and exposures, the study found.

The report suggests that only a nation-state or cyber criminals affiliated with a nation-state are likely to possess the resources and technical sophistication necessary for a malicious ICS-oriented attack and describes three plausible scenarios to consider, as follows.

  • Targeted supply chain malware attacks in which malicious actors breach device manufacturers and compromise products
  • Targeted IoT vulnerability attacks in which the attackers exploit vulnerabilities in widely used IoT devices in industrial settings
  • The infiltration of IT networks to cross the operations technology "air gap"

An operations technology cyber event could possibly trigger a loss that leads to property damage and loss of life in a single entity, as well as the need for extensive forensics, remediation, and product recall to limit further damage, the report says. But an event leading to widespread property damage, business interruption, and human costs across multiple sites is less likely.

A targeted attack against an industrial site in an industry with outsized strategic, economic, or societal importance would be significant, according to the report, with key industries including manufacturing, energy, transportation, and shipping.

The rapid evolution of the cyber-security threat landscape along with increased reliance on Internet-connected technologies in industrial operations could potentially lead to an increased number of cyber incidents, according to the report. In response, the stand-alone cyber-insurance market has grown significantly.

Thus far, the vast majority of cyber attacks have involved IT rather than physical processes, the report notes. Now, however, there is the potential for cyber threats related to the use of digital systems to control physical processes, prompting a convergence of IT and OT risks.

For large industrial risks transferred into the insurance market, threats to OT could result in significant claims, the report suggests.

The convergence of IT and OT cyber risks means that many lines of insurance business could potentially be exposed to loss in a cyber attack beyond the stand-alone cyber-insurance market, the report says. Costs that could arise in such an attack could include material damage costs such as property destruction and loss of life and bodily injury, and nonmaterial damage costs including business interruption, contingent business interruption, loss of shareholder value, loss of data, and bricking of machines.

Given the study's conclusion that nation-state or nation-state-affiliated actors are most likely to be behind a malicious ICS-oriented attack, the report notes that several nations have been known to provide homes to cyber-criminal hacking groups, with the potential for cyber-attack activity to be unofficially condoned with uncertain links to the state.

The report considers the potential impact of ICS attacks causing physical losses across several industries.

Considering manufacturing, the report notes that security firm CrowdStrike reported in 2020 that the manufacturing industry has experienced a dramatic increase in cyber intrusions.

Manufacturing processes increasingly incorporate smart devices and embedded intelligence, the report notes, and the number of IoT devices in use in manufacturing continues to increase. With that increased digitization and reliance on IoT come new security vulnerabilities such as opportunities for cyber criminals to cross from IT to OT networks.

"Large scale attacks on manufacturing operations could cause large explosions or chemical spills impacting surrounding areas as well as supply chain disruptions," the report says.

In the energy sector—particularly in oil and gas production—operations rely on diverse and complex supply chains that can be exploited and are difficult to defend, the report says. Meanwhile, energy industry sites are incorporating new technologies including IoT and cloud computing to enable automation and intelligence. The result is that oil and gas companies are increasingly exposed to cyber threats, the report says.

The report notes that during the first half of 2020 the number of attacks on oil and gas industry computer systems increased significantly compared to the same period a year earlier. "Worst-case-scenario attacks on oil and gas systems could lead to explosions at refineries or offshore drilling units," the report says.

The transportation industry has also increased its reliance on IT and interconnectivity to improve efficiency, but that increased reliance has also increased cyber risks, according to the report. The number of transportation industry companies affected by cyber incidents annually—and the associated costs—are on the rise, the report says, though most transportation infrastructure attacks thus far have not been destructive.

The most common cyber incidents in transportation have been data breaches, the report says, though increased threat activity alongside the industry's digitization trends and rising susceptibility to cyber attacks suggest that future attacks causing physical damage to transportation infrastructure aren't unlikely.

"We can consider a disaster scenario in which attacks on control and navigation systems on passenger trains cause widespread stoppages, or in a worst-case scenario a cyber-induced multipassenger-train crash," the report says.

In the shipping industry, the industry and maritime assets such as ocean-going vehicles and port facilities are increasingly exposed to cyber attacks, the report says. The report cites the maritime cyber-security firm Naval Dome's finding of a 400 percent increase in attempted cyber attacks during 2020. Notably, the increase occurred during a period in which the maritime industry was forced to rely more on remote technologies due to the COVID-19 pandemic.

The report notes that according to the Cyber Risk Management (CyRiM) project, a Singapore-based public-private initiative that assesses cyber risks, of which Lloyd's is a founding member, losses of up to $110 billion would occur in an extreme scenario in which a computer virus infects 15 ports.

"With threats to the shipping industry on the rise, a plausible attack could arise against a large shipping vessel's ballast pump control system," the report says. "This could lead to capsizing or crashing in a major port, with major supply chain disruptions and physical damage."

Ultimately the report notes that while the threat of a mass-scale cyber-physical attack might be unlikely at present, the threat is evolving quickly. It's essential that the (re)insurance industry monitor the threat landscape carefully and recognize that cyber risks are growing and provide a considered and committed industry response.

"The question of a significant event occurring is one of 'when,' and not 'if,'" the report says. "The response required from the market is to build a comprehensive and sustainable base across underwriting, product development, pricing, and exposure management."

February 22, 2021