Determining insurance's role for cybersecurity incidents

Cybersecurity is one thing, but figuring out where insurance fits into the big picture is not so simple these days with cyber-physical attacks becoming more sophisticated.


ISSSource.comThere was a period of time not too long ago when insurers had an easier time deciding on how much protection a manufacturing operation needed. It was all very cut and dried.

Add today’s cybersecurity issues on top of the physical plant, and insurers are no doubt pulling out their hair because they just don’t know what to do. That is why cyber-physical attacks on critical infrastructure that have the potential to damage physical assets and cause widespread losses are keeping insurers wide awake at night.

A cyber-physical attack on critical infrastructure occurs when a hacker gains access to a computer system that operates equipment in a manufacturing plant, oil pipeline, a refinery, an electric generating plant, or the like and is able to control the operations of that equipment to damage assets or other property.

A major cyber-physical attack on critical infrastructure is a risk not only for the owners and operators of those assets, but also for their suppliers, customers, businesses and persons in the vicinity of the attacked asset, and any person or entity that may be adversely affected by it (e.g., hospital patients and shareholders).

Because damages caused by a cyber-physical attack can be widespread, massive, and highly correlated, affecting multiple sectors of the economy and many lines of insurance, the insurance industry is giving this risk heightened attention.

Cybersecurity is one thing, but figuring out where insurance fits into the big picture is not so simple these days.The UK insurance marketplace Lloyd’s, London and the University of Cambridge, for example, conducted a major study of the losses resulting from a hypothetical cyber-physical attack on 50 electrical generators in the Northeast U.S. Other insurance market participants have also published reports addressing cyber-physical risks to critical infrastructure. The insurance industry’s focus on cyber-physical risks perhaps should be action-guiding for corporate policyholders as well.

Two major attacks

To date, there have been only two major publicized cyber-physical attacks. The first was the use, in 2008 through 2010, of the Stuxnet virus to destroy approximately 20 percent of Iran’s centrifuges used to make nuclear materials. Stuxnet, as ISSSource reported was a joint effort between the U.S. and Israel to slow down or stop Iran’s nuclear program, damaged centrifuges at the Natanz nuclear facility in Iran by causing them to spin out of control while the operators thought everything was running normally.

In the second attack, in late 2014, hackers gained access to the computers of a German steel mill through a minor support system for environmental control. The attack led to the destruction of a blast furnace in the steel mill. German authorities did not allow the publication of many details of the attack, but they did describe the resulting damage as “massive.”

Several attacks on critical infrastructure did not result in property damage beyond the infected computers themselves, but apparently only because of fortuitous events or the narrow goals of the attackers.

Some cases of such attacks include:

  • An attack on the Ukraine power grid in December 2015. This was a multistage, multisite attack that disconnected seven 110 kV and three 35 kV substations and resulted in a power outage for 80,000 people for three hours. The attackers’ point of entry – a phishing scam.
  • In 2014 the “Energetic Bear” virus was in over 1,000 energy firms in 84 countries. This virus was for industrial espionage and, because it infected industrial control systems in the affected facilities, it could have damaged those facilities, including wind turbines, strategic gas pipeline pressurization and transfer stations, LNG port facilities, and electric generation power plants. It has been suggested that a nation-state “pre-positioned attack tools to disrupt national scale gas suppliers.”
  • A small flood control dam 20 miles north of New York City ended up hacked in 2013. The attacker would have been able to control the sluices but for their being taken off-line for maintenance. One report suggested the attackers intended to hack a dam of the same name in Oregon many times the size of the New York dam.
  • Last November hackers destroyed thousands of computers at six Saudi Arabian organizations, including those in the energy, manufacturing, and aviation industries. The attack was aimed at stealing data and planting viruses; it also wiped the computers so they were unable to reboot.  This attack was similar to a 2012 attack on Saudi Aramco, the world’s largest oil company, which destroyed 35,000 computers.

These are not isolated incidents.

The scope of the cyber risk to critical infrastructure is multiplied when those view cyber not as a discrete risk, but as “being an enabling and amplifying factor for existing categories of risk.” If the non-cyber risk of fire or explosion at an oil refinery is X, then including in the risk calculation the probability of that fire or explosion being caused by a cyberattack leads to a risk of multiples of X.

<< First < Previous Page 1 Page 2 Next > Last >>

The Top Plant program honors outstanding manufacturing facilities in North America. View the 2015 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Pipe fabrication and IIoT; 2017 Product of the Year finalists
The future of electrical safety; Four keys to RPM success; Picking the right weld fume option
A new approach to the Skills Gap; Community colleges may hold the key for manufacturing; 2017 Engineering Leaders Under 40
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
The cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Power system design for high-performance buildings; mitigating arc flash hazards
VFDs improving motion control applications; Powering automation and IIoT wirelessly; Connecting the dots
Natural gas engines; New applications for fuel cells; Large engines become more efficient; Extending boiler life

Annual Salary Survey

Before the calendar turned, 2016 already had the makings of a pivotal year for manufacturing, and for the world.

There were the big events for the year, including the United States as Partner Country at Hannover Messe in April and the 2016 International Manufacturing Technology Show in Chicago in September. There's also the matter of the U.S. presidential elections in November, which promise to shape policy in manufacturing for years to come.

But the year started with global economic turmoil, as a slowdown in Chinese manufacturing triggered a worldwide stock hiccup that sent values plummeting. The continued plunge in world oil prices has resulted in a slowdown in exploration and, by extension, the manufacture of exploration equipment.

Read more: 2015 Salary Survey

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
The maintenance journey has been a long, slow trek for most manufacturers and has gone from preventive maintenance to predictive maintenance.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Maintenance Manager; California Oils Corp.
Associate, Electrical Engineering; Wood Harbinger
Control Systems Engineer; Robert Bosch Corp.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me