Why companies underestimate the physical damage of cyber attacks

Cyber attacks can sabotage control of major industrial security systems, causing substantial physical damage and business interruption. Are you prepared, asks Sarah Stephens of JLT.

Much of the focus on cyber risks from businesses and their insurers has been on data protection, particularly protecting consumer details. This focus is likely to increase in Europe as the forthcoming European Union (EU) General Data Protection Regulation nears implementation.

But other cyber risks are being ignored by many firms. Privacy breaches and consumer data losses are just one small element of cyber-risk. The prospect of cyber-attacks causing physical damage is significant, yet it has been largely ignored. 

Unreported losses

This relative neglect is partly due to the small number of reported losses. Yet there are good reasons to take the threat seriously. 

First, the potential impact is huge. Lloyd’s Business Blackout report estimated the economic impact from the scenarios it examined would be from $243 billion to $1 trillion, with insured losses estimated between $21.4 billion and $71.1 billion. (The report describes all such theoretical scenarios as realistic, although some parties have queried this.)

Second, unlike data breaches, there is no regulation to compel businesses to publicise incidents, which means that many cases are likely to be unreported. It is not the kind of incident that companies like to publicise.

Who’s exposed?

Much of the attention on the physical damage caused by cyber-attacks has focused on the power and energy sectors. 

But the vulnerabilities stretch across utilities, telecommunications, oil and gas, petrochemicals, mining and manufacturing – any industry where industrial control systems (ICSs: computer systems used to monitor and control physical processes) are found.

In the US, 245 cyber-incidents were reported on ICSs in the 12 months up to 30 September 2014, according to figures from the Department of Homeland Security. Sixty-five of the attacks targeted manufacturers.

“That’s a large number, especially since there is no legal requirement for incidents to be reported,” says David White, Chief Knowledge Officer at Axio Global, a cyber-risk specialist serving critical infrastructure owners and operators.

Many attacks will not have resulted in physical damage, admits White, but that provides little reassurance.

“Surveillance-style attacks, using malicious software are designed to gather information about the ICS. The only reason to gather that information is to give someone a strategic advantage at some point in the future.”

Why you’re exposed 

Both the threat and the range of businesses with vulnerabilities are likely to grow. One reason is the availability of viruses and other malware that specifically target ICSs. Once developed and released onto the dark web, Stuxnet, as well as more recent discoveries such as Havex and BlackEnergy, are all now available to be accessed, modified and used by future potential attackers.

Furthermore, there is a continuing drive towards connectivity, with ICSs increasingly put online to allow remote monitoring and control and so improve operational efficiency. Much of the software that underlies the ICS infrastructure was never designed to be connected to anything, so it was not built with security in mind.

Growing liabilities

The growth of the ‘internet of things’ will also increase companies’ potential cyber-vulnerabilities, with the number of connected devices expected to triple by 2020, according to consultants Juniper Research.

Understanding the online connections within an organisation is therefore essential to improving security. An inventory of your devices and systems, and what they communicate with, is the first step to determining your vulnerabilities.

Blurred lines

For all the distinctions made between traditional IT and ICSs, many of the same principles apply when it comes to mitigating the risks for ICS and operational technologies. In part this is because vulnerabilities often start on the IT side.

For example, cyber-attackers that gain entry to the corporate network – by discovering a user’s password – can frequently make their way into the control system despite the best efforts to segregate it. Similarly, many of the points of vulnerability are the same: for example, the Stuxnet virus was introduced through a USB stick.

Organisations should ensure efforts to separate their IT network and ICS or production systems do not undermine cooperation between the teams responsible for them. 
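The inventory step described above (which devices exist, and what each one talks to) and the IT-to-ICS segregation concern in the previous paragraphs can both be checked from network flow records. The following is an added example, not code from the original article or from JLT, Axio or AES: it parses a handful of constructed flow records, builds a per-device inventory with each device's zone and peers, and lists every flow that crosses the corporate IT / ICS / external boundary so the segregation can be reviewed. The zone address ranges, the flow-record format, the sample flows and the small port-to-protocol table are all assumptions made for this illustration.

```python
"""Build a device/communication inventory from constructed flow records and
flag flows that cross the corporate IT / ICS / external boundary.

Added example, not code from the original article. All address ranges,
record formats and sample data below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed zone map: which address ranges belong to corporate IT and to the ICS network.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ics": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed flow records in the form "src_ip,dst_ip,dst_port,proto".
SAMPLE_FLOWS = """\
10.10.5.21,10.10.5.1,53,udp
10.10.5.21,192.168.100.10,502,tcp
192.168.100.10,192.168.100.20,502,tcp
192.168.100.20,203.0.113.7,443,tcp
10.10.7.3,192.168.100.10,3389,tcp
192.168.100.30,192.168.100.10,44818,tcp
"""

# Well-known ICS protocol ports (Modbus/TCP, EtherNet/IP, DNP3); used only to annotate output.
ICS_PORTS = {502: "modbus", 44818: "ethernet-ip", 20000: "dnp3"}


def zone_of(ip):
    """Return the zone name for an address, or 'external' if it is in no known range."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flows(text):
    """Parse the constructed CSV-style flow records into dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, proto = line.split(",")
        flows.append({"src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows


def build_inventory(flows):
    """Return {device_ip: {"zone": zone_name, "talks_to": {(dst, port, proto), ...}}}."""
    inv = defaultdict(lambda: {"zone": None, "talks_to": set()})
    for f in flows:
        for ip in (f["src"], f["dst"]):
            inv[ip]["zone"] = zone_of(ip)
        inv[f["src"]]["talks_to"].add((f["dst"], f["port"], f["proto"]))
    return dict(inv)


def cross_zone_flows(flows):
    """Flows whose endpoints sit in different zones (IT->ICS, ICS->external, ...)."""
    out = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone != dst_zone:
            out.append({**f, "src_zone": src_zone, "dst_zone": dst_zone,
                        "ics_protocol": ICS_PORTS.get(f["port"])})
    return out


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    inventory = build_inventory(flows)
    print("Device inventory:")
    for ip, info in sorted(inventory.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"  {ip:16} zone={info['zone']:13} peers={len(info['talks_to'])}")
    print("\nCross-zone flows to review:")
    for f in cross_zone_flows(flows):
        proto_note = f" ({f['ics_protocol']})" if f["ics_protocol"] else ""
        print(f"  {f['src']} [{f['src_zone']}] -> {f['dst']} [{f['dst_zone']}] "
              f"port {f['port']}/{f['proto']}{proto_note}")
```

On the sample data this reports three flows to review: two from corporate IT hosts into the ICS range (one on the Modbus port, one on the remote-desktop port) and one from an ICS host out to an external address. Each of those is exactly the kind of path the article warns about, and each should either map to a documented, approved conduit or be investigated.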

People – the weakest link

The other consequence of the similarities between ICS security and traditional IT security is that – just as on the IT side – training remains crucial for those involved with operational technologies. 

It is central to the response at global power group AES, according to Davy Elliott, Insured Risk Management and Ethics & Compliance Officer at AES. “People are the weakest link in everybody’s system if they are not properly trained,” Elliott says. 

“One of the biggest and best defences we have is to train our staff so they are aware of the risks and exercise caution around IT, websites, emails, USB sticks and network connections.” 

However, ultimately, total security is impossible, Elliott says. “Potential attackers are always there, and they only have to get lucky once.” 

For many organisations, a major attack that renders physical damage could be catastrophic. Cyber-insurance needs to start playing a bigger role in companies’ armoury, says White. 

“Alongside strong cyber-risk management, companies have to start viewing insurance as a key cyber-control, because it is the only control that can protect their balance sheet and ensure that such attacks can be survived.” 

Sarah Stephens is Head of Cyber, Technology and Media E&O at JLT.
