The rise of the Internet of Things (IoT) is now posing a clear and present danger of cyber-attack on major industrial and manufacturing firms across the globe.
Lloyd’s has published a new report in conjunction with cyber analytics specialist CyberCube and reinsurance broker Guy Carpenter, which examines how ‘Internet of Things’ devices are posing an increasingly high risk of cyber-attack to industrial and manufacturing businesses.
The report warns that cyber-attack risks have previously been considered unlikely to materially impact the physical market, with cyber perils traditionally emerging in the form of non-physical losses. However, the report looks at how physical risks have become a rapidly growing concern for industrial businesses, as shown by recent high-profile breaches.
As bridges are increasingly being built between information technology (IT) and operational technology (OT), along with increases in automation and sophistication of threat actors, it is paramount that (re)insurers carefully consider where major losses may occur, it adds.
The report, ‘The emerging cyber threat to industrial control systems’, examines potential real-world scenarios which visualise a range of cyber-attacks causing physical damage to major industrial and manufacturing organisations.
Kirsten Mitchell-Wallace, Lloyd’s Head of Portfolio Risk Management, said: “The Lloyd’s market is advanced when it comes to insuring cyber risks and it is therefore vital Lloyd’s syndicates underwriting this class of business have the ability to analyse their portfolios against the most sophisticated and technologically advanced risk scenarios. We know that the risk of ICS-based cyber-physical events is increasing and because of this, we’ve partnered with CyberCube and Guy Carpenter to create illustrative scenario pathways based on highly realistic threats and modes of attack.”
The report’s analysis examines three scenarios which represent the most plausible routes by which a cyber-attack against industrial control systems (ICS) could generate major insured losses. It also considers four key industries dependent upon ICS (manufacturing, shipping, energy and transportation) and assesses precedent and potential impact on each.
Jamie Pocock, Guy Carpenter’s Head of GC Cyber Analytics – International, said: “A major ICS attack could impact a broad range of industrial businesses and classes of insurance. As these attacks cross the divide between information technology and operational technology, they could conceivably involve significant property damage and loss of human life. The key is continued research, surveillance, and risk selection to help improve underwriting standards and portfolio management.”
The research highlights a range of issues for insurers and their clients.
- The risk of a cyber-physical ICS incident is increasing, especially for individual entities.
- Only a nation-state or nation-state affiliated actor is likely to possess the resources and level of technical sophistication necessary for a malicious ICS-oriented attack.
- Three plausible scenarios consider: (1) a targeted supply-chain malware attack, in which malicious actors breach a device manufacturer and compromise that manufacturer’s products before distribution; (2) a targeted Internet of Things (IoT) vulnerability attack, in which attackers exploit a vulnerability in widely used IoT devices found in industrial settings; and (3) the infiltration of industrial IT networks to cross the OT “air-gap”.
- An OT event could conceivably trigger a loss that leads to property damage and loss of life in one entity, and lead to extensive forensics, remediation, and product recall as necessary to limit further damage. However, an event leading to widespread property damage, business interruption, and human costs across multiple sites is currently less likely to occur.
- A targeted attack against an industrial site in an industry with outsized strategic, economic or societal importance (or any combination of those factors) would be hugely significant. The key industries considered include manufacturing, energy, transportation and shipping.
- Continued trends of increased cloud adoption in industrial operations, the convergence of IT and OT, and the proliferation of IoT and “smart manufacturing” can exacerbate security concerns and increase exposure profiles.
“We recommend continued research and focus on developing and improving exposure management and underwriting standards in an emerging area of cyber risk whose boundaries are yet to be defined,” warns the report. “Furthermore, we recommend continued diligence around the increasing aggregation potential that could transition the groundwork laid for a threat specific to individual portfolios to one that may aggregate across the market.
“The insurance market has a rich legacy of adapting to emerging risks and changing trends. As the risk of cyber-physical losses grows, it is essential that the market develops products and expertise to service this.”
Pascal Millaire, CyberCube’s CEO, said: “The potential for a major ICS attack is all too real today given several real-world examples of such attacks. As we roll out hundreds of billions of additional IoT devices, it will become even more important in the future and could eventually become a systemic risk for the global economy.”
The report concludes with a range of “strong” recommendations for the (re)insurance market to consider.
- Although the affirmative cyber insurance product is well established, there is a comparative lack of understanding and awareness of cyber-physical risks. Cyber has been traditionally viewed as a non-physical peril, but this is demonstrably no longer the case. Use of the CZ risk code in the Lloyd’s market acts to help focus attention on cyber-physical risk, but it is very important that the market builds a foundation of expertise and experience in this emerging area of risk.
- Syndicates should monitor product coverages carefully across classes for relevance to the cyber-physical peril. This requires an active strategy to consider different potential cyber-physical scenarios, and where the losses may fall from these. As part of this, attaining coverage clarity across traditional classes is key. The findings of this report can be used to aid the development of bespoke cyber-physical scenarios for different classes of business for stress testing purposes.
- Whilst an imminent mass-scale cyber-physical attack may be unlikely, the threat is evolving very rapidly. Precedents strongly point to continual targeting of strategic industrial sectors, as described in this report. Currently, technology implementation and vulnerabilities can be fairly bespoke in many cases, but attackers are aided in this respect by the increasing interconnection of systems and the homogenisation of technology. This will act to heighten the risk significantly over time, which requires a comprehensive response.
- As part of a risk mitigation strategy, syndicates need to monitor the correlation potential for risks stemming from attacks bridging the IT/OT gap. This is particularly a concern for portfolios with concentrations of comparable large industrial risks. Insurers should consider commonalities of exposure within industry segments and identify the increasing uniformity of components in supply chains. In practice, syndicates can improve awareness by building a technology inventory for their insureds. This might include identifying leading PLC components and investigating the use of common industrial OT and IoT assets.
- It is very important for syndicates to focus on procedures as well as components. Among other aspects, this should encompass the extent of air-gapping between IT and OT systems, the nature of risk management protocols such as automated patch updates, and the presence of known industrial component vulnerabilities. In addition to technological safeguards, information should be gathered from insureds to ascertain their dependence on business-critical systems and their operational resilience should an incident occur.
- Beyond understanding exposure, syndicates should monitor the threat landscape carefully. Attack incidents, precedents, and near-misses can all be cross-examined to understand active risks and how they might be aligned to portfolios. Malicious actors routinely target specific sectors or institutions, and these evolving trends can be examined in real-time to help inform the view of the risk.
- Finally, it is crucial that syndicates recognise that cyber-physical risks are growing and require considered and committed action. The question of a significant event occurring is one of “when”, and not “if”. The response required from the market is to build a comprehensive and sustainable base across underwriting, product development, pricing, and exposure management. Resources like this report should form part of the start of that journey.