Cyberattacks Reach the Physical Realm
When the Baku-Tbilisi-Ceyhan pipeline exploded in 2008 in eastern Turkey, it damaged the pipeline in Refahiye, spewed oil into the environment and posed physical harm to firefighters called in to quell the flames.
Cyber attackers apparently hacked into the pipeline’s control system and manipulated valves to increase pressure inside the pipe, while suppressing alarms that would have alerted operators to an error.
In 2014, an unnamed steel mill in Germany sustained extensive damage after hackers breached the plant’s computer network via a spear phishing email, then infiltrated industrial systems that control operational machinery. The attack compromised the system so that a blast furnace could not be shut down.
In another well-known incident the year before, the Stuxnet computer virus engineered by U.S. and Israeli forces damaged thousands of centrifuges at an Iranian nuclear power plant, again compromising system controls while making it appear everything was working normally. The virus was introduced through an employee’s thumb drive.
These are only a few examples of cyberattacks that caused physical property damage and potential bodily injury.
“The breaches and cyberattacks we see in the news are usually around the theft of personally identifiable information,” said Tracie Grella, global head of cyber risk insurance at AIG.
“We’ve seen ransomware events, DOS attacks. The data disclosure and business downtime are usually the results of a network breach. But the potential for extensive physical damage is an emerging risk.”
As cyber risk rapidly evolves, the insurance industry is working hard to keep up. However, gray areas remain and there are unanswered questions about how to underwrite and mitigate such a dynamic risk.
“Five to 10 years ago, cyberattacks were motivated primarily by financial gain and access to confidential data,” said Chris O’Byrne, cyber underwriting specialist at FM Global. “This has evolved into more attacks focused on causing business disruption, and others where the goal is physical damage.”
Though every type and size of company is susceptible to a cyberattack, those with industrial-control systems (ICS), such as manufacturers and energy suppliers, may be most vulnerable to an attack intended to cause physical damage. Industrial-control systems are comprised of many components relying on communication between separate computer networks. The less cohesive a system is, the more opportunities arise for hackers to find a way in.
“We’re seeing more reports of malware being written specifically to target these systems,” O’Byrne said.
“Companies first think to look at their GL or property policies for coverage … but these policies really were not designed to respond to cyberattacks.” — Tracie Grella, global head of cyber risk insurance, AIG
“The intent may not be to expressly cause physical damage, but that could certainly be a result.”
The physical damage that could result from an attack on ICS varies. It could be a fire that destroys equipment or a whole facility; it could be the simple wearing down and corrosion of machinery; it could involve environmental damage, or damage to any goods being produced.
“Hackers can spoof sensors by sending false data. They can force cyclical behaviors, like turning something on and off in rapid cycles, which causes machinery to wear out, fuses to be blown, leaking, and in some cases explosion and fire,” said Tom Harvey, product manager of cyber solutions at RMS, the risk modeling firm.
“It could be something as simple as disconnecting safety features,” he said. “Everything would be operating as it should, but there’s the increased risk for bodily injury.”
Spoofing sensors also can cause damaged goods, without harming any machinery or equipment. In a refrigerated truck, for example, hackers would feed sensors false data so they continually record a temperature of 0 degrees, even if it’s 70 inside the truck. An entire shipment of frozen goods would be ruined by the time it reaches its destination.
“It’s not that the refrigeration equipment was broken; it’s that the sensors were fed the wrong information, and no one had any indication that it was false,” said Robert Parisi, cyber product leader at Marsh. “These losses will not fall into the simple buckets in which the insurance community likes to put things.”
The scope of potential losses leaves risk managers wondering what insurance policy, if any, will cover the damage.
Looking for Cover
“The question in insurance becomes: where is that covered?” Grella said.
The industry has no uniform way to address these losses. Cyber coverage typically excludes physical loss. Property or general liability policies likely cover property damage, even if the underlying trigger was a cyber event. Companies also might find coverage in crime or fidelity policies, if the breach was perpetrated by an employee.
“Companies first think to look at their GL or property policies for coverage, and they may find it there, but these policies really were not designed to respond to cyberattacks,” Grella said.
“Finding silent coverage is not really where insurers or insureds want to be. Clients want to know what they’re buying and what’s covered, and carriers want to know exactly what they’re covering.”
Coverage for cyber-triggered physical losses could extend in two directions. Carriers could begin offering affirmative coverage for cyber events in property policies, or cyber policies could expand to include property damage and bodily injury, not just loss of data, business interruption and other non-physical losses.
“Market conditions will dictate that evolution to some degree,” Harvey of RMS said. “At the moment, the property market is very soft, which drives underwriters to try to win more business, which means they’ll be more generous with their cyber coverages. On the other hand, regulators want to ensure underwriting is done properly, with adequate controls in place, which could push property underwriters to move away from cyber endorsements.”
Property and cyber underwriters need to work together to ensure they are managing the risk appropriately. Marsh’s Parisi said some cyber insurers have offered to cover physical loss only if the insured’s property policy does not respond. This shows the industry is recognizing the widening coverage gaps.
“Cyber policies expanding to take in this exposure is the cleanest way to do it,” he said. “We are seeing greater flexibility on the part of the cyber market to adapt to changing loss scenarios that don’t have actuarial data behind them or underwriting standards.”
AIG, Marsh and FM Global are among insurers and brokers offering expanded cyber products designed to affirmatively cover physical harm.
“We’re starting to get more inquiries about our coverage and how it intersects with other cyber policies,” FM Global’s O’Byrne said. “What clients really want is contract certainty.”
RMS has spent the past year modeling the severity of physical losses triggered by a cyberattack, but nailing down the frequency remains a challenge.
“We have developed models to confidently help insurers assess what the severity of cyber-physical events might be,” Harvey said. “RMS are continuing to explore methods of assessing the probability of these rare events as we know both the frequency and severity are critical components of quantifying the risk.”
With cyber risks evolving and uncertainties in the type and scope of losses and coverage gaps, the best approach risk managers can take is to treat cyber like any other operational risk and apply enterprise risk management.
“The best companies approach cyber risk the same way they do currency risk, or political unrest, or weather risk — like any other standard risk,” Parisi said. “Tech-based risks are really no different that any other risk and you need to manage them through the normal risk management channels. Make sure that technology risk is part of the ERM discussion.”
“If you are targeted by a sophisticated group of hackers, they will find a way in. You have to make sure you’re properly covered.” —Tom Harvey, product manager, cyber solutions, RMS
Cross-functional teams including risk management, IT, operations and security should work with senior executives to assess the scope of cyber risk and develop a multi-pronged strategy, O’Byrne said.
“Buying the newest, shiniest piece of technology won’t necessarily solve your exposure. Assuming that the IT guys will somehow fix it ignores the fact that technology has crept into everything that we do. It’s an active risk to be managed, not a problem to be solved,” he said.
Patching cyber vulnerabilities in industrial-control systems, and separating critical control systems from business networks and other non-critical functions can make it harder for hackers to access machinery and production controls.
Risk managers also should conduct gap analyses to determine if and where they have coverage for physical damage from a cyberattack.
“Your broker or a third-party vendor can provide this service,” Grella of AIG said. “You want to make sure you have a primary policy that provides coverage for physical damage from cyber on an affirmative basis.”
Given the near impossibility of gauging and defending against all cyber exposures as the risk takes on new forms, closing coverage gaps will be the most critical risk management technique.
“If you are targeted by a sophisticated group of hackers, they will find a way in,” Harvey said. “You have to make sure you’re properly covered.” &