Why cyber physical damage attacks may increase - Reason 1
In the first of a series of expert blogs, TMK Cyber Underwriter Paul Gooch explains why cyber physical damage attacks may increase in 2020 and beyond.
From 1st January 2020, all first-party property damage insurance policies issued by Lloyd’s must explicitly affirm or exclude coverage for cyber events. Most cyber policies exclude cover for physical damage and ensuing business interruption. As a result, many policyholders could now find themselves with a gap in cover. Although cyber physical damage events have thus far remained infrequent, there are several reasons why this could change.
Reason 1 – It Has Happened Already
Cyber attacks that cause physical damage are not merely theoretical; they have happened already. The most high profile of these was the Stuxnet malware attack on the Natanz uranium enrichment plant in Iran. Despite the plant supposedly being ‘air gapped’ – i.e. having no direct connection to the internet – attackers were able to compromise its Industrial Control Systems (ICS) by deploying malware on the systems of the plant’s engineering vendors. Once on site, an engineer established a physical connection using a laptop or USB drive to carry out routine maintenance. Unbeknown to the engineer, this connection allowed the Stuxnet malware to be injected into and propagate through the plant’s network.
The malware had two critical destructive components. Not only was it able to reprogram Programmable Logic Controllers (PLCs) to cause the plant centrifuges to operate at extreme levels and ultimately destroy them, it also obfuscated the telemetry data which might have allowed the plant engineers to detect and remediate the issue. This is known as a ‘loss of view condition’ because the information presented on the computer workstations gave the all clear, when in fact the plant was destroying itself.
A subsequent attack on a German steel mill, which resulted in damage to physical equipment, further demonstrated the vulnerability of ICS networks and showed that Stuxnet was not a one-off. The attackers reportedly infiltrated the corporate network by utilising ‘spear phishing’ techniques: sending targeted emails purporting to come from a trusted source to industrial operators at the plant. These emails contained malware which activated a remote connection point, allowing malicious actors access to the network and leading to the compromise of a multitude of systems, including industrial components on the production network. This ultimately prevented the controlled shutdown of an industrial furnace, which resulted in ‘massive physical damage’ at the plant.
TMK has released an enhanced cyber insurance policy to include coverage for Property Damage and Ensuing Business Interruption resulting from a cyber-attack: Cyber Ctrl PD+. Visit http://www.tokiomarinekiln.com/our-business/enterprise-risk/cyber/ for more information.