Why cyber physical damage attacks may increase - Reason 2
Reason 2: The Proliferation of Industrial Control System Malware
In the second of a series of expert blogs, TMK Cyber Underwriter Paul Gooch explains why cyber Physical Damage attacks could increase in 2020 and beyond.
While Stuxnet is probably the best-known and most widely discussed Industrial Control System (ICS) malware strain, there are several more recent examples that are less well-known outside of the cyber security community.
In December 2015, an ICS malware strain known as ‘Black Energy’ was used in the attack against three Ukrainian electricity-distribution companies, resulting in a number of substations being taken offline and 200,000+ customers losing power. By gaining unauthorised access to the ICS environment, hackers remotely opened circuit breakers, causing a power cut. One year later, the lights went off in Ukraine again, this time because the transmission system in Kiev was targeted by a more sophisticated piece of malware known as ‘CrashOverride’.
While neither of the Ukraine electricity outage attacks resulted in physical damage, this was only avoided because the attackers chose to open the circuit breakers, thereby cutting the power, but not to re-close them. As demonstrated in the 2007 Aurora test, if they had been re-closed out-of-phase, catastrophic physical damage is likely to have resulted.
Most recently, and perhaps most disturbing of all, was the discovery of a malware strain known as Trisis or TRITON, which is the first publicly reported example of ICS malware specifically designed to target the Safety Instrumented System (SIS) of an ICS network. Safety controllers are used to protect human life at an industrial plant, enforcing operational shutdowns when unsafe conditions are detected. In August 2017, the Petro Rabigh oil refinery in Saudi Arabia was partially taken offline when a Triconex safety controller was tripped. First believed to be a malfunction, it was later discovered to be the result of a malware infection and part of a cyber operation that, according to FireEye, was aimed at developing the capability to cause physical damage.
TMK has released an enhanced cyber insurance policy to include coverage for Property Damage and Ensuing Business Interruption resulting from a cyber-attack. Visit http://www.tokiomarinekiln.com/our-business/enterprise-risk/cyber/ for more information.