Empowered Expertise

Why cyber physical damage attacks may increase - Reason 2

by Paul Gooch, Cyber Underwriter on

Reason 2: The Proliferation of Industrial Control System Malware

In the second of a series of expert blogs, TMK Cyber Underwriter Paul Gooch explains why cyber Physical Damage attacks could increase in 2020 and beyond.

While Stuxnet is probably the best-known and most widely discussed Industrial Control System (ICS) malware strain, there are several more recent examples that are less well-known outside of the cyber security community.

In December 2015, an ICS malware strain known as ‘Black Energy’ was used in the attack against three Ukrainian electricity-distribution companies, resulting in a number of substations being taken offline and 200,000+ customers losing power. By gaining unauthorised access to the ICS environment, hackers remotely opened circuit breakers, causing a power cut. One year later, the lights went off in Ukraine again, this time because the transmission system in Kiev was targeted by a more sophisticated piece of malware known as ‘CrashOverride’.

While neither of the Ukraine electricity outage attacks resulted in physical damage, this was only avoided because the attackers chose to open the circuit breakers, thereby cutting the power, but not to re-close them. As demonstrated in the 2007 Aurora test, if they had been re-closed out-of-phase, catastrophic physical damage would likely have resulted.

Most recently, and perhaps most disturbing of all, was the discovery of a malware strain known as Trisis or TRITON, which is the first publicly reported example of ICS malware specifically designed to target the Safety Instrumented System (SIS) of an ICS network. Safety controllers are used to protect human life at an industrial plant, enforcing operational shutdowns when unsafe conditions are detected. In August 2017, the Petro Rabigh oil refinery in Saudi Arabia was partially taken offline when a Triconex safety controller was tripped. First believed to be a malfunction, it was later discovered to be the result of a malware infection and part of a cyber operation that, according to FireEye, was aimed at developing the capability to cause physical damage.


TMK has released an enhanced cyber insurance policy to include coverage for Property Damage and Ensuing Business Interruption resulting from a cyber-attack.
