Cyber Risk: The Emerging Cyber Threat to Industrial Control Systems

This report considers four key industries dependent upon ICS (Manufacturing, Shipping, Energy and Transportation) and assesses precedents and the potential impact on each. 

The potential for physical perils represents a major turning point for the broader cyber (re)insurance ecosystem. This risk has previously been considered unlikely to materially impact the market, with cyber perils traditionally emerging in the form of non-physical losses. 

However, crossing the divide between information technology (IT) and operational technology (OT), along with increases in automation and the sophistication of threat actors, means it is paramount that (re)insurers carefully consider how major losses may occur and the potential impacts.

Key takeaways: 

• The risk of a cyber-physical ICS incident is increasing, especially for individual entities. 
• Only a nation-state or nation-state affiliated actor is likely to possess the resources and level of technical sophistication necessary for a malicious ICS-oriented attack. 
• Three plausible scenarios consider: (1) a targeted supply-chain malware attack, in which malicious actors breach a device manufacturer and compromise that manufacturer’s products before distribution; (2) a targeted Internet of Things (IoT) vulnerability attack, in which attackers exploit a vulnerability in widely used IoT devices found in industrial settings; and (3) the infiltration of industrial IT networks to cross the OT “air-gap”. 
• An OT event could conceivably trigger a loss that leads to property damage and loss of life in one entity, and lead to extensive forensics, remediation, and product recall as necessary to limit further damage. However, an event leading to widespread property damage, business interruption, and human costs across multiple sites is currently less likely to occur.
• A targeted attack against an industrial site in an industry with outsized strategic, economic or societal importance (or any combination of those factors) would be hugely significant. The key industries considered include manufacturing, energy, transportation and shipping. 
• Continued trends of increased cloud adoption in industrial operations, the convergence of IT and OT, and the proliferation of IoT and “smart manufacturing” can exacerbate security concerns and increase exposure profiles. 

We recommend continued research and focus on developing and improving exposure management and underwriting standards in an emerging area of cyber risk whose boundaries are yet to be defined. Furthermore, we recommend continued diligence around the increasing aggregation potential that could transition the groundwork laid for a threat specific to individual portfolios to one that may aggregate across the market. The insurance market has a rich legacy of adapting to emerging risks and changing trends. As the risk of cyber-physical losses grows, it is essential that the market develops products and expertise to service this.