New You can now listen to Carrier Management articles!

When people think of cyber attacks, they might think of things like phishing, ransomware or data theft. But increasingly, something called cyber-physical attacks are making their way into the conversation — particularly in the critical infrastructure industry — and experts on this episode of The Insuring Cyber Podcast say they are likely to continue growing.

“The days of attacking on zeros and ones, personal information, and otherwise confidential information needs to give way now to the thought of how interconnected we are and how problematic the issues will be with respect to property damage and bodily injury if third parties are able to intercept these devices, infiltrate them and cause problems,” said Marc Voses, partner at Clyde & Co.

A cyber-physical attack means a bad actor can take over computer systems for things like electrical, water or natural gas infrastructure, among other things, to cause physical damage — sometimes manifesting as bodily harm or property loss.

“Think about tangible things, things you can touch,” Voses said. “They’re going to be machinery. They’re going to be computer components themselves. They’re going to be Internet of Things devices. They’re going to be industrial items. They’re going to be doors. They’re going to be heating elements — a whole bunch of physical things.”

Cyber-physical attacks are creating a particular challenge for the critical infrastructure industry, according to Gartner, a Stamford, Conn.-based consulting, research and advisory firm. The firm cited research from Temple University in a recent article on its website, stating that the critical infrastructure industry is particularly susceptible to ransomware attacks, with attacks on organizations in this sector rising from less than 10 in 2013 to almost 400 in 2020. Part of the problem is the abundance of legacy systems within critical infrastructure.

“Over time for reasons of competitiveness and productivity, a lot of these systems have started to become connected, not only to each other but increasingly to enterprise IT systems and to the Internet, for instance. And so, that makes them cyber-physical systems,” said Katell Thielemann, VP analyst at Gartner, later in this episode. “And unfortunately, particularly as more and more ransomware has evolved, the bad actors realize that if they can shut down plants or pipeline operators — for instance, like Colonial Pipeline last year — they can compel them to pay their ransom a lot faster than just exfiltrating data.”

“I recently talked to a CISO (chief information security officer) for a state department of transportation, and he has a staff of about 245 people. Well, only three are deployed to support cyber-physical systems — that includes all of the signage on the roads, the tollways, the bridges, you name it — for an entire state. Three people. Everybody else is in IT security.”

— Katell Thielemann

She said from her perspective, a better balance between resources being deployed to IT and enterprise-level systems versus cyber-physical systems in operations or critical environment sites could be one way to tackle the issue.

“I recently talked to a CISO (chief information security officer) for a state department of transportation, and he has a staff of about 245 people. Well, only three are deployed to support cyber-physical systems — that includes all of the signage on the roads, the tollways, the bridges, you name it — for an entire state,” she said. “Three people. Everybody else is in IT security.”

With this in mind, her advice for cybersecurity leaders is to “go out there, visit the field, visit the plants, visit the warehouses, visit the workers, visit the operations teams, and start building a rapport with them so that you have a real-life understanding of the operational environment that all of these systems live in.”

With that knowledge, she said cybersecurity professionals can build a security program that helps a business create resilience as opposed to trying to shoehorn existing IT systems into non-IT environments.

“We need to deploy an asset-centric view of security and not a traditional information-centric view of security or network security, because we really need to put these cyber-physical systems at the center of that mental model for security and really understand the dimensions having to do with cyber threats, physical world threats, supply chain threats and all of these things,” she said.

However, that still doesn’t solve all of the challenges. One key challenge for insurers with cyber-physical attacks is that it can be difficult to identify them as cyber attacks right away.

“Even though something physical might happen, it might be quite some time before someone identifies the causation of what really was the root of this physical attack and how did it manifest itself,” Voses said.

He pointed to one example of a 2014 cyber-physical attack on an unnamed German steel mill, in which the mill lost control of its blast furnace after hackers had infiltrated its control system, PBS reported.

“If there are businesses out there that have insurance policies but no cyber policy – they might have a CGL policy or they might have a professional liability policy – don’t rely on that to respond to your cyber event. I think that’s a risk that you don’t want to take.”

— Marc Voses

“Now, I’m quite certain that if this happened a hundred times, you wouldn’t be able to automatically say this is a cyber attack. You would really need to examine the machinery, the computer control systems, to really find out whether or not it was the fault of a component of the industrial complex itself or whether it was the act of a third party,” he said. “And guess what? Sometimes, there might not be any traces left over to identify that this was, in fact, a cyber attack.”

This can bring with it questions around insurance coverage for these attacks.

“So, then the question is going to be: ‘Well, is there coverage for the attack? Is there coverage for the fire? Does the policy exclude coverage for both?’ And these are some real tough questions that need to be asked in evaluating the claim,” Voses said. “You might have a property loss, but at the inception, it might look like a fire. When you look at it deeper, it was caused by a threat actor that actually caused the fire, and there might be an exclusion within the policy excluding the acts of a third party affecting the computer system which results in property damage.”

This means a non-standalone cyber policy should never be relied upon to do what a cyber policy was intended to do, Voses said.

“If there are businesses out there that have insurance policies but no cyber policy – they might have a CGL policy or they might have a professional liability policy – don’t rely on that to respond to your cyber event,” he said. “I think that’s a risk that you don’t want to take.”

To see what else Marc and Katell had to say, be sure to check out the rest of the episode and check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday on Insurance Journal TV, Google and Apple Podcasts along with the Insuring Cyber newsletter. Thanks for listening.