Internet of Things (IoT) devices are increasing the risk of cyber attacks to industrial and manufacturing businesses, according to a report published by Lloyd’s in partnership with cyber analytics specialist CyberCube and reinsurance broker Guy Carpenter.
As cyber threats continue to evolve and become more sophisticated, it is crucial for insurers to understand these emerging risks in order to keep pace with their clients’ exposures, according to the report “The Emerging Cyber Threat to Industrial Control Systems.”
Cyber-attack risks have previously been considered unlikely to materially affect the physical market, with cyber perils traditionally emerging in the form of non-physical losses, said the report.
However, the report said physical risks have become a rapidly growing concern for industrial businesses as shown by recent high-profile breaches.
As bridges are increasingly being built between information technology (IT) and operational technology (OT), along with increases in automation and sophistication of threat actors, it is paramount that insurers and reinsurers carefully consider where major losses may occur, said the report.
The report considers four key industries dependent upon industrial control systems (ICS): manufacturing, shipping, energy, and transportation. It assesses precedent for cyber attacks and the potential impact on each.
Designed to aid individual underwriters’ understanding of the impact of emerging cyber risks on their portfolios of business, the report focuses on three scenarios, or potential routes of attack by hackers:
- A targeted supply-chain malware attack in which malicious actors breach a device manufacturer and compromise that manufacturer’s products before distribution,
- A targeted attack in which attackers exploit a vulnerability in widely used IoT devices found in industrial settings,
- The infiltration of industrial IT networks to cross the OT “air-gap”. (The report explained that the process of “air-gapping” describes the separation of OT machines onto a specific network so that those machines do not connect to the internet. However, inadequate air-gapping can occur with employees operating in IT environments on internet-facing networks that do not have adequate safeguards in place between the two systems, the report continued.)
In each scenario, if attackers gain access to a target firm’s IT system, they can exploit ICS to inflict physical damage on the plant – for example, gaining control of water pumps or temperature regulation systems.
Crossing the ‘Air-Gap’
The report described how an attack that crosses the OT air-gap could unfold:
- Step 1: Attackers successfully spear-phish IT administrators or other employees and gain persistent high level IT network access within the target industrial site.
- Step 2: With administrator-level access to the IT network, attackers can move laterally to find and exploit insecure devices that will serve as a bridge into the OT environment.
- Step 3: Once inside the OT environment, attackers are able to deploy self-spreading malware or ransomware. This could be used to escalate privileges in order to alter system controllers or safety configurations or cause sudden unplanned outages.
“The potential for a major ICS attack is all too real today given several real-world examples of such attacks. As we roll out hundreds of billions of additional IoT devices, it will become even more important in the future and could eventually become a systemic risk for the global economy,” said Pascal Millaire, CyberCube’s CEO, in a prepared statement.
Jamie Pocock, Guy Carpenter’s head of GC Cyber Analytics – International, commented: “A major ICS attack could impact a broad range of industrial businesses and classes of insurance. As these attacks cross the divide between information technology and operational technology, they could conceivably involve significant property damage and loss of human life. The key is continued research, surveillance, and risk selection to help improve underwriting standards and portfolio management.”
“We know that the risk of ICS-based cyber-physical events is increasing and because of this, we’ve partnered with CyberCube and Guy Carpenter to create illustrative scenario pathways based on highly realistic threats and modes of attack,” said Kirsten Mitchell-Wallace, Lloyd’s head of Portfolio Risk Management.
*This story ran previously in our sister publication Insurance Journal.