There is currently a protection gap of around 90% due to the uncertain nature of systemic risk. The cyber risk landscape is rapidly evolving, with cyberattacks increasing in severity and sophistication. Hackers now use triple extortion techniques and ransomware-as-a-service has lowered entry barriers for cybercriminals. In addition, increased digitalisation of critical infrastructure has made it more vulnerable to cyber threats – with the potential for systemic fallout should a cyberattack interrupt the provision of clean water, energy or internet services for an extended period of time.
Critical infrastructure systems like those driving power generation, water treatment, electricity production and other platforms are interconnected to form the energy “grid”. Although beneficial to the public this grid is vulnerable to cyber-attack by “hacktivists” or terrorists.
- Power generation and distribution is more complex and connected than ever before
- Vulnerability of critical infrastructure and technical failures is a real concern among security specialists and insurers
- Main targets of hacktivists are energy, transportation, public services, telecommunications and critical manufacturing sectors
- Loss prevention is key to incenting insurers to offer higher limits to encourage customers to buy cyber protection insurance
During a particularly harsh winter, a group of hacktivists spreads panic by bringing down the US power grid. Millions of homes and businesses are plunged into darkness, communications are cut, banks go offline, hospitals close and air traffic is grounded. Such a scenario sounds apocalyptic, but it is a realistic threat, according to Idan Udi Edry, Chief Executive Officer at Nation-E, a provider of cyber security solutions that safely allow customers to connect their infrastructure to the internet, thereby enabling them to connect and control critical assets remotely and safely.
This new risk era requires a different approach to cyber insurance, a new Swiss Re Institute study suggests. Jérôme Haegeli, Swiss Re group chief economist, commented: “As cyberattacks have increased, so has awareness of the risk – and with it, demand for cyber insurance is growing. However, due to the high degree of uncertainty regarding expected losses and the evolving nature of the risk, its insurability is limited. This in turn restrains market capacity, leading to a protection gap of around 90%.”
Three areas of improvement where the re/insurance industry can help to manage cyber risk more efficiently and increase insurability: increasing contract consistency and clarity, using standardised data and better modelling, and identifying new sources of capital.
1. Standardising data and optimising modelling: Cyber risks are difficult to quantify due to a lack of standardised data and modelling constraints within a shifting risk environment. Future risks are typically inferred based on backward-looking data, but this approach is limited in the context of cyber risk for two reasons: a lack of standardised data and backward-looking information being less useful in a rapidly changing risk environment. Introducing cybersecurity standards should improve cyber data in terms of breadth and transparency to allow meaningful risk insights and enable more accurate pricing and modelling. Re/insurers must also invest in cyber talent to help strengthen the actuarial and technical skills needed for the forensic analysis that is part of underwriting and claims management cycles.
2. Updating policy language for clarity and consistency: The relative youth of the cyber insurance market and complexity of the risk are reflected in a lack of standardisation around exclusion clauses and terms and conditions. Uncertainty about responsibilities in the event of a cyber catastrophe remains a barrier for additional industry capacity. Stakeholders have taken steps to fix some of these issues, but factors such as attribution of cyber events remain a core problem. By clarifying responsibilities, as well as supporting risk understanding and mitigation efforts, contract clarity and consistency can lead to increased cyber capacity.
3. Identifying new sources of capital: Public and private sector collaboration is key to mitigating cyber threats to critical infrastructure. A public-private partnership (PPP) insurance scheme, where the coverage of systemic risks is split between insurers and a government(s)-backed fund is one option to address part of the protection gap. Another would be to tap into the market for insurance-linked securities.
Complexity of critical infrastructure
Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Just decades ago, power grids and other critical infrastructure operated in isolation. Now they are far more interconnected, both in terms of geography and across sectors. As the US power grid scenario highlights, the failure of one critical infrastructure could result in a devastating chain reaction, says Edry. Unsurprisingly, the vulnerability of critical infrastructure to cyber-attacks and technical failures has become a big concern. And fears have been given credence by recent events.
In December 2015, the world witnessed the first known power outage caused by a malicious cyber-attack. Three utilities companies in Ukraine were hit by BlackEnergy malware, leaving hundreds of thousands of homes without electricity for six hours. According to cyber security firm Trend Micro, the malware targeted the utility firms’ SCADA (supervisory control and data acquisition) systems and probably began with a phishing attack.
The blackout was followed two months later by the news that the Israel National Electricity Authority had suffered a major cyber-attack, although damage was mitigated after the Israel Electricity Corporation shut down systems to prevent the spread of a virus.
Industry sectors vulnerable to cyber-attack
The energy sector is one of the main targets of cyber-attacks against critical infrastructure, but it is not the only one. Transport, public sector services, telecommunications and critical manufacturing industries are also vulnerable. In 2013, Iranian hackers breached the Bowman Avenue Dam in New York and gained control of the floodgates. Oil rigs, ships, satellites, airliners, airport and port systems are all thought to be vulnerable, and media reports suggest that breaches have occurred.
Cyber-attacks against critical infrastructure and key manufacturing industries have increased, according to US cyber-security officials at Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the US government body that helps companies investigate attacks against ICS and corporate networks. It reported a 20% increase in cyber investigations in 2015, and a doubling of attacks against US critical manufacturing. Over the years, a wide range of sectors have become more reliant on industrial control systems – such as SCADA, Programmable Logic Controllers (PLC) and Distributed Control Systems – for monitoring processes and controlling physical devices, such as pumps, valves, motors, sensors etc. The most high profile example of a cyber-attack against critical infrastructure is the Stuxnet computer virus. The worm, which targeted PLCs, disrupted the Iranian nuclear program by damaging centrifuges used to separate nuclear material. The incident caused concern because Stuxnet could be adapted to attack the SCADA systems used by many critical infrastructure and manufacturing industries in Europe and the US. In one of the only public examples of a SCADA attack, a German steel mill suffered major damage after a cyber-attack forced the shutdown of a furnace, the German Federal Office for Information Security reported in 2014. The attackers used social engineering techniques to gain control of the blast furnace systems.
Infrastructure cyber-attacks target control systems, not data
Cyber-attacks against critical infrastructure and manufacturing are more likely to target industrial control systems than steal data, according to the Organization of American States and Trend Micro. Their research found that 54% of the 500 US critical infrastructure suppliers surveyed had reported attempts to control systems, while 40% had experienced attempts to shut down systems. Over half said that they had noticed an increase in attacks, while three-quarters believed that those attacks were becoming more sophisticated. According to Edry, hackers are becoming much more interested in operational technology, the physical connected devices that support industrial processes. “The vulnerability and lack of knowledge of operational technology is the most dangerous thing today,” he says. As an example, he cites a cyber-attack against a New York City office block in which a hacker accessed the building management systems – which can control power, communications, security and environmental systems – via a connected vending machine. The building shutdown resulted in estimated damage of $350m from lost business, he says.
IT systems more secure than industrial control systems
However, the security of industrial control systems and connected devices has fallen behind that of IT systems. Many of the connected devices used by industry are based on serial communication technology – which Edry likens to the beeps and squeals associated with the old-style internet dial-up. Edry believes that operational technology is a vulnerable and poorly protected element of cyber security. While IT infrastructure has given rise to an army of cyber security consultants, products and services, industrial control systems by comparison are not well served, he says. The problem is not about to go away. In fact, cyber-attacks against physical operating technology look set to increase with the growing use of connected devices. For example, the convergence of the digital and physical worlds is set to accelerate with the “Internet of Things” (“IoT”), which will see more and more everyday devices embedded with electronics that collect information and connect to a network. Consumer devices are increasingly becoming connected – such as wearable technology, smart devices, domestic appliances and children’s toys. So, too, are our homes and cars. According to Edry, growing digitalization and the “IoT” could create a perfect cyber security storm. He notes that, where a company would once have control over its systems, physical networks and servers, the trend has been to run devices, software and data through virtual networks, such as cloud computing. “Even the network is now off the network,” he says.
Confidence in infrastructure security is key
Confidence in data and systems security is key if society is to benefit from the potential efficiencies that the “IoT” can bring. And public confidence is just as important for the SCADA systems that keep aircraft in the air as it is for the IT platforms that underpin mobile banking.
For example, in the past year a number of airlines have suffered from technical issues and cyber-attacks that erode consumer confidence. Polish national airline LOT grounded planes in June 2015 after its flight plan system was disabled by hackers in a Distributed Denial of Service (DDoS) attack. Weeks later in July, United Airlines grounded its fleet after suffering a technical fault.
“The digital age is here. We can’t prevent it. It is becoming part of us. But we see news headlines of breach after breach. We are losing our confidence in the digital age,” says Edry. He believes that more needs to be done to deter cyber criminals, and to protect operational technology. The cost of creating a successful attack is small for cyber criminals, which is why there are now so many attacks, explains Edry. “We have seen that as the cost of launching a successful attack has gone down, the number of attacks has risen. So we need to develop technology to increase the cost of successful attacks,” says Edry.
“We can’t stop 100% of attacks, but we can create technology to increase the cost so that the hacker says: ‘I don’t want to deal with this organization as it will cost me a lot of time and computer resource,” he says.
“If we can prevent the damage, it will incentivize insurers to offer higher limits and give customers more incentive to buy.”
