Five reasons why cyber physical damage attacks may increase

By Paul Gooch

Monday, March 9, 2020

In the first of a series of expert blogs, TMK Cyber Underwriter Paul Gooch explains why cyber physical damage attacks may increase in 2020 and beyond.

From 1st January 2020, all first-party property damage insurance policies issued by Lloyd's must explicitly affirm or exclude coverage for cyber events. Most cyber policies exclude cover for physical damage and ensuing business interruption. As a result, many policyholders could now find themselves with a gap in cover. Although cyber physical damage events have thus far remained infrequent, there are several reasons why this could change.

Reason 1: It Has Happened Already

Cyber attacks that cause physical damage are not merely theoretical, they have happened already. The most high profile of these was the Stuxnet malware attack on the Natanz uranium enrichment plant in Iran. Despite it supposedly being 'air gapped' – i.e. having no direct connection to the internet – attackers were able to compromise the plant's Industrial Control Systems (ICS) by deploying malware on the systems of the plant's engineering vendors. Once on site, a physical connection was established by an engineer using a laptop or USB drive to carry out routine maintenance. Unbeknown to the engineer, this connection allowed the Stuxnet malware to be injected into and propagate through the plant's network.

The malware had two critical destructive components. Not only was it able to reprogram Programmable Logic Controllers (PLCs) to cause the plant centrifuges to operate at extreme levels and ultimately destroy them, it also obfuscated the telemetry data which might have allowed the plant engineers to detect and remediate the issue. This is known as a 'loss of view condition' because the information presented on the computer workstations gave the all clear, when in fact the plant was destroying itself.

A subsequent attack on a German steel mill, which resulted in damage to physical equipment, further demonstrated the vulnerability of ICS networks and showed that Stuxnet was not a one-off. The attackers reportedly infiltrated the corporate network by utilising 'spear phishing' techniques – sending targeted emails purporting to come from a trusted source to industrial operators at the plant. These emails contained malware which activated a remote connection point, allowing malicious actors access to the network and leading to the compromise of a multitude of systems, including industrial components on the production network. This ultimately prevented the controlled shutdown of an industrial furnace, which resulted in 'massive physical damage' at the plant.

TMK has released an enhanced cyber insurance policy to include coverage for Property Damage and Ensuing Business Interruption resulting from a cyber-attack: Cyber Ctrl PD+. Visit http://www.tokiomarinekiln.com/our-business/enterprise-risk/cyber/ for more information.


Reason 2: The Proliferation of Industrial Control System Malware


While Stuxnet is probably the best-known and most widely discussed Industrial Control System (ICS) malware strain, there are several more recent examples that are less well-known outside of the cyber security community.

In December 2015, an ICS malware strain known as 'Black Energy' was used in the attack against three Ukrainian electricity-distribution companies, resulting in a number of substations being taken offline and 200,000+ customers losing power. By gaining unauthorised access to the ICS environment, hackers remotely opened circuit breakers, causing a power cut. One year later, the lights went off in Ukraine again, this time because the transmission system in Kiev was targeted by a more sophisticated piece of malware known as 'CrashOverride'.

While neither of the Ukraine electricity outage attacks resulted in physical damage, this was only avoided because the attackers chose to open the circuit breakers, thereby cutting the power, but not to re-close them. As demonstrated in the 2007 Aurora test, had the breakers been re-closed out-of-phase, catastrophic physical damage would likely have resulted.

Most recently, and perhaps most disturbing of all, was the discovery of a malware strain known as Trisis or TRITON, which is the first publicly reported example of ICS malware specifically designed to target the Safety Instrumented System (SIS) of an ICS network. Safety controllers are used to protect human life at an industrial plant, enforcing operational shutdowns when unsafe conditions are detected. In August 2017, the Petro Rabigh oil refinery in Saudi Arabia was partially taken offline when a Triconex safety controller was tripped. First believed to be a malfunction, it was later discovered to be the result of a malware infection and part of a cyber operation that, according to FireEye, was aimed at developing the capability to cause physical damage.


Reason 3: The Increased Connectivity of Industrial Control System Environments


While computerised industrial control devices have been commonly used since the 1970s, industrial control systems (ICS) networks were originally run in isolation from corporate IT office networks. They had no direct connection to the internet, initially because the internet didn't exist, later because there were no recognised benefits of ICS-internet connectivity. In recent years this has changed dramatically, however. The automation revolution of the 1970s is evolving into 'Industry 4.0' – translating data into information that can be consumed by machine learning algorithms and artificial intelligence platforms. The most obvious example of this is the 'Industrial Internet of Things' (IIoT), which allows any industrial device ('thing') to directly send data to a centralised hub, accessible by all business applications.

Although the advantages of Industry 4.0 are obvious, with increased connectivity comes increased risk. The more easily accessible ICS networks become, the larger the potential attack surface for malicious actors. While the traditional method of limiting ICS communication through discrete network layers was complex, expensive and inefficient, direct connectivity reduces the obstacles an attacker must hurdle before gaining access to critical devices. More than half of respondents to the 2018 SANS IIoT Survey said they used IIoT technology in devices which directly control operations and processes, meaning, should an attacker gain access to these devices, they could potentially cause physical damage to plant equipment. Even when IIoT is limited to data collection, as with Stuxnet, attackers can manipulate this data to prevent plant engineers from detecting unsafe operating conditions.


Reason 4: Industrial Control System Networks are Notoriously Difficult to Secure


Industrial control systems (ICS) networks are increasingly vulnerable due to increased online connectivity and the proliferation of targeted malware. While the risk of unauthorised access can never be eliminated completely, it can be mitigated by improving security. However, due to characteristics inherent in ICS environments, this poses significant challenges.

Unlike corporate IT networks, which prioritise confidentiality of data, ICS networks were designed to prioritise availability, i.e. operational uptime. Historically, ICS networks were isolated from outside connections – which provided a high level of inherent confidentiality – and few foresaw a future in which a third party would want to intentionally disrupt operations. As such, the worst-case scenario in the 1970s would have been a random technical failure or a malfunction, rather than a cyber attack. For this reason, ICS communication protocols do not typically utilise encryption or authentication techniques found in IT networks.

Given their age, ICS networks often rely on legacy operating systems such as Windows XP which are no longer supported by the vendor with routine security updates or patches. Even when patches are available, installation is often a more complex process than for corporate networks, with the consequences of a failed patch much graver. Plant managers also have to take availability requirements into consideration – many industrial facilities operate 24/7 so do not have the luxury of overnight or weekend patching windows like their IT network counterparts. Consequently, ICS assets remain vulnerable for much longer.

As such, despite the worsening threat landscape, many companies struggle to adequately protect themselves against ICS attacks, because the systems themselves are insecure by design.


Reason 5: Cyber Criminals Have a Proven Business Model


Given their age, their rising levels of connectivity, and the escalation in malicious activity targeted against them, Industrial Control System (ICS) environments are increasingly vulnerable to cyber attacks. However, thus far, the frequency of such events has remained low. Having not yet faced the consequences of such an incident, risk managers may be reassuring themselves with the rhetorical question: "why would anyone attack us?" Others may have concluded that such an attack is only likely in the event of a full-scale military conflict and taken the fatalistic view that in such a scenario they have more to worry about than collecting on their corporate insurance policy. However, if the past 18 months have taught us anything, it's that criminals have carved out a lucrative niche in extorting millions of dollars from companies by literally holding their computer systems to ransom.

There are many examples, and one of the most successful ransomware strains identified in recent months has been REvil, aka Sodinokibi. In the past five months alone, researchers at KPN have detected over 150,000 unique infections and extracted ransom demands from 148 samples, which together demanded more than USD 38 million from their victims. This equates to an average extortion demand of over USD 250,000 per company affected. Cyber crime has become such a widespread problem that the FBI now maintains a 'Cyber Most Wanted' list and has conceded that, while it does not condone paying ransoms, "when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers."

Although it is not simply a case of 'ransomware getting into the control systems' that will lead to cyber physical damage attacks, it is the evolution of the ransomware 'business model' that is of critical concern. If companies are willing to pay millions of dollars to avoid operational disruption, how much (and how quickly) might they pay to avoid catastrophic physical damage or harm to human life? Even when ransoms are paid, botched decryption attempts have shown that attackers don't always get the recovery tools right, and the consequences of a botched Safety Instrumented System recovery could be disastrous.


TMK Cyber Ctrl PD+

In response to the growing threat and the retrenchment of cover in the property insurance market, TMK has released an enhanced cyber insurance policy to include coverage for Property Damage and Ensuing Business Interruption resulting from a cyber attack. Crucially, this is not a 'wrap' or 'write-back' product – TMK Cyber Ctrl PD+ provides affirmative cover for cyber physical damage incidents, giving clients clarity of cover. The policy includes all standard cyber insurance coverages, including privacy liability and non-damage business interruption, and is modular, allowing clients to tailor the product to their specific requirements. Visit http://www.tokiomarinekiln.com/our-business/enterprise-risk/cyber/ for more information.


Paul Gooch

Divisional Head of Large Account Cyber

London

+44 (0)20 7360 1538

paul.gooch@tokiomarinekiln.com