February 22, 2012
Previously published in February 2012
The term "Industrial Threats" has been used to describe the emerging risk of cyberattacks with physical effects, including the manipulation or destruction of industrial control systems and the equipment and machinery that depend on them. Companies and their insurers, particularly those involved in critical infrastructure sectors, are challenged to assess their risks and take steps to mitigate their exposures from such attacks.
An Emerging Cyber Risk
Data breaches that compromise personal information and other data maintained by businesses have been widely publicized. But beyond these, another kind of threat is emerging. The security company McAfee identified “Industrial Threats” first on its list of 2012 Threat Predictions. These are cyberattacks with physical effects, including the manipulation or destruction of industrial control systems, and the equipment and machinery that depend on them. They can put property and lives at direct risk. They present challenges to businesses, especially within the critical infrastructure sectors, and their insurers.
Industrial threat cyberattacks can occur through malware intrusions. The malware takes control of industrial control systems, which are the combination of hardware and software used to monitor and control equipment and machinery, often referred to as Supervisory Control and Data Acquisition Systems (SCADA). The purpose of the attack can be sabotage, extortion, competitive business advantage, or simple mischief.
The Developing Danger
The potential impact of these attacks was demonstrated in March 2007, when the U.S. Department of Homeland Security conducted a cyberattack exercise called Aurora. It hacked into a network controlling a diesel power generator, and put the generator out of sync with the power grid. Video footage of the generator shows it shuddering, filling the room with steam and smoke, and halting.
The key, game-changing development was the appearance in 2010 of a virus known as “Stuxnet,” which successfully disrupted the logic control system for the centrifuges that Iran uses to enrich uranium, reportedly making about 1,000 of them unusable. It is believed that the virus was transmitted by a USB stick plugged into an otherwise secure computer.
A DHS official testifying before the House Subcommittee on Oversight and Investigations on July 26, 2011 said that copies of the Stuxnet code, in various iterations, had become publicly available, and could be modified to target other industrial control systems.
At the Black Hat computer security conference in August 2011, Dillon Beresford of NSS Labs revealed that he had created his own version of Stuxnet in less than 3 weeks of work, spending less than $10,000 to replicate his target hardware environment.
Companies in critical infrastructure industries are prime targets for industrial threat cyberattacks. Companies in the energy sector, notably those that supply electrical power, are especially inviting targets for sabotage or extortion. Most of the systems that operate the U.S. electrical power grid are connected to the internet, and are commonly understood to have nonsecure networks. Often the operators do not understand the extent of their vulnerability.
FBI Director Mueller revealed that in July 2008, a company known as Pacific Energy Resources reported that six computer servers had been rendered inoperable, disabling the leak detection systems on three off-shore oil platforms. The attacks were conducted by a 28-year-old former consultant to the company who was disgruntled because he was not hired for a permanent position. He conducted the attack from his home computer using his various user accounts. It could have been worse. In this instance, the systems were restored before any leak occurred. According to Jane’s Intelligence Review, “with many offshore rigs increasingly using unmanned robot platforms, hacking into control systems could cause major damage to systems and disrupt or potentially halt production.”
On September 28, 2011, DHS gave reporters the first tour of its Central System Security Program facilities in Idaho Falls. DHS official Greg Schaffer confirmed for the assembled reporters that the world’s utilities and industries are becoming increasingly vulnerable. He said that disgruntled employees, hackers and perhaps foreign governments “are knocking on the doors of these systems and there have been intrusions.”
Most industrial threat cyberattacks have been conducted by private individuals or criminal organizations. But they could also be conducted by governments, and these could include cyberattacks in support of traditional war or war-like hostilities. Terrorists are also seeking the capacity to launch cyberattacks with physical effects. Details of U.S. SCADA systems have been found on computers captured from al Qaeda.
In addition to physical effects such as property damage, industrial threat cyberattacks can cause business interruption, or give rise to liabilities for contract breaches or torts. If the disruption affects the target’s business associates, vendors or customers, they too may assert claims.
Some of these may generate claims for insurance coverage that differ from those typically arising from data breaches revealing personally identifiable information. Resolution of these claims will depend on the nature of the attack, the damages, the claims, the type of policy and its terms and exclusions. Questions of causation could complicate the analysis. So would the involvement of insiders. And industrial threat cyberattacks will certainly present issues of attribution among individuals, criminals, hacktivists, terrorist organizations, and governments.
Imagine an attack on power utilities in a Western country. U.S. intelligence agencies point to Iran, but Iran denies culpability. Al Qaeda claims responsibility, but there is no independent evidence of its involvement. A group of criminals believed to be in the U.S. also claims responsibility, and seeks to extort money by threatening future attacks. And short selling in foreign markets implies knowledge and involvement by foreign business or criminal actors. On these facts, determining the scope and effect of potentially applicable insurance coverages would raise many challenges.
Exposures to loss and theft of data impose significant cost and burdens on businesses, and can trigger claims under certain insurance policies. These continue to occur, and ongoing dedication of resources and attention is required to prevent them and mitigate the related exposures, such as notification of affected individuals and governmental agencies, costs of remediation, and reputational harms. But industrial threat exposures go far beyond the ordinary costs of breaches. They impose significant risks of physical harm and destruction, including potentially significant environmental damage, incapacitation of a nation’s ability to respond to more conventional threats, and loss of life. Companies and their insurers, particularly those involved in critical infrastructure sectors, are challenged to assess their risks from industrial threat cyberattacks and take steps to mitigate their exposures.