The risk of physical damage or injury due to cyberattacks on industrial control systems is becoming. “increasingly likely,” and poses a real threat to the cyber insurance world, according to a new study from Lloyd’s of London, CyberCube, and Guy Carpenter.
Information technology and operational technology are coming closer together, due in large part to increased use of internet-connected devices to run systems. A cyberattack on a critically significant industrial site could lead to property damage, particularly in the manufacturing, energy, transportation, or shipping sectors. This is extremely dangerous, and could lead to injury or loss of life.
“As bridges are being built between IT and OT and there is increased automation and greater sophistication of threat actors seeking new avenues to create disruption, incidents are increasingly likely."
Three potential scenarios for major insured losses include: a targeted supply chain malware attack; a targeted attack on an Internet of Things vulnerability; and infiltration of industrial IT networks to gain access to “air-gapped” OT machines. The report outlines the pathways to each scenario as undertaken by nation-state actors, which are viewed as the mostly likely culprit in terms of resources and sophistication.
The scenarios could produce property damage and destruction, loss of life, business interruption, contingent business interruption, loss of shareholder value and data, and bricking of devices. A wide range of insurance lines of business would see an impact, well beyond standalone cyber coverage.
None of the proposed scenarios are without historical precedent – researchers cited the 2020 SolarWinds hack as a targeted supply chain event; Stuxnet and NotPetya as attacks that crossed the divide between IT and OT, and an April 2020 attack on Israeli water facilities as a targeted IoT attack.
The report marks a “call to action” for the insurance industry – while affirmative cyber insurance continues to grow as a market, there is “a comparative lack of understanding and awareness of cyber-physical risks.” Lloyd’s advised its syndicates to monitor products carefully for exposure to cyber-physical threats, especially in portfolios with significant industrial concentrations.