Cyber insurance faces 'turning point' on industrial systems attacks

March 9, 2021

The risk of physical damage or injury due to cyberattacks on industrial control systems is becoming. “increasingly likely,” and poses a real threat to the cyber insurance world, according to a new study from Lloyd’s of London, CyberCube, and Guy Carpenter.

Information technology and operational technology are coming closer together, due in large part to increased use of internet-connected devices to run systems. A cyberattack on a critically significant industrial site could lead to property damage, particularly in the manufacturing, energy, transportation, or shipping sectors. This is extremely dangerous, and could lead to injury or loss of life.

“As bridges are being built between IT and OT and there is increased automation and greater sophistication of threat actors seeking new avenues to create disruption, incidents are increasingly likely."

Three potential scenarios for major insured losses include: a targeted supply chain malware attack; a targeted attack on an Internet of Things vulnerability; and infiltration of industrial IT networks to gain access to “air-gapped” OT machines. The report outlines the pathways to each scenario as undertaken by nation-state actors, which are viewed as the mostly likely culprit in terms of resources and sophistication.

The scenarios could produce property damage and destruction, loss of life, business interruption, contingent business interruption, loss of shareholder value and data, and bricking of devices. A wide range of insurance lines of business would see an impact, well beyond standalone cyber coverage.

None of the proposed scenarios are without historical precedent – researchers cited the 2020 SolarWinds hack as a targeted supply chain event; Stuxnet and NotPetya as attacks that crossed the divide between IT and OT, and an April 2020 attack on Israeli water facilities as a targeted IoT attack.

The report marks a “call to action” for the insurance industry – while affirmative cyber insurance continues to grow as a market, there is “a comparative lack of understanding and awareness of cyber-physical risks.” Lloyd’s advised its syndicates to monitor products carefully for exposure to cyber-physical threats, especially in portfolios with significant industrial concentrations.

MIT Cybersecurity Clinic

The new MIT Cybersecurity Clinic (11.274 and 11.074) will be offered in both the fall and spring semester at MIT.

The Cybersecurity Clinic will consist of four-modules : Cybersecurity for Critical Urban Infrastructure: Understanding the Problem; How the MIT Cybersecurity Clinic Makes Initial Contact with potential Client Agencies; Onsite Assessment of Cybersecurity Vulnerability by MIT Clinic Staff; and Prepare and Submit a Final Cybersecurity Vulnerability Assessment to a Client Agency. MIT students who want to take on field assignments with the Cybersecurity Clinic (for academic credit) must pass the certification examination offered at the end of the fourth module.

Students who have achieved certification, will work in teams supervised by advanced doctoral and post-doctoral students during the last nine weeks of the spring semester to collaborate with an assigned client agency to prepare a Cyberattack Vulnerability Assessment for a client agency.

Social Cyberdefense of Critical Urban Infrastructure

MIT Cybersecurity Clinic

Who We ARe

Resources

About this Blog

Recent Blogs