We tend to think that critical systems responsible for managing oil rigs, power stations, steel production plants, are somewhat immune to what happens in the “wild west” of cyberspace. News of cyberattacks tend to focus on data theft, financial heists, or bringing down websites; they are contained within IT systems. If cyberattacks are contained in the cyber world, then the logic goes that only cyber insurers should be concerned by the risk.
There is also a sense of security in the belief that critical control systems for “real world” assets and processes would either be too mechanical, too old, not connected to the same network as the wider Internet, or would run on their own networks. The reality is that industrial control systems (ICS) that manage energy, water, transport, communications, and manufacturing plants, are increasingly managed and controlled remotely or need to be networked. Wherever the systems need to use a network, the systems are exposed to vulnerabilities on that network. For non-cyber insurers, this risk needs to be assessed and managed.
Away from the world of industrial control systems, the operation of everyday appliances, building management, power systems, navigation, and even medical devices rely increasingly on the use of networked sensors and control systems for device management. And every day, more devices seem to require a network connection to function effectively. Even your refrigerator requires a Wi-Fi connection these days, so you can visualize whether you’re running low on hummus, with three in-fridge cameras beaming images live to your smartphone. With every network connection created, the cyber risk for non-IT related devices increases.
Assessing Cyber-Physical Risk
At recent RMS joint cyber and terrorism seminars held in London and New York, we outlined why we have introduced a suite of five new “cyber-physical” risk scenarios in the newly updated RMS® Cyber Accumulation Management System (CAMS) version 2.0. The term cyber-physical relates to how cyber threat extends to the physical world, and for the (re)insurance industry, how cyber threat extends to non-cyber specific insurers, and into more traditional lines within the property and casualty market.
Éireann Leverett, senior risk researcher at the University of Cambridge Centre for Risk Studies, showed seminar attendees how powerful the humble computer mouse can be in controlling the physical world. For instance, according to the U.S. Department for Homeland Security who conduct research on cyberattacks affecting ICS, 16 percent of attacks are targeted at energy facilities.
(Not So) Super Mario
Leverett told us the story of Mario Azar, an IT consultant, who in 2008 felt aggrieved after not being offered a permanent position in the network operations center (NOC) for Pacific Energy Resources in Long Beach, California. Still with access rights to the control systems, he disabled the offshore oil platform’s leak detection system for three major oil derricks off the Southern California coast. Undetected for several hours, the rigs were exposed to explosion risk, and once detected, the loss of telemetry resulted in a security shutdown of all three rigs. Azar pleaded guilty to charges carrying a maximum ten-year prison sentence.
Oil Drilling Platform in the Santa Barbara Channel, California. Source: Flickr/Mike Baird
A single NOC can control up to fifty oil rigs, providing a single point of entry to a huge number of targets. Once inside, a saboteur can access the Platform Control System (PCS), and take charge of pipeline monitoring, positioning, alarm, and safety systems to name but a few. One can only imagine how far Azar could have gone.
In the “PCS-Triggered Explosions on Oil Rigs” scenario included in CAMS v2.0, we believe a determined operative can cause complete loss of a rig, potential damage to other rigs, and a production shutdown of the rigs controlled by the NOC and model the losses to the insurance industry that would occur.
This is just one example where capability exists today for malicious actors to cause significant physical damage to property. The five cyber-physical scenarios built into RMS CAMS version 2.0 give (re)insurers more confidence to explore the threat to both affirmative cyber policies and now for more traditional policies such as commercial lines. Please download our 2017 Cyber Risk Landscape report, or find out more about RMS CAMS version 2.0.