Operational technology: an explosive entry point for cyber criminals?
30th May 2023
In 2017, a new malware was discovered at a Saudi Arabian petrochemical plant. Later labelled by the MIT Technology Review as the “world’s most murderous malware”, Triton had the ability to allow hackers to remotely take over safety systems and cause them to malfunction with dire consequences to equipment, the plant itself, and even people’s lives. In this instance the malware was discovered but it underlined the ongoing and growing vulnerability of operational technology to cyber attacks as criminals look for new weaknesses to exploit.
“It’s a vulnerability made worse by the growth in changed working practices post-pandemic,” says Hiscox’s Eddie Lamb – Cyber Education and Advisory, “with the opening of more indirect connections from the internet to operational technology, allowing opportunities for hackers to find and exploit. And for industries with a high dependence on operational technology – from manufacturers, to transport and logistics – there is a genuine risk of a cyber attack leading not just to a potential shutdown, but a physical risk of fire and explosion to people and property.”
The tech link to the ‘physical world’
Operational technology – or OT – encompasses the computer hardware and software used to control and monitor equipment. The UK’s National Cyber Security Centre defines it as “technology that interfaces with the physical world and includes industrial control systems (ICS), supervisory control and data acquisition (SCADA) and distribution control systems (DCS)”. In practice, OT could be responsible for switching on and off a pressure valve in a heating system, controlling a robot in an automated warehouse, or even the operation of an MRI scanner in a hospital. “In the past, OT – unlike IT systems – has been largely separate from a networked environment, making it less vulnerable to a cyber security incident but that is changing,” says Lamb. “The pandemic, for example, has encouraged more remote working which has meant opening indirect connections to the OT environment, but there is also a general trend for convergence between IT and OT systems to take advantage of the smart benefits from developments such as the internet of things.”
It's a growing cyber exposure that has not gone unnoticed at governmental level. In March 2023 the US government warned in its National Cybersecurity Strategy that as essential infrastructure sheds its old “analog control systems…rapidly bringing online digital operational technology” and moving essential systems online, it will make “cyberattacks inherently more destructive and impactful to our daily lives”. And while industries might be at the early stages of this ‘convergence’ there are already examples where malicious interference with OT has led to large scale property damage, or at least the threat of damage.
Operational technology failures
The most infamous example of a cyber attack on OT leading to a major physical event was the Stuxnet attack on Iran’s nuclear capabilities over a decade ago, which damaged the country’s nuclear centrifuges in what many believe to be the first major incident of a cyber attack designed to hit the OT of its target rather than the IT systems. In 2014, a German steel mill was targeted and was unable to shut down properly, causing “massive damage” to a blast furnace. Since then, the vulnerability of operational technology to cyber criminals has continued to grow. “There are numerous incidents of cyber attacked OT leading to major shutdowns of manufacturing plant and equipment and all the knock-on effects that such an interruption can have,” says Lamb. “And, even if the OT is not directly impacted by the attack, the indirect impact still requires a disablement of the OT system, otherwise you’d end up with a loss.” The Colonial Pipeline was put out of action in 2021, for example, because of uncertainty as to how far the pipeline’s OT had been affected by a ransomware cyber attack on its IT systems.
Such is the ongoing threat to OT, insurers are growing increasingly concerned about the associated risks. “A systems failure could overload safety critical equipment causing incidents like explosions resulting in bodily injury and other potential general liability insurance claims,” says Lara Frankovic - General Liability Line Underwriter for Hiscox London Market. “And as we head towards internet 4.0 and an ever-connected world, there will only be more ways for OT to access the internet and we’ll see greater potential for hacks.”
There is also acknowledgement in the insurance industry of the increasing possibility of physical damage from a cyber attack on OT, with the development of cyber property damage insurance products. “The CZ risk code in the insurance market recognises the increasing risk of property damage being caused by a cyber event,” says Tim Andrews – Cyber Line Underwriter at Hiscox London Market. The code should help to fill the gap between existing property cover and cyber cover. “We haven’t seen claims activity on the CZ side yet, but OT is also a big area of interest for cyber insurers in the non-property damage area and the risk of interruption to manufacturing processes in the event systems have to be shut down.”
Protecting your OT
With regulators keen to see businesses and organisations taking steps to secure their OT, understanding what insurers look for when assessing a potential new insured could be helpful. “The first step we take is to thoroughly understand the specific details of the OT in use and the associated systems involved in the risk. This would include gathering information on the type and level of automation, the control systems in place, and the potential impact of failure or downtime,” says Hiscox’s Frankovic. “I would also assess the company's level of expertise in managing these systems and cyber security, including its training and maintenance programs. Finally, we would need to assess the likelihood and potential severity of losses associated with the OT. This would involve analysing historical loss data, examining the potential for equipment failure, and evaluating the effectiveness of the risk management including mitigation strategies in place, the company’s response plans and procedures for handling emergencies.”
Time for a rethink
Much of this work may well have been done for an organisation’s IT systems as part of its cyber security strategy: it’s now clear that the same processes must also encompass OT systems. But the insurance industry can also play its part in helping to combat the risk by providing solutions to match changing client needs. “The connected world calls for a connected approach to risk and insurance where insurance classes including cyber, property, and general liability all need to share knowledge and expertise to effectively respond to the new and evolving risks businesses are facing,” says Andrews.