The Overlooked Physical Exposures of a Cyber-attack

More than ever before, organisations are aware of the potential financial impact of a cyber-attack. Many wrongly assume that the steep monetary burden of a cyber-attack (exacerbated by new, higher fines under the GDPR) is exclusively tied to damaged digital assets, lost records, and the price of investigating and reporting a breach. While those expenses represent a considerable hit, damage to an organisation’s physical assets can be just as harmful.

Cyber-attacks that cause physical damage typically occur when a hacker gains access to a computer system that controls equipment in a manufacturing firm, refinery, power station or similar operation. After the hacker gains access to an organisation’s machinery, they can then control that equipment to damage it or other property.

These types of events can lead to major disruptions and costly damages. To safeguard their physical assets, it’s critical that organisations understand what types of businesses and assets are exposed to these attacks.

What’s at Risk?

To better understand what kinds of physical losses can occur following a breach, it’s helpful to compare cyber-attacks to a natural disaster or other industrial accident. Following these kinds of incidents, organisations often incur costs to repair and replace damaged equipment in addition to any lost revenue caused by the disruption.

Unlike natural disasters, however, cyber-attacks that cause physical damage aren’t limited to a geographic location and can impact an entire network. This means that damages caused by a breach can be widespread, affecting multiple sectors of the economy depending on the target.

Because of this, cyber-attacks that cause physical damage are often dynamic and extensive. When an attack on critical infrastructure occurs, it not only affects business owners and operators, but suppliers, stakeholders and customers as well.

Who’s at Risk?

Cyber-attacks that cause physical damage—the targets, the assailants, the motivations and the means of the attack—are constantly evolving. Incidents can occur in a variety of ways, including phishing scams, internet exchange point attacks, breaches of unsecured and unencrypted devices, and even plots carried out by rogue employees.

When discussing these attacks, many experts cite power and energy sector organisations as the most at risk. However, vulnerabilities also exist in utilities, telecommunications, oil and petrol, petrochemicals, mining and manufacturing, and any other sectors where industrial control systems (ICSs) are used.

ICSs are open computer systems used to monitor and control physical processes as well as streamline operations and repairs. ICSs are often not designed with security as a primary consideration, which leaves them susceptible to attack. What’s more, for many automated processes, attacks don’t even need to cause physical damage to result in significant disruption and losses.

So, when it comes to the emerging risk of cyber-attacks that cause physical damage, targets vary by industry and the damages can be extensive due to the interconnected nature of ICSs.

Real-world Examples

Because organisations are not always required to make cyber-attacks that cause physical damage public, they largely go unreported. However, the following are a number of high-profile incidents that demonstrate how important it is to consider physical and infrastructure cyber-exposures:

  • Ukrainian power grid attack—This was a multistage, multisite attack that disconnected seven 110 kilovolt (kV) and three 35 kV substations. In total, the attack resulted in a power outage for 80,000 people that lasted for three hours. Using only a phishing scam, the attackers were able to cause substantial, prolonged disruption to the economy and general public.
  • Saudi Arabian computer attacks—In these incidents, hackers destroyed thousands of computers across six organisations in the energy, manufacturing and aviation industries. Through a simple virus aimed at stealing data, computers were wiped and bricked. Not only did this mean critical business data was lost forever, but all of the damaged computers had to be replaced—a substantial cost for businesses of any size. This attack was similar to an attack on Saudi Aramco, the world’s largest oil company, which destroyed 35,000 computers.
  • Petrochemical plant attack—This attack targeted a Saudi Arabian petrochemical plant. The attack was unique in that it wasn’t designed to steal data, but rather sabotage operations and trigger an explosion. The only thing that prevented an explosion was a mistake in the attackers’ computer code. Had the attack been successful, the plant would likely have been destroyed and many employees could have died. Experts are concerned that similar attacks could be carried out across the globe.
  • Hospital ventilation attack—In this incident, a hacker was able to damage and control a hospital’s heating and air conditioning system using malware. This attack put the safety of staff, patients and medical supplies in jeopardy, as the hacker could control the temperature of the facilities at will.

Attacks causing physical damage will likely become increasingly common as technology advances and hackers continue to get more creative. Even more concerning is that these kinds of attacks not only endanger a company’s data, reputation and finances, but human lives as well.

How Do I Protect My Organisation?

Insurance cover for cyber-attacks that cause physical damage is still in its infancy, and your organisation may have gaps in protection. Even if your commercial property insurance policy includes physical or non-physical damage covers, that does not necessarily mean you’re covered for first- or third-party losses from cyber-attacks.

The level of protection your company has depends largely on the structure of your policies. As such, it’s critical for businesses to do their due diligence and understand whether their policies do the following:

  • Impose any limits on cover, particularly as it relates to physical damage of tangible property
  • Cover an attack and any resulting damages
  • Provide contingent cover for attacks that aren’t specifically targeted at the organisation

While it’s important to speak with a qualified insurance broker about your cyber-risk policy options, there are a number of steps businesses can take by themselves to protect their physical assets. In addition to implementing a cyber-risk management plan, businesses should consider doing the following to protect their data:

  1. Keep all software up to date.
  2. Back up files regularly.
  3. Train employees on common cyber-risks and what they should do if they notice anything suspicious.
  4. Review your exposures and speak with your insurance broker to discuss policy options for transferring risk.

For more cyber-related content, contact Direct Insurance Corporate Risks today.

website: www.dicr.co.uk

email: info@direct-ins.co.uk

telephone: 01277 844 360

Aftermath of WannaCry Ransomware Yet to Be Seen

WannaCry, a ransomware program that targets a vulnerability in outdated versions of Microsoft Windows, has spread across 150 countries and infected more than 230,000 computers since it was launched on 12th May. It disrupted many NHS hospitals in England and Scotland, infecting up to an estimated 70,000 devices including computers, MRI scanners, blood-storage refrigerators and theatre equipment.

Microsoft was aware of this cyber security gap and, as a precaution, released a Windows security update in March. However, many users have not yet run the update, which has allowed WannaCry to spread quickly.

As of 15th May, the spread of the ransomware program appears to have slowed down, but employers and their employees should be careful, as the effects in the United Kingdom have yet to be fully determined.

An Overview of WannaCry
After infecting just one computer, WannaCry can spread to every device in a network within seconds. It works by locking users out of their computers before demanding money in order to regain control of their data. Initially, WannaCry requests about £230, but, if no payment is made within three days, it then threatens to double the amount. If no payment is made within that time, the ransomware program then threatens to delete files after seven days.

According to Elliptic, a London start-up that helps law enforcement agencies track criminals, around £39,000 worth of bitcoin payments have been made to the hackers as of 15th May.

Response to the WannaCry Ransomware Attack
No one is certain about who is behind the attack, but Europol is working on a decrypting tool. Many firms hired experts over the weekend to prevent new infections, which seems to have worked in Europe, so far.

After the initial discovery of the WannaCry ransomware, Microsoft issued a warning to the US government concerning its data-storing practices. Microsoft claimed that the tool used in the WannaCry cyber attack was developed by the US National Security Agency and was stolen by hackers.

Cyber Security Precautions
Some experts recommend that you should not pay the ransom if you’ve been hacked, as there is no guarantee that the hackers will return the files to you unharmed, if returned at all. Experts also recommend that you take the following precautions:

  • Update your network security.
  • Run the Windows update and turn on auto-updaters, if available.
  • Install and update anti-virus as well as anti-malware software on all of your organisation’s computers.
  • Provide your employees with cyber security training. This should include valuable best practices, such as how to recognise a cyber attack and phishing email scams.
  • Back up your documents regularly onto a separate drive.
  • Purchase comprehensive cyber insurance to ensure that your organisation can sustain a cyber attack.

Contact Direct Insurance Group if you have any further questions regarding how you can avoid disruptive business interruptions from cyber attacks.
