Insurance Blog | Wadsworth | The O'Neill Group

Pat O'Neill
May 12, 2018

Do You Need Cyber Security for Your Industrial Control System in Ohio?

More than ever before, companies like yours are aware of the potential financial impact of a cyber hack.

But many wrongly assume that the steep financial burden of a cyber attack in Ohio is exclusively tied to damaged digital assets, lost records and the price of investigating and reporting a data breach.

While those costs of cyber crime represent a considerable hit, damage to your company’s physical assets, like its industrial control system (also referred to as an ICS), can be just as harmful.

Cyber crimes that result in physical damage typically occur when a hacker gains access to your computer system that controls your equipment in a manufacturing plant, refinery, electric generating plant or similar operation.

After the hacker gains access to your ICS, they can then control that equipment to damage it or other property.

This can lead to a major disruption in your business.

To protect your physical assets, it’s critical that you understand the types of companies and assets that are exposed to these cyber hacks, and identify if you fit the mold.

What’s at Risk When a Cyber Attack Occurs?

To better understand what kinds of physical losses can occur following a data breach, it’s helpful to compare cyber crime to a natural disaster or other industrial accident.

Following these kinds of incidents, companies often incur costs to repair and replace damaged equipment in addition to any lost revenue that’s caused by the disruption.

Unlike natural disasters, cyber crimes that result in physical damage aren’t limited to geographic location and can impact an entire network.

This means that damage caused by a breach can be widespread, affecting multiple sectors of the economy depending on the target.

Because of this, cyber crimes that cause physical damage are often dynamic and extensive. When critical infrastructure is impacted by a cyber hack, it not only affects your company owners and operators, but your suppliers, stakeholders and customers as well.

Is Your Business at Risk of a Cyber Threat?

Cyber crimes that result in physical damage, including the targets, assailants, motives and means of the attack, are constantly evolving.

Incidents can occur in a variety of ways, including phishing scams, internet exchange point attacks, breaches of unsecured and unencrypted devices, and even plots carried out by rogue employees.

When discussing these cyber crimes, many experts cite power and energy sector companies as the most at risk.

But vulnerabilities also exist in utilities, telecommunications, oil and gas, petrochemicals, mining and manufacturing, and any other sectors where industrial control systems (ICS) are used.

The ICS is an open computer system used to monitor and control physical processes as well as streamline operations and repairs. It’s not often designed with cyber security as a primary consideration, which leaves it susceptible to an attack.

What’s more, for many automated processes, attacks don’t even need to cause physical damage to result in significant disruption and losses.

The targets of cyber crime that result in physical damage vary greatly by industry, and the damage from a cyber crime can be extensive due to the interconnected nature of the ICS.

Here are a few examples of how this has happened on a global scale:

Because companies are not always required to make cyber attacks that cause physical damage public, they largely go unreported.

But the following are a number of high-profile incidents that demonstrate how vital it is for you to consider physical and infrastructure cyber risks:

Ukrainian Power Grid Attack - This was a multistage, multisite attack that disconnected seven 110 kilovolt (kV) and three 35 kV substations. Together, the attack resulted in a power outage for 80,000 people and lasted for three hours. Using only a phishing scam, the attackers were able to cause substantial, prolonged disruption to the economy and general public.

Saudi Arabian Computer Attacks - In these incidents, hackers destroyed thousands of computers across six organizations in the energy, manufacturing and aviation industries. Through a simple virus aimed at stealing data, computers were wiped and bricked. Not only did this mean critical business data was lost forever, but all of the damaged computers had to be replaced - a substantial fee for businesses of any size. This attack was similar to an attack on Saudi Aramco, the world’s largest oil company, which destroyed 35,000 computers.

Petrochemical Plant Attack - This attack targeted a Saudi Arabian petrochemical plant. The attack was unique in that it wasn’t designed to steal data, but rather sabotage operations and trigger an explosion. The only thing that prevented an explosion was a mistake in the attackers’ computer code. Had the attack been successful, the plant would likely have been destroyed and many employees could have died. Experts are concerned that similar attacks could be carried out across the globe.

Hospital Ventilation Attack - In this incident, a hacker was able to damage and control a hospital’s HVAC system using malware. This attack put the safety of staff, patients and medical supplies in jeopardy, as the hacker could control the temperature of the facilities at will.

Hacks causing physical damage will likely become increasingly common as technology advances and hackers continue to get more creative.

Even if your business insurance policy includes physical or nonphysical damage coverages, that doesn’t necessarily mean you’re covered for first- or third-party losses from cyber attacks.

The level of protection your company has depends largely on the structure of your insurance policies.

As such, it’s critical for your business to do its due diligence and understand whether its policies do the following:

  • Impose any limits on coverage, particularly as it relates to physical damage of tangible property
  • Cover an attack and any resulting damages
  • Provide contingent coverage for attacks that aren’t specifically targeted at the organization

While it’s important to speak with a qualified insurance advisor about your cyber insurance policy options, there are a number of steps you can take by yourself to protect your physical assets.

In addition to implementing a cyber risk management plan, your company should consider doing the following to protect your data:

  1. Keep your software up to date
  2. Back up your files regularly
  3. Train your employees on common cyber risks and what they should do if they notice anything suspicious
  4. Review your exposures and speak with your insurance advisor to discuss policy options for transferring risk.

Next Step

If your business operates off of an industrial control center, it’s critical to review your cyber security plan and ensure your physical assets are not at risk of being damaged.

Talk with a risk advisor to help identify the risks your organization faces and to help you secure a cyber liability insurance policy so that, in the event a cyber attack happens, your organization is protected.

My name is Pat O’Neill, and I’m a Risk Advisor here at The O’Neill Group, a risk management and insurance firm in Wadsworth, Ohio. I’d love to learn more about your organization, help you identify the unique risks you face and develop strategies to reduce those risks and protect your business.

Let’s talk.

Click here to select a time on my calendar that’s convenient for you.
