Cybercrime on the OT: Hackers are accessing operations, not just networks
By Libby Benet, Global Chief Underwriting Officer, Financial Lines, AXA XL
Ransomware attacks are doing more than threatening to expose proprietary information; they’re shutting down operations.
In June 2020, one of the world’s largest auto manufacturers was forced to shut down production for a day. The problem: hackers had planted a computer virus in the automaker’s internal computer networks, which shut down systems and locked employees out of email and servers.
However, the hackers went further; the ransomware infiltrated systems along the production line, including the car inspection system. Production at plants in Japan, Turkey, Brazil, India, and the US was disrupted, in some cases for more than a day. By crippling production, the hackers hoped to force ransom payment.
The tool hackers appear to have used is software designed to infiltrate control systems in factories, power plants, and other industrial facilities. Such software is not designed to steal data, but rather to infect operational systems, rendering them useless and bringing business to a halt.
To date, much of the focus of cybercrime prevention by companies has been on protecting internal data – trade secrets, employee personal information, payroll, health insurance, internal records. However, manufacturers also have operational technology (OT) systems. These systems control production equipment, detect changes, monitor operations, and keep production lines running smoothly.
That is, until a breach occurs. Unfortunately, attacks on OT infrastructure are on the rise. One study reveals that 90% of industries across the globe had suffered at least one damaging cyberattack between 2017 and 2019, and nearly two-thirds admitted to being hit at least twice.
These OT attacks are hitting organizations by disrupting:
Fire safety equipment
Lighting controls and energy monitoring
Until 2010, attacks like these on the OT infrastructure were the stuff of espionage and government-backed attacks.
Today cyberweapons have become tools for cyber thieves. Because an OT attack can cause a widespread shutdown of operations, hackers are seeing the potential for high ransom amounts. The hackers too have evolved. No longer lone actors, sophisticated hacking groups are targeting big business with attacks that can be launched from anywhere in the world.
The threat for industries is exponentially larger. Whereas in the past a breach could shut down systems and compromise data, the OT breach can result in a devastating fire, bodily injury, or environmental damage. The monetary losses alone would far outweigh those associated with the more traditional privacy breach cyberattack.
Is It Covered?
Since cyberattacks grew in frequency and severity, the insurance market has responded well. Most have focused on the privacy breach event, which is where most of the threats were occurring. In the US there are several markets that write that form of insurance. Cyber insurance is less mature outside the US. Those types of policies have evolved to cover several types of first and third party losses that can arise from a breach.
However, cyber policies typically exclude property damage and bodily injury. Breaches that threaten property via an OT attack are new enough that policy wording has to catch up. There is no single way the cyber peril is addressed in Property: sometimes the forms are silent, sometimes they exclude it, and sometimes they give sub-limited affirmative grants. In the US, a general liability policy typically excludes the privacy breach type losses while reserving third party liability coverage for bodily injury or property damage, but even that is not entirely clear cut.
At present, global insurers have adopted the practice of making explicit statements regarding whether cyber-related losses are covered or excluded, and to what extent. That gives some clarity to policyholders but does not spell out the intricacies of coverage. For example, property coverage can come with a cyber events exclusion but offer a “write back” for fire or explosion or some other limited perils.
To date, bodily injury and property damage are still not excluded. However, as losses mount or should the reinsurance market decide to exclude it, that could change.
For the property and casualty insurers, the knowledge regarding the impact of OT attacks is still in its infancy. Understandable, because until recently, such attacks did not happen in the mainstream corporate environment. However, as these claims begin to mount in frequency and severity, insurers and industry alike need answers.
We as an industry need to continue learning about cyberattacks and their impact on various industries and operations. Insurers should be trying to understand just how much of a company’s operations is vulnerable to cyberattack and should be underwriting the exposures that cannot be mitigated fully.
Organizations themselves can decrease their loss exposures by conducting risk assessments that include their OT infrastructure. Tabletop exercises and mitigation strategies, along with regular patches and updates to security systems, can help companies prepare for an attack, and potentially thwart hackers.
Have a conversation with your insurer. An insurer that has expertise in cybersecurity can review your current coverage and outline the protections that are in place. They can also walk your organization through self-insured retention or other options to ensure that remediation is in place in the event of an attack.
Cyberattacks are continuing to evolve, much as the hackers themselves are doing. Unfortunately, not all insurance coverage can keep up with, or cover completely, the nuances of each iteration in the cyber threat chain.
Your production line, your equipment, your processes can be accessed and controlled with the same ease and dexterity that hackers use to get into your systems. In fact, by accessing your systems, cyber thieves have full access to the whole of your operations.
By knowing all you can about these attacks – and about how your current policies will or will not respond – your organization can be better prepared for any attack. Work with your insurer to put protections in place that help reduce loss and ensure stronger operational readiness going forward.
Libby Benet is Global Chief Underwriting Officer, Financial Lines at AXA XL.