Cyber Terrorism

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.lloyds.com/news-and-insight/news-and-features/market-news/industry-news-2013/cyber-terrorism

Industrial facilities from nuclear plants to dams are increasingly coming
under attack from cyber terrorists bent on causing physical damage and
disruption from behind their computer terminals. But with the insurance
market yet to plug the gap between cyber and physical terrorism risk, the
Lloyd’s market has a key role to play in finding the solution.

The ability of hackers to wreak havoc on industrial facilities first became
apparent when the Stuxnet virus – a worm speculated to have been created by
the US and Israeli secret services to target Iran’s nuclear facilities –
successfully started disrupting uranium enrichment at the Natanz nuclear
station in Iran in 2010, before spreading to other facilities.

“Stuxnet was the first virus to create physical damage – it was purely
electronic in its origin but caused actual explosions and meltdown, which
hadn’t been seen before,” explains Laila Khudairi, Underwriter – Enterprise
Risk at Lloyd’s underwriter RJ Kiln & Co. “Now terrorists don’t need to
board planes and put bombs in location, but can use the internet to get
into critical infrastructure or nuclear facilities and cause explosions.
This is a new type of risk.”

Rick Welsh, Head of Cyber Insurance at specialist utilities and energy
industry insurer Aegis, believes cyber terrorists are not yet sophisticated
or commercialised enough to take down successfully a major facility, but
the use of malicious malware is rising year-on-year and Welsh is seeing an
increasing number of cyber-attacks on industrial facilities.

“For the moment the risk is still in the low vulnerability but high threat
quadrant, but that will be subject to change in next year or two,” he tells
lloyds.com. “We’ve been told of quite a few attacks that have been
successful but the scope of the damage has been kept out of the press and
downplayed. No-one wants to talk about it – particularly when it concerns
critical infrastructure.”

Finding the insurance solution

In the US, President Obama certainly considers the risk a subject worthy of
attention, having signed in February this year an executive order entitled
‘Improving Critical Infrastructure Cyber security’. But Welsh and Khudairi
both agree that despite the significant potential risk posed by
cyber-attacks on critical industry, the insurance market does not yet offer
a comprehensive solution.

“Cyber terrorism is addressed by the cyber market but the property damage
element is not, so there is a gap in cover,” explains Khudairi. “The
terrorism market excludes attacks electronic in nature, while the cyber
market covers hackers breaking into systems and bringing networks down but
doesn’t cover that Stuxnet-type scenario.”

Welsh says that brokers have little choice but to place their clients’
business through established silos of insurance, while plugging any gaps
with supplementary cyber add-ons. “Our [utility and energy] clients don’t
think like that,” he says. “For them, cyber risk is a central
organisational risk, so they are asking why the insurance market can’t look
at this more holistically. There are very few insurers able to do that.”

Looking to Lloyd’s

According to Welsh, the Lloyd’s market is expected to play a significant
role in solving the problem. “Even in the US they are looking to London –
and particularly Lloyd’s as a specialist market – for guidance as that’s
what we’re known to be good at,” he says, adding that Aegis is currently
working with clients to develop the kind of ‘holistic’ products they
require.

Meanwhile, Khudairi says RJ Kiln is also developing coverage for property
damage as well as business interruption caused by cyber terrorism. However,
she adds, capacity for these risks is still very limited, even in the
Lloyd’s market. “Lloyds has to monitor its aggregate exposures, but will do
whatever it can in order to meet demand.”

Welsh says there is likely to be uncertainty over pricing physical cyber
coverages, which will have to be probability-priced rather than actuarial
due to the fact that these risks are so new. “Pricing has got to find its
natural home, somewhere between property and cyber rates. For those that
want more coverage, in this environment of unknowns they are going to have
to pay more,” he says.

Khudairi and Welsh both say the level of awareness of cyber risks among
critical industry operators is rising, but that the quality of risk
mitigation varies significantly across the sector. “Some clients absolutely
adopt cyber security risk management guidelines yet there are others who
don’t really believe they have exposure, so rather than adopting cyber
security best practice they buy as much insurance as they can and try to
mitigate their exposure that way,” says Welsh.

He believes one step lawmakers could take is to standardise cyber security
on an industry basis. “The problem with operational security is that people
aren’t sure what those standards should look like,” he admits. “This is all
still new.”

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.