Articles
Manufacturing and process plant are now vulnerable to cyber-attack in much the same way as organisations or countries that have been targeted, a leading insurer has said. But it may take a massively disruptive attack on an installation to make companies sit up and take notice.
Stephen Wares, a cyber-warfare expert at London insurance broker Marsh, said the power of electronic warfare to disable production facilities was demonstrated by the 2010 attack using a computer virus called Stuxnet that temporarily disabled 1,000 centrifuges that Iranians were using to enrich uranium.
“While most hacking is targeted at individuals and personal data, in the last 12 months there has been a move to focusing on manufacturing and control systems,” Wares said.
A data breach last year at US retailer Target affected information on more than 70 million customers – names, addresses, phone numbers and e-mail addresses were hacked. That sort of incident was now more likely at industrial facilities given their increased connectivity to the internet, Wares said. “Connection to the internet introduces vulnerability. The Stuxnet attack highlighted – on a military scale – what could be done to an industrial facility.”
Engineering companies needed to focus on keeping office IT systems and process control separate, Wares said. “Obviously IT is more easily penetrated than process control systems – but there is a link, and malicious code can be routed between the two. Security companies and those who design these architectures need to look at how they can be separated.
“From an insurance point of view, the market is alive to the possibility that a major facility such as an offshore oil and gas platform, refinery, manufacturing facility, or power plant could be affected – leading to business interruption, property damage, or both.”
Currently, policies that cover property damage go “some or all of the way” to excluding damage based on hacking, he said. This means manufacturers are not guaranteed indemnity in the event of a hacking incident. “That’s a very large uninsured exposure, potentially,” said Wares. IT “forensics” companies would need to be brought in to assess whether it had indeed been a cyber-attack that caused an outage.
Wares said there had been a growth in the number of firms taking out business interruption policies that included cover against malicious electronic attacks. In Europe, there was a growth of 80% in the number of companies taking out these policies in the second half of last year. “We are seeing a rapid increase in the take-up of cyber products from industrial and manufacturing companies,” he said. “There is increasing work in identifying and quantifying the risks.
“A similar event to Stuxnet in industry could have a profound effect. But we are already seeing a change in awareness.”