Lloyd’s has partnered with cyber analytics specialist CyberCube and reinsurance broker Guy Carpenter on a new report examining the increasing risk posed by ‘Internet of Things’ devices to industrial and manufacturing businesses.
The three firms conducted an analysis detailing scenarios which represent the most plausible routes by which a cyber-attack against industrial control systems (ICS) could generate major insured losses.
The report considers four key industries dependent upon ICS (manufacturing, shipping, energy, and transportation) and assesses precedent and potential impact on each, as well as three potential routes of attack by organised hackers.
The first route consisted of a targeted supply-chain malware attack in which malicious actors breach a device manufacturer and compromise that manufacturer’s products before distribution.
Another included a targeted attack in which attackers exploit a vulnerability in widely used Internet of Things (IoT) devices found in industrial settings.
The third saw the infiltration of industrial IT networks to cross the OT “air-gap”.
In one scenario, once attackers gained access to a target firm’s IT system, they exploit ICS to inflict physical damage on the plant. This could, for example, involve gaining control of water pumps or temperature regulation systems.
“The Lloyd’s market is advanced when it comes to insuring cyber risks and it is therefore vital Lloyd’s syndicates underwriting this class of business have the ability to analyse their portfolios against the most sophisticated and technologically advanced risk scenarios,” said Kirsten Mitchell-Wallace, Lloyd’s Head of Portfolio Risk Management.
“We know that the risk of ICS-based cyber-physical events is increasing and because of this, we’ve partnered with CyberCube and Guy Carpenter to create illustrative scenario pathways based on highly realistic threats and modes of attack.”
Pascal Millaire, CyberCube’s CEO, added, “Working alongside Lloyd’s and Guy Carpenter to design these scenarios was an important development for the insurance market in this increasingly important new risk.
“The potential for a major ICS attack is all too real today given several real-world examples of such attacks. As we roll out hundreds of billions of additional IoT devices, it will become even more important in the future and could eventually become a systemic risk for the global economy.”
Jamie Pocock, Guy Carpenter’s Head of GC Cyber Analytics – International said, “A major ICS attack could impact a broad range of industrial businesses and classes of insurance.
As these attacks cross the divide between information technology and operational technology, they could conceivably involve significant property damage and loss of human life. The key is continued research, surveillance, and risk selection to help improve underwriting standards and portfolio management.”