A “Tale of Two Cities” – where are the insurance companies?
According to an article in BBC (http://www.bbc.com/news/technology-26358042), underwriters at Lloyd's of London say they have seen a "huge increase" in demand for cover from energy firms, but the surveyors who assessed the cyber-defenses in place concluded those defenses were inadequate. "In the last year or so we have seen a huge increase in demand from energy and utility companies," said Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London.
The market is one of few places in the world where businesses can come to insure such things as container ships, oil tankers, and large development projects and to secure cash that would help them recover after disasters. Now, she said, the same firms were seeking multi-million pound policies to help them rebuild if their computers and power-generation networks were damaged in a cyber-attack.
"They are all worried about their reliance on computer systems and how they can offset that with insurance," she said. Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out.
Now, compare this to the US electric industry. There has been no mad rush for cyber insurance, as the focus has been NERC CIP and compliance, not security. The major reinsurers and member companies are currently looking at a number of potential cyber insurance policy forms, some of which require the third-party assessment outlined in the BBC article. They hope this assessment will raise awareness of control system “soft underbellies” and result in some preventative measures. The industry is still in the throes of developing a cyber solution and will have a more definitive idea of where it is headed on the coverage issue later this year or next.
Why are these discussions relevant at this point in time? At the October 2013 ICS Cyber Security Conference, a generating utility discussed a recent “significant near miss”. They had a combustion turbine acting as a cogeneration unit at a large industrial complex. The turbine was probably worth $100 million and the industrial complex probably $500 million to $1 billion. The utility received a security patch from their turbine vendor. They installed the patch and brought the turbine up to power. However, the turbine patch prevented the HMI from refreshing – a loss of view of the process. Consequently, the operator chose to shut the turbine down from the HMI. The operator was NOT ABLE TO SHUT THE TURBINE DOWN! In this case, the failure was unintentional, but this would not be difficult to cause maliciously. When I presented this case to electric industry insurers and utility risk managers, there was a palpable unease in the room. This problem would NOT be addressed by NERC CIP, yet the consequences are enormous.
Why are the British/Europeans so much more concerned about ACTUAL cyber security than the US electric industry? I hope Wall Street and the risk managers are listening!