Control system cyber security and the insurance industry

I have felt that the insurance companies can be a major player in driving the need to adequately secure control systems.  Consequently, when I was asked the following questions by Advisen (http://www.advisenltd.com/) for their Cyber Risk Network newsletter, I felt that could be a valuable venue to get the message out to people who may not be familiar with control system cyber security. Advisen reaches more than 150,000 commercial insurance and risk professionals at 8,000 organizations worldwide. I will be on a panel at the Advisen Risk Conference in San Francisco March 3rd.

Response to Advisen:

Industrial control systems are the computing systems that monitor and control physical processes in electric substations, power plants of all types, refineries, pipelines, water and waste water systems, chemical plants, manufacturing facilities, transportation, building control systems, and even medical systems.

Question: What do you see as the greatest cyber risks industrial companies face today?

In my opinion, the most important risk that most companies currently face is the lack of adequate understanding and commitment to address control system cyber security by senior management. Control system cyber security is about cyber securing physical processes to “keep lights on and water flowing” not identity theft or industrial espionage. Without senior management commitment, it will be very difficult to adequately secure control systems. Moreover, securing control systems is different than securing business IT systems. A major threat to the reliability and safety of control systems are IT organizations using inappropriate technologies, policies, and testing to “secure” control systems. Another issue that impacts the cyber security of control systems is the compliance mindset. The North American electric and U.S. nuclear industries are focused on compliance (checking the box) rather than adequately securing the electric systems and nuclear plants against many known cyber threats.

Question: What are the emerging risk issues to industrial control systems?

In my opinion, there are several levels of risk. The first is unintentional cyber incidents. Unintentional cyber incidents have caused very significant impacts including destruction of large equipment, environmental discharges, and even deaths. Because unintentional cyber incidents aren’t malicious targeted attacks, the impacts are generally localized to the specific facility. With the movement to the “Internet of Things” and installing cyber-sensitive technologies, there may be more and more unintentional control system cyber incidents that may not be localized.

Malicious, though untargeted cyber attacks include “viruses and worms” that can affect control systems when control systems are connected to corporate networks, the Internet, or third party networks. This is where the concept of the “Internet of Things” can be such a cyber threat enabler.

In my opinion, the most frightening risks are nation-states such as Iran or North Korea deciding to cyber attack our infrastructures - and they have the capability to do that.

Question: Is the insurance industry doing enough to adequately address control system cyber risks?

In my opinion, the answer is no. I have found securing control systems often is not well understood by many insurance companies. There are two aspects of securing control systems that can affect insurance companies. If understood, insuring secure control systems can be a new revenue stream (the positive). On the other hand, insuring companies with inadequately secured control systems can be lead to major insurance company liabilities on the order of hundreds of millions of dollars (the negative). Accepting control system cyber compliance rather than actual security will not lessen the potential liabilities to the insurance industry.

Question: What keeps you awake at night?

What keeps me awake is the general lack of understanding about control system cyber security by decision makers and the consequent inappropriate decisions made that can affect the cyber security and reliability of control systems. Much of our critical industrial infrastructures are effectively open to hackers. The damage can be devastating to our country and economy.

Question: In your opinion, what is the single most important control system cyber risk development in the past 12 months?

In my opinion, the single most important control system cyber risk are hackers and nation-states realizing our critical infrastructures can be cyber targets and the accompanying lack of appropriate attention by senior management to these threats.

Joe Weiss