Observations from Advisen Cyber Risk Conference March 3rd in San Francisco

On March 3rd, 2015, Advisen held its Cyber Risk Insights Conference in San Francisco (http://www.advisenltd.com/events/conferences/2015/03/03/2015-cyber-risk-insights-conference-san-francisco/). Advisen provides information, analytics, research, and events for the insurance industry and reaches more than 150,000 commercial insurance and risk professionals at 8,000 organizations worldwide. There were approximately 150 attendees at the Conference from insurance companies, brokers, and consultants. The following were my observations:

- The Conference was focused on data breach, with heavy emphasis on recent large data breaches such as Anthem, Sony, Target, etc. There was generally little understanding of the unique cyber security issues of industrial and building control systems or the risk they pose to insurance companies.

- There were several presentations on cyber analytics and modeling. It was stated that Advisen has the largest cyber risk event database, but there are no control system events included (my database includes almost 400 actual control system cyber incidents). Advisen showed the penetration rate for cyber insurance for public administration, finance, wholesale/retail, and services. Except for the finance industry, the penetration rate is slowly rising. There were no industrial organizations included in the analysis. During the modeling discussion, the issue of business interference (continuity) was raised as being difficult to quantify. Yet availability (business continuity) is key for control systems.

- I was on the Operational Risk panel (next to last session) and presented control system cyber risk issues. I was asked about the general awareness at the Board level of control system cyber issues. My response was that, in general, it is still lacking.

- The last session was a critique of the live cyber incident simulation exercise performed prior to the Conference. The exercise was based on an auto manufacturer being hacked and the associated corporate response. The first slide identified the corporate organizations involved in the response; there was no initial participation from manufacturing/control systems. (See the previous item about Boards not being sensitive to control system issues.)

- I was surprised by the number of insurance companies that provide insurance to industrial organizations. Those in attendance did not seem to be aware of the unique control system cyber security issues. I was told that London appears to be more focused on insuring industrial infrastructures than the US is.

I believe the insurance industry is very important for improving control system cyber security, as it can provide both a carrot (lower premiums) and a stick (higher premiums or no coverage) to its commercial and industrial customers. Control system cyber security is both a potential revenue stream and a potential significant liability for the insurance industry. There have already been control system cyber incidents with impacts ranging from tens of millions to billions of dollars, as well as deaths. I am hoping the insurance industry will become better educated and more involved in control system cyber security.

Joe Weiss


Comments

There are at least 3 key issues which can be correlated to the symptoms of this problem:

(1) Lines of ownership and accountability are generally unclear when it comes to cyber vulnerabilities impacting the ICS infrastructure. In most companies, the CIO organization is on point for addressing cyber-related issues. They have oversight for IT systems supporting various business functions such as customer service, sales, manufacturing, supply chain, etc. So, the question really is: who is accountable for industrial infrastructure security, and do they have the authority and subject matter expertise to establish the necessary security controls for ICS? What is the governance model associated with the security model?

(2) The primary focus at the organizational level seems to be information security for IT systems. The distinction between IT and OT (operational technologies, i.e. IACS) is not well understood. Hence OT is sometimes not prioritized high enough at the decision-making levels. Infrastructure owners have to recognize that compliance does not necessarily equal protection.

(3) Control system cyber security requires an interdisciplinary approach in order to comprehend the complexities and vulnerabilities associated with ICS infrastructure. Again, the question is: are businesses investing in their workforce to ensure knowledge sharing and skills enhancement between/across the multiple disciplines of security, IT, OT, cyber, process, etc.?
