Observations from Advisen Cyber Risk Conference March 3rd in San Francisco

March 8, 2015

Based on the Advisen and other meetings I have attended, there is little understanding of control system cyber security by the insurance industry. I believe the insurance industry is very important for improving control system cyber security as they can provide both carrot (lower premiums) and stick (higher premiums or no coverage) to their commercial and industrial customers. There have already been control system cyber incidents that have had tens of millions to billion dollar impacts and deaths. I am hoping the insurance industry will become better educated and more involved in control system cyber security.

On March 3rd, 2015, Advisen held their Cyber Risk Insights Conference in San Francisco (http://www.advisenltd.com/events/conferences/2015/03/03/2015-cyber-risk-insights-conference-san-francisco/). Advisen provides information, analytics, research, and events for the insurance industry and reaches more than 150,000 commercial insurance and risk professionals at 8,000 organizations worldwide. There were approximately 150 attendees at the Conference from insurance companies, brokers, and consultants. The following were my observations:

- The Conference was focused on data breach with heavy emphasis on recent large data breaches such as Anthem, Sony, Target, etc. There was generally little understanding of the unique cyber security issues of industrial and building control systems or the risk they pose to insurance companies.

- There were several presentations on cyber analytics and modelling. It was stated that Advisen has the largest cyber risk event database but there are no control systems events included (my database includes almost 400 actual control system cyber incidents). Advisen showed the penetration rate for cyber insurance for public administration, finance, wholesale/retail, and services. Except for the finance industry, the penetration rate is slowly rising. There were no industrial organizations included in the analysis. During the modeling discussion, the issue of business interference (continuity) was raised as being difficult to quantify. Yet availability (business continuity) is key for control systems.

- I was on the Operational Risk panel (next to last session) and presented control system cyber risk issues. I was asked about the general awareness of the Board level to control system cyber issues. My response was that, in general, it is still lacking.

- The last session was a critique of the live cyber incident simulation exercise performed prior to the Conference. The exercise was based on an auto manufacturer being hacked and the associated corporate response. The first slide identified the corporate organizations involved in the response – there was no initial participation from manufacturing/control systems (see last item about Boards not being sensitive to control systems issues).

- I was surprised by the number of insurance companies that provide insurance to industrial organizations. Those in attendance did not seem to be aware of the unique control system cyber security issues. I was told that London appears to be more focused on insuring industrial infrastructures than the US.

I believe the insurance industry is very important for improving control system cyber security as they can provide both carrot (lower premiums) and stick (higher premiums or no coverage) to their commercial and industrial customers. Control system cyber security is both a potential revenue stream and a potential significant liability to the insurance industry. There have already been control system cyber incidents that have had tens of millions to billion dollar impacts and deaths. I am hoping the insurance industry will become better educated and more involved in control system cyber security.

Joe Weiss
