More than ever before, organizations are aware of the potential financial consequences of a cyber attack. Many people mistakenly assume that the steep, monetary burden of a cyberattack is linked exclusively to damaged digital assets, lost records, and the price of investigating and reporting a breach. While these expenses take a big hit, cyber attacks that result in physical damage can be just as damaging.
Cyberattacks that result in physical harm typically occur when a hacker gains access to a computer system that controls equipment in a manufacturing facility, refinery, power generation facility, or similar business. After the hacker gains access to an organization’s machinery, they can control that equipment to damage it or other property.
These types of events can lead to major disruptions and costly damages. To protect their physical assets, it is important for organizations to understand the types of businesses and assets exposed to these attacks.
What is the risk of cyber attacks leading to physical harm?
To better understand the types of physical losses that can occur after a breach, it is useful to compare cyber attacks with a natural disaster or other industrial accident. After these types of incidents, organizations often incur costs to repair and replace damaged equipment in addition to any lost revenue caused by the disruption.
However, unlike natural disasters, cyber attacks that lead to physical damage are not limited to a geographic location and can affect an entire network. This means that damage caused by a breach can be extensive and affect several sectors of the economy depending on the target.
Because of this, cyberattacks that cause physical damage are often dynamic and large-scale. When an attack on critical infrastructure occurs, it affects not only business owners and operators, but also suppliers, stakeholders and customers.
Who is at risk of cyber attacks resulting in physical harm?
Cyber attacks that result in physical harm – including targets, attackers, motives and means of attack – are constantly evolving. Incidents can occur in a variety of ways, including phishing, attacks on Internet exchange points, intrusions into unsecured and unencrypted devices, and even machinations by rogue employees.
When discussing these attacks, many experts cite power and energy sector organizations as the most vulnerable. However, vulnerabilities also exist in power plants, telecommunications, oil and gas, petrochemicals, mining and manufacturing, and all other sectors where industrial control systems (ICS) are used.
ICS are open computer systems used to monitor and control physical processes and streamline operations and repairs. ICS are not often designed with security as a primary consideration, making them susceptible to attack. Furthermore, for many automated processes, attacks do not even need to cause physical damage to result in significant disruption and loss.
The targets of cyber attacks that result in physical damage vary widely across industries, and the damage can be extensive due to the interconnected nature of ICSs.
Because organizations are not always required to publicly disclose cyber attacks that cause physical harm, they go largely unreported. However, the following are a number of high-profile incidents that demonstrate the importance of considering physical and infrastructural cyber exposures:
- Attack on Ukrainian power grid— This was a multi-stage attack that disconnected seven 110 kilovolt (kV) and three 35 kV substations. Together, the attack resulted in a power outage for 80,000 people and lasted for three hours. Using just one phishing scam, the attackers were able to cause significant, long-lasting disruption to the economy and the public.
- Saudi Arabia computer attacks—In these incidents, hackers destroyed thousands of computers in six organizations in the energy, manufacturing and aerospace industries. Through a simple virus aimed at stealing data, computers were wiped and bricked. Not only did this mean that important business data was lost forever, but all of the damaged computers had to be replaced – a significant charge for businesses of all sizes. This attack was similar to an attack on Saudi Aramco, the world’s largest oil company, which destroyed 35,000 computers.
- Petrochemical plant attack– This attack targeted a petrochemical plant in Saudi Arabia. The attack was unique in that it was not designed to steal data, but rather to sabotage operations and trigger an explosion. The only thing that prevented an explosion was a mistake in the attackers’ computer code. Had the attack been successful, the facility would likely have been destroyed and many employees could have died. Experts are concerned that similar attacks could be carried out worldwide.
- Ventilator attack in hospital—In this incident, a hacker was able to damage and control a hospital’s plumbing system with malware. This attack put the safety of staff, patients and medical supplies at risk, as the hacker was able to control the temperature of the facilities at will.
Attacks that cause physical damage are likely to become more common as technology advances and hackers continue to get more creative. Even more worryingly, these types of attacks not only endanger a company’s data, reputation and finances, but also human lives.
How do I protect my organization?
Insurance coverage for cyberattacks that cause physical harm is still in its infancy, and your organization may have gaps in coverage. Even if your property insurance includes coverage for physical or non-physical damage, it does not necessarily mean that you are covered from first or third party losses from cyber attacks.
The level of protection your business has depends largely on the structure of your insurance policies. As such, it is critical for companies to do their due diligence and understand whether their policies do the following:
- Limit coverage, especially for physical damage to tangible property
- Cover an attack and any damage that occurs
- Provide contingent coverage for attacks not specifically targeting the organization
While it’s important to talk to a qualified insurance advisor about your cyber risk policy options, there are a number of steps businesses can take on their own to protect their physical assets. In addition to implementing a cyber risk management plan, companies should consider doing the following to protect their data:
- Keep all software up to date.
- Back up files regularly.
- Educate employees about common cyber risks and what to do if they spot something suspicious.
- Review your exposures and speak with your insurance advisor to discuss policy options to transfer risk.
We can help.
If you would like additional information and resources, we are here to help you analyze your needs and make the right coverage decisions to protect your business from unnecessary risk. You can download a free copy of our eBook, or if you’re ready make Cyber Liability Insurance part of your insurance portfolio, Request a quote or download and get started with our Cyber & Data Breach Insurance Application then we’ll get started for you.