Stephen Wares
Cyber Risk Practice Leader EMEA
Marsh
Cyber Risk
Are criminals and terrorists a threat to supply security?
MARSH 21 April 2023

What is cyber risk?
• We should exchange the word cyber for IT, then:
• ISO – The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.
• The four components of that definition: Threat, Vulnerability, Asset, Harm.
Threats
Who might be a threat to the Power Industry

Criminal
• Symantec estimated the direct cost of cyber crime in 24 countries to be $114 billion.
  – Personal information
  – Credit/debit card information
  – Held funds
  – Intellectual property
  – Confidential corporate data

Hacktivist
• The world's largest hosting provider of secure websites suffered major outages in September 2012, taking potentially millions of sites down with it. A member associated with the Anonymous collective claimed responsibility.
  – Public support for a cause
  – Direct impact of core activity
  – Corporate or industry-wide scandal
  – Top corporate brand target
Cyber Risk Landscape

Terrorist
• “In all my years on the Homeland Security Committee, I cannot think of another issue where the vulnerability is greater and we've done less” – Senator Collins
  – Disruption to critical infrastructure
  – Economic impact
  – Loss of life
  – Damage to property

State Sponsored
• In May 2013 it was reported that US intelligence agencies traced the compromise of a National Inventory of Dams to a foreign government or military operatives, raising concerns of a future attack against the national electrical power grid.
  – Disruption to critical infrastructure
  – Economic impact
  – Loss of life
  – Espionage
Who might be a threat to the power industry

Malice
• After analysing the software code from the Aramco attack, security experts say that the event involved a company insider, or insiders, with privileged access to Aramco’s network. The virus could have been carried on a USB memory stick that was inserted into a PC.
  – Disgruntled employee/customer
  – Proof of ability
  – Untargeted malicious code
  – Random selection

Threat Environment - US Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team
[Chart on the original slide; only the figure “17%” survives extraction.]
Vulnerabilities
Why vulnerabilities occur
• Increased availability of hacker tools, and a decrease in the technical knowledge needed to use them.
• According to the US State Department, 80% of attacks leverage known vulnerabilities and weak configuration settings.
• Control systems were originally designed for a standalone communication network, but have subsequently been connected to the internet.
• Increased remote control, including connecting or disconnecting customers and pushing firmware upgrades to customer Advanced Metering Infrastructure (AMI).
• The digitisation of power grids creates an aggregation vulnerability that could span networks and geographies: one flaw, or one compromised vendor, can affect many sites at once.
• According to ICS-CERT research in 2012, 171 unique vulnerabilities affecting 55 different ICS vendors were found.
Specific example vulnerabilities
• When Trend Micro set up a honeypot replicating the ICS of a water pumping system, 17 of the attacks monitored would have been considered “catastrophic”.
• According to IOActive, resold field devices (RTUs, PLCs) can be reverse engineered to give up historical data, including the control system network and its layout, that would be useful to an attacker.
• A virus infection introduced to a turbine control system via a USB drive used for a software upgrade was reported to ICS-CERT in October 2012. The virus caused downtime for the impacted systems and delayed the plant restart by approximately three weeks.
• Hard-coded accounts discovered in May 2013 acting as backdoors into devices from a German industrial automation manufacturer.
• Researchers using the search engine Shodan were able to identify a number of internet-connected control systems, including command and control systems for power grids and nuclear power plants.
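The Shodan finding above is, at bottom, a banner grab: an exposed device answers an unauthenticated Modbus/TCP query with its vendor, product and firmware revision. The following Python script is added here as an illustration and is not part of the original presentation. It builds a Modbus/TCP Read Device Identification request (function code 43, MEI type 14, as defined in the public Modbus specification), parses the reply, and rejects malformed frames and Modbus exception responses rather than misreading them as device data. The vendor, product and revision strings in `sample_response()` are constructed for the example; `probe()` performs the live exchange and should only be pointed at equipment you are authorised to test.

```python
"""Modbus/TCP 'Read Device Identification' probe (function code 43, MEI type 14).

Added example, not from the original presentation. The framing follows the
public Modbus specification; the identification strings in the sample reply
are constructed for this example, not captured from a real device.
Run the live probe only against hosts you are authorised to test.
"""
import socket
import struct

MODBUS_PORT = 502
FC_ENCAPSULATED = 0x2B         # function code 43: Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E      # MEI type 14: Read Device Identification
READ_DEVICE_ID_BASIC = 0x01    # basic stream: VendorName, ProductCode, MajorMinorRevision
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_request(transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """Return a complete MBAP + PDU frame asking for the basic identification objects."""
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, READ_DEVICE_ID_BASIC, 0x00])
    # MBAP length counts the unit id plus the PDU; protocol id 0 means Modbus.
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_response(frame: bytes) -> dict:
    """Decode a Read Device Identification reply into {object name: value}.

    Raises ValueError for malformed frames and for Modbus exception responses,
    so a caller never mistakes an error or a truncated packet for device data.
    """
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, protocol_id, length, _unit = MBAP.unpack(frame[:MBAP.size])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(frame) - 6}")
    pdu = frame[MBAP.size:]
    if pdu[0] == FC_ENCAPSULATED | 0x80:
        code = pdu[1] if len(pdu) > 1 else None
        raise ValueError(f"Modbus exception response, code {code}")
    if pdu[0] != FC_ENCAPSULATED or len(pdu) < 7 or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # pdu[2] read code, pdu[3] conformity level, pdu[4] more-follows flag,
    # pdu[5] next object id, pdu[6] number of objects that follow.
    objects, pos = {}, 7
    for _ in range(pdu[6]):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2 : pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object length runs past end of frame")
        name = OBJECT_NAMES.get(obj_id, f"Object{obj_id:#04x}")
        objects[name] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return objects


def probe(host: str, port: int = MODBUS_PORT, unit_id: int = 1, timeout: float = 3.0) -> dict:
    """Send the request to a live device and parse its reply (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(unit_id=unit_id))
        header = sock.recv(MBAP.size)
        if len(header) < MBAP.size:
            raise ValueError("short MBAP header")
        remaining = struct.unpack(">H", header[4:6])[0] - 1  # bytes after the unit id
        body = b""
        while len(body) < remaining:
            chunk = sock.recv(remaining - len(body))
            if not chunk:
                raise ValueError("connection closed mid-frame")
            body += chunk
        return parse_response(header + body)


def sample_response() -> bytes:
    """Constructed reply from a hypothetical PLC (example data, not a real capture)."""
    objects = b"".join(
        bytes([oid, len(val)]) + val
        for oid, val in [(0x00, b"ExampleVendor"), (0x01, b"PLC-100"), (0x02, b"v2.1")]
    )
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, READ_DEVICE_ID_BASIC,
                 0x01, 0x00, 0x00, 3]) + objects
    return MBAP.pack(1, 0, len(pdu) + 1, 1) + pdu


def sample_exception_response() -> bytes:
    """Constructed exception reply: function 43 rejected with code 1 (illegal function)."""
    pdu = bytes([FC_ENCAPSULATED | 0x80, 0x01])
    return MBAP.pack(1, 0, len(pdu) + 1, 1) + pdu


if __name__ == "__main__":
    print(parse_response(sample_response()))
    # print(probe("192.0.2.10"))  # live probe against a host you control
```

Anything that can complete this exchange from the internet can inventory the device the same way, which is why the defensive check is simply whether TCP/502 on a controller answers from outside the plant network at all; the identification objects merely tell the attacker which vendor advisories to read next.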
Assets
Assets at risk
Harm
Harm - Impacts & Loss

Loss:
• IT forensic costs
• Network remediation costs
• Data remediation costs
• Crisis management PR costs
• Increased cost of working
• Legal fees - advice
• Breach notification costs
• Credit monitoring costs
• ID theft remediation costs
• Third party compensation
• Litigation costs - defence
• Litigation costs - pursuit
• Criminal action defence costs
• Criminal fine
• Civil regulatory fine
• Contractual fine/penalty
• Loss of licence to trade
• Loss of revenue
• Physical asset replacement cost
• Loss of shareholder value
• Loss of funds
• Additional debt to third parties
• Lost opportunity
• Extortion demand cost
• Extortion expert costs
• Clean up cost

Impacts:
• Data is altered
• IT network interruption
• Partial IT network interruption
• Damage to digital assets
• Damage to digital assets - third party
• Damage to network equipment
• Damage to a non-IT physical asset
• Bodily injury
• Electronic content that is harmful to an individual
• Theft of IT resources
• Use of IT resources in a hacking event
• Transmission of malicious code to a third party
• Theft of own funds
• Theft of third party funds
• Theft of intellectual property
• Assets transferred without payment
• Compromise of commercially sensitive material - own
• Compromise of commercially sensitive material - third party
• Compromise of personally identifiable information - data owner
• Compromise of personally identifiable information - data processor
• Valid threat of harm
• Environmental damage
Possible Harm?
• Bodily Injury/Death
• Business Interruption Loss
• Forensic investigation
• Asset replacement cost
• Contractual liability
• Increased cost of working
Insurance
Typical Electronic Data Exclusion
• This Policy does not insure loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever (including but not limited to COMPUTER VIRUS) or loss of use, reduction in functionality, cost, expense of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss.
• ELECTRONIC DATA means facts, concepts and information converted to a form useable for communications, interpretation or processing by electronic and electromechanical data processing or electronically controlled equipment and includes programmes, software, and other coded instructions for the processing and manipulation of data or the direction and manipulation of such equipment.
• COMPUTER VIRUS means a set of corrupting, harmful or otherwise unauthorised instructions or code including a set of maliciously introduced unauthorised instructions or code, programmatic or otherwise, that propagate themselves through a computer system or network of whatsoever nature. COMPUTER VIRUS includes but is not limited to ‘Trojan Horses’, ‘worms’ and ‘time or logic bombs’.
• However, in the event that a peril listed below results from any of the matters described above, this Policy, subject to all its terms, conditions and exclusions will cover physical damage occurring during the Policy period to property insured by this Policy directly caused by such listed peril.
• Listed Perils: Fire, Explosion
The Cyber Insurance Market
• Network security liability: Liability to a third party as a result of certain events, such as your network's participation in denial of service attacks or transmission of viruses to third-party computers and systems.
• Data privacy liability: Liability to a third party as a result of the unauthorized disclosure of personally identifiable information.
• Crisis management fund: Expenses incurred to respond to a breach event.
• Cyber extortion: A genuine threat to the computer network or data leading to payment of expert costs and a ransom.
• Network business interruption: The interruption or suspension of computer systems results in:
  – your loss of income
  – extra expense incurred to mitigate an income loss
  resulting from:
  – a network security breach
  – a network failure
Conclusion
• There is strong evidence that security vulnerabilities exist within power generation and transmission.
• The drive for connectivity must be balanced against, and must acknowledge, the additional risk that it creates.
• The cost of an event within a power generation facility or transmission network could be significant, while conventional insurance coverage for it is limited by exclusions such as the one above.
• The standalone cyber insurance market is not currently well enough developed to take on the entirety of the risk.
This PowerPoint™ presentation is based on sources we believe reliable and should be understood to be general risk management and insurance information only.
Registered in England Number: 1507274, Registered Office: 1 Tower Place West, Tower Place, London EC3R 5BU
In the United Kingdom, Marsh Ltd is authorised and regulated by the Financial Conduct Authority for insurance mediation activities only.
Marsh Ltd conducts its general insurance activities on terms that are set out in the document "Our Business Principles and Practices". This may be viewed on our website http://www.marsh.co.uk/aboutMarsh/principles.html
© Copyright 2012 Marsh Ltd All rights reserved