Traditionally, cyber-attacks have been aimed at the theft or compromise of data and information, the disruption of computer systems, and financial gain through ransomware. This has been true whether the attacker has been a rogue employee, a hacker or a nation-state. Similarly, the resulting loss and harm has been financial in nature – payment of ransom; consequential lost income; the cost of breach response and notification; liability to clients plus defense costs; regulatory fines and penalties; etc.
Cyber insurance has grown up against this threat background, with coverage developing to address each of these direct financial costs and consequences of an attack on computer security. This cyber coverage has been, and continues to be, a satisfactory solution for these traditional costs of a cyber-attack. In the meantime, cyber policies generally exclude property damage and bodily injury, often on the argument that other insurance policies should provide specific coverage.
Operational and control risks
However, as we become more interconnected, operational technologies (which previously were isolated systems) are increasingly connected to and part of broader information networks and technologies. As a result, attackers who gain access to those systems can take control of the physical assets, with the potential to cause property damage and bodily injury.
For example, consider the onset of Positive Train Control (PTC) in the rail industry. PTC is a system of functional requirements for monitoring and controlling train movements – the goal is to improve the safety of train traffic by only permitting movement if there is a positive permission; in the absence of that positive permission, the movement is halted. This system has been designed to prevent rail collisions, but a cyber-attack could cause the system to fail, resulting in property damage to the train and surrounding infrastructure, with bodily injury to passengers and others nearby.
This use of and reliance on operational technologies exists in many other areas of our economy too – including manufacturing, utilities (power, water, etc.), heavy industry and critical infrastructure. Supervisory Control and Data Acquisition (SCADA) systems and other Industrial Control Systems (ICS) are used to monitor and control key processes related to electrical power grids, water distribution, wastewater collection systems, oil and LNG pipelines, railway transportation systems, manufacturing plants, and refineries.
Attacks are made on SCADA and ICS not just through brute force and insiders, but also through advanced persistent threats, spear phishing, SQL injection, distributed denial of service, and social engineering attacks.
In each case, unauthorized access to those systems opens up the threat and possibility of outside interference in and control of those systems, resulting in not only data breach but actual physical damage and bodily injury as those systems are directed (or simply allowed) to run contrary to their intended (and safe) design and operation.
In practical terms, the attackers gain access to the organization's control systems and, unfortunately, there is now a public trail of such events, including: