Protecting supply chains and industrial control systems from cyber attacks



Jenna McGrath, senior cyber economist, CyberCube

The cyber threat to supply chains and industrial control systems is growing exponentially as a result of the rapid rise in computing power. Add to this the increased use of internet of things devices and prevalence of 5G and there is the potential for something of a perfect storm of risk. Jenna McGrath, senior cyber economist at CyberCube, explains the key threat factors and how the insurance industry can respond.

Connected technologies as a tool are undoubtedly a benefit in what many now term the fourth Industrial Age. From the internet of things (IoT) to better connectivity through 5G, industries enjoy greater efficiencies, lower costs and are better placed for growth and innovation as a result of technological innovation.

But with increased reliance on technologies comes greater risk, notably business interruption from cyber attacks. On a smaller scale, these directly impact only the business concerned but the effects of cyber attacks have the potential to mushroom into something far bigger. How to protect not just our own industries but the wider community from physical damage as well as financial disruption is an important consideration.

On top of the potential threat is the recognition that some form of cyber attack is not just likely, it is inevitable. Bad actors are developing their strategies all the time. The best defence is therefore preparedness. To find out just how well the insurance industry is prepared to combat cyber attack itself, and to protect its clients, Intelligent Insurer got the inside track from Jenna McGrath, senior cyber economist at CyberCube.

This article is published ahead of the Intelligent Insurer webinar “Address Business Interruption in a Hyper-Connected World: Protecting Supply Chains and Industrial Control Systems from Cyber Attacks” on April 20, 2021.


What are the most serious threats your customers should be most focused on when it comes to understanding the level of risk they face?
One thing that stands out for me personally is the compounded risk of cyber-physical attacks—a cyber attack used as a means by which to cause physical damage—and it’s why I find the discussion around industrial control systems (ICS) and infrastructure in general so interesting.

There are historical precedents for events that would not only cause business interruption and outages due to a cyber attack, but also physical damage or disruption due to safety factors.

The issue of physical damage plus widespread outages caused by a cyber attack to critical infrastructure such as water, energy, and transportation sectors has long been a concern. The March 2021 fire at one of OVHcloud’s data centres in France offers additional insights into how we think about the aggregated impacts of potential cyber-enabled physical attack scenarios, beyond traditional critical infrastructure.

The fire (although not thought to have been caused by malicious actors) is an example of how a targeted cyber-enabled physical attack could not only disrupt private entities and government agencies’ ability to operate effectively, but could also cause longer disruptions and costly repairs due to the physical damage to servers or data centres.

Events where there can be a two-fold impact of physical damage plus long-lasting disruption due to a cyber event offer an interesting layer of complexity for how we think about cyber risks.

Where are the clearest threats from increased connectivity?
The widespread implementation of 5G will allow greater speed and connectivity not just for individuals but for large entities, cities, manufacturing sites, etc, leveraging IoT devices. For example, 5G will assist in making smart cities more obtainable, integrated, and efficient in terms of building management, transportation, and electric grid devices.

However, these additional connections are also additional entry points for cyber attackers. A particular concern would be a denial of service (DoS) attack, which could cause internet traffic to halt between the interconnections or impact the ability of devices to process requests, thus leaving devices useless.

Realistically, what avenues are open to organisations to counter cyber attacks?
A lot of best-practice mitigation options are available, plus guidance from government regulations and industry recommendations. However, a straightforward way for businesses and organisations to protect themselves against cyber threats is to accept the inevitability of some type of cyber incident occurring and plan for both short and long-term recovery.

First, deal with the immediate aftermath of identifying and containing the threat, and then work on the lengthier process of recovery.

From there, focus on best-practice mitigation strategies aimed at minimising damages in the short and long term, including being on top of regulations, standards and redundancies.

What options are open to organisations in the event of a catastrophic cyber incident impacting critical infrastructure?
In such an event, the situation will vary depending on the country and regions. In the US, for example, if the event is officially declared an act of terrorism, then the US government provides reinsurance assistance via the Terrorism Risk Insurance Act (TRIA).

However, cyber attacks often go unattributed, which would mean that private re/insurance companies would not receive any Federal TRIA assistance. As I mentioned previously, disruption, damage, and other ramifications of cyber attacks against critical infrastructure have the potential to be a compounding threat due to both the physical damage and the business interruptions/outages caused by the event.

Therefore, understanding not only the potential for catastrophic risks but also the aggregate impacts is vital.

What do you hope attendees will learn from this webinar?
I’m looking forward to participating in this webinar particularly because of the focus on how an increase in interconnectivity through the IoT impacts critical infrastructure vulnerabilities to cyber-physical attacks.

My background is in energy security policy, and much of my previous research focuses on the evolution from physical vulnerabilities (to, for example, natural disasters, system failures, or malicious attacks) to cyber-enabled and cyber-physical attacks against critical infrastructure.

The intersection of the IoT, ICS, cybersecurity, and even geopolitics for critical infrastructure is a very interesting topic and I think attendees to the webinar will come away with a new appreciation for this complicated subject.

Intelligent Insurer