Assessing ICS cyber risk and role of insurance in the escalating threat landscape

Over the past two years, the cyber insurance landscape has undergone several significant changes, most of which have resulted due to ransomware threats and assaults. Insurance policies have also been identified as an increasingly important weapon in the risk management arsenal of organizations, providing a crucial hedge against risks that defy routine assessment, planning, and mitigation tactics. The explosive growth of ransomware, combined with sophisticated, well-funded attacks leveraging critical zero-day exploits, has made insurance a must-have component of any mature cyber risk management strategy.

A December report from Corvus Insurance revealed that fraudulent funds transfer (FFT) claims reached an all-time high, making up 36 percent of the company’s cyber claims in the third quarter of last year. FFT is defined as an attack in which hackers use social engineering tactics to trick employees or vendors into transferring funds to the wrong accounts. It also found that FFT and ransomware are the top drivers of cyber loss in 2022, accounting for over 50 percent of all claims combined.

The importance of implementing the necessary resiliency measures was underscored in December by Mario Greco, chief executive at insurer Zurich, who warned that cyber attacks, rather than natural catastrophes, will become ‘uninsurable’ as the disruption from hacks continues to grow. “Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn,” he added.

Cyber insurance has also faced legal challenges. Last December, the Ohio Supreme Court unanimously overruled a judgment of the Ohio Second District Court of Appeals, holding that there must be ‘direct’ physical loss of or physical damage to the company’s computer software for the insurance policy to provide coverage. The Supreme Court affirmed the trial court’s grant of summary judgment in favor of Owners Insurance Co. on EMOI Services LLC’s claim of breach of contract and bad-faith denial of insurance coverage after a ransomware attack on EMOI’s computer software systems, holding that Owners was not responsible for covering the loss at issue.

At issue was whether the business owners insurance policy issued by Owners (the appellant) to EMOI covered losses suffered by EMOI when it became the target of a ransomware attack. The trial court granted summary judgment to Owners. The court of appeals reversed, concluding that genuine issues of material fact precluded summary judgment. The Supreme Court reversed, holding that Owners did not breach its contract with EMOI because the pertinent insurance policy did not cover the type of loss EMOI experienced.

Last August, Lloyd’s of London announced that from 2023 all its insurer groups will have to exclude ‘catastrophic’ state-backed attacks from their cyber insurance policies, pushing industrial asset owners and operators to step up their cybersecurity defenses. The company explained that cyber-attack risks involving state actors have additional features that require consideration, which is why the exclusions are being introduced.

Industrial Cyber contacted cyber insurance experts to rate the sustainability of the current norms of cyber insurance in the evolving ICS (industrial control system) threat landscape. They also evaluated the level of preparedness of organizations, especially those in the critical infrastructure sector, to deal with escalating cyber risks.

Jose Seara, founder and CEO at DeNexus

“The preparedness of different critical infrastructure sectors varies. The medium and large electric utilities are in a better position to identify, assess and manage escalating cyber risks as they had a head-start due to better funding or regulations such as NIS or NERC CIP that accelerated ICS/OT cybersecurity adoption,” Jose Seara, founder and CEO at DeNexus, told Industrial Cyber. “It is the small and medium critical infrastructure organizations or other sectors without cybersecurity regulations like water/waste/transportation that are beginning their cybersecurity journey later that are generally less prepared today.”

Cybersecurity is a journey that takes years to progress, to incrementally build the program, identify and mitigate the top risks, implement technologies, change mindsets, and improve cybersecurity posture and maturity, Seara points out. Every company, industry, region, and vertical is different.

Regarding ‘current norms of cyber insurance,’ Seara said that he did not think that such a thing really exists. “There is no normalization of products, terms and conditions, due to the immaturity of the space and the lack of data to achieve that normalization.”

The current standard across the cyber insurance industry is to rely mostly on outside data and a variety of manual questionnaires (a form of non-evidence-based inside data) to understand the risks of their portfolios, according to Seara. “This approach is not sustainable, nor reliable, as the reporting is manual, dated, cyber incidents are under-reported, and details are lacking such as safeguards in place. For cyber insurance to evolve and be sustainable, it must be driven by trusted data that is automated, trustworthy, and timely. From this foundation, leaders can make faster, more effective, and accurate decisions about their cyber risks,” he added.

Gerry Kennedy, CEO at Observatory Strategic Management

“The sustainability of cyber insurance and more is going to be determined by the resilience of the organizations that are going to seek coverage out. Insurance carriers are already mandating things like 2FA & MFA,” Gerry Kennedy, CEO at Observatory Strategic Management, told Industrial Cyber. “The mitigating techniques like 2FA are now being compromised and we have to adjust to the risks. The elevation of duty of care will be changing through the course of coverage as the threats continually change and carriers need to be proactive too.”

Kennedy highlighted that the carriers are beginning to rate their risk on factors of governance (i.e., how do you stand up to regulatory scrutiny like GDPR and state reporting requirements), cyber hygiene at an enterprise level (i.e., credential management and exposure on the Dark Web), entropy (i.e., use of single sign-on, password management, decentralization of data, and employee and third-party access), cloud knowledge (i.e., how aware are the prospective insureds of the cloud liabilities they carry as users, both to their enterprise and to their clients?), and training not only for employees but for boards of directors and vendors.

“How prepared are the organizations? Preparation varies wildly from none to OT security maturity. No one is safe and the insurance industry knows that,” Kennedy weighs in. “In order to insure even outside of ‘cyber insurance,’ the preparation on a pre-loss basis has already elevated past things like 2FA and basic employee training. The post-loss readiness will need to be ‘known’ prior to binding even for property insurance due to covered kinetic concurrent causations like fires.”

The insurance industry is grasping the ubiquity of IT and OT infiltration and exfiltration and most importantly, their concurrent causations, Kennedy added.

The threats and vulnerabilities are evidently closing in on ICS infrastructure, as the Red Balloon reveal and the Dragos disclosure show. The experts analyze how they would assess the risk to OT and ICS environments in the face of such rising threat instances. They also provide three critical measures that OT and ICS environments must immediately adopt to reduce risk and exposure.

Seara said that we should first recognize that most ICS/OT systems in production today were designed and developed 10-20 years ago. “It was a different era of code development, without the secure coding practices or bug-finding tools of today. Vulnerabilities in code developed 20 years ago are not hard to find; there is a steady increase in vulnerability disclosure but many are legacy technologies, or there is simply an increased number of ICS/OT researchers looking for them,” he added.

“In most organizations, how they select, design, and maintain their ICS infrastructure has a lot of room for improvement,” Seara underlines. “Even newly deployed ICS/SCADA systems include compatibility features or design provisions that could make them vulnerable. Cybersecurity engineering and analysis go hand in hand with ICS/OT system design and maintenance.”

Seara also added that many ICS/OT vendors have achieved certification of their development processes, systems, and components with ISASecure, but the industry still chooses the lowest price over certified products that are supposed to be more secure and encounter fewer vulnerabilities in the future. “This should help reduce the long-term cybersecurity operating costs, with fewer urgent patching events, and reduced compensating controls to mitigate vulnerabilities.”

“We feel the rate of vulnerability discovery and disclosure will continue to increase year-over-year until a mindset and step-change occur in the industry. It begins with changing the selection, cybersecurity design, and cybersecurity maintenance of ICS infrastructure,” according to Seara. “Recognizing the value of certified products, increased front-end cybersecurity engineering, and increased cybersecurity scrutiny in the daily maintenance and operations of ICS infrastructure. This will improve cybersecurity controls implemented, but also improve decision-making because cybersecurity is a greater part of the culture and infrastructure.”

Seara feels that the top three things which can help OT and ICS environments to reduce risk and exposure are visibility, access control and identity management, and risk-based management. On visibility, he called for a strong understanding of the most critical/impactful parts of the ICS infrastructure, its cyber assets, and their dependencies throughout. Ransomware has revealed a lot of surprises in ICS/OT dependencies and impacts on the corporate network and third parties.

Coming to access control and identity management, Seara suggests raising the minimum standard for the electronic security perimeter (ESP) that protects the ICS infrastructure, including remote access, file transfers, the management of portable USB devices, and the regular scrutiny of communications and rules through firewalls. These are the conduits through which threats get into ICS infrastructure.

Moving over to risk-based management, Seara proposed employing tools and resources that help to automate the cyber risk assessments using trusted evidence-based data, so it is not a yearly manual exercise performed by a third party, but a weekly one that is led by the risk owners themselves.

Joe Weiss, Managing Partner at Applied Control Solutions

Industrial Cybersecurity expert Joe Weiss said that ICS infrastructures are becoming more complex with more communication capabilities leading to larger cyber threat spaces. “The Red Balloon Reveal and the Dragos disclosure illustrate those capabilities can, or have been, exploited. Previous sophisticated attacks have bypassed cyber security functions. Some of these OT/ICS vulnerabilities also can be exploited by the lack of cyber security expertise from those operating and maintaining the control systems.”

The three critical measures Weiss laid down are that engineering and network security staff and management need to work together; that control system cyber training is necessary for all levels of the organization, with the technical staff needing the deepest technical dive; and that compensating controls must be developed where good cyber hygiene is not sufficient.

Kennedy said that assessment starts with ‘knowing’ what you have as OT assets, down to the model number and serial number. The next step, he added, is “identifying what task(s) each of those assets connected or otherwise performs for the enterprise. Supply chain issues come into play here as suppliers’ same OT liabilities can be catastrophic to you.”

“Setting a map of your most critical devices and knowing what your Possible Maximum Loss (PML) is for each identified asset. This is exactly how insurance rates are set for property insurance,” Kennedy added. “Knowing how to react to these PML exposures requires testing too.”

The three critical measures that Kennedy prescribes for OT and ICS environments when it comes to reducing risk and exposure, include knowing what you have to begin with, knowing where it is and what it does, and not believing “what your vendors are telling you as gospel. Talk to them openly about your concerns. Let them know you will hold them accountable both financially and legally if they fail to do so. Dialogue is cheaper than lawyers.”

With the evolution of ‘cross-industry disruptive/destructive ICS/OT capability,’ the experts dive into the impact on cyber insurance for OT and ICS environments, as such capabilities are developed with the intent and motivation to access, manipulate, and disrupt OT environments and processes. They also chart how insurers will evaluate the potential damage from such disruptive and destructive attacks.

“The major impact on cyber insurance will be, hands down, heightened accumulation risk. Which in turn will present many challenges around how to measure the accumulation exposure and its knock-on effects to insurers’ ability to assume that risk,” Seara said. “Visibility into cyber risk accumulation is complicated and requires not just the traditional top-down approach, but the more granular bottom-up approach already present in second-generation cyber risk quantification models.”

Using Pipedream malware as an example, Seara said that there will be a need to understand three levels of accumulation exposure. These include industrial company level with accumulation between the entity’s multiple operating assets (i.e., single owner/multi assets); industry level where there exists accumulation between the industrial companies operating within the industry (i.e., multi-owner/multi assets); and multi-industry level with accumulation between multi owners/multi assets across multi industries.

“It also increases the importance of having inside-out data in near or real-time, along with the outside-in data, to gain true visibility of the accumulation exposure,” Seara points out. “Otherwise, insurers will have difficulty in appropriately calculating capital requirements to assume the risk as well as potential problems with claims determination. Unknown accumulation usually results in pricing increases and reductions in available risk transfer capacity.”
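To make the per-asset PML figures Kennedy describes and the three accumulation levels Seara lists concrete, here is an added worked example (not code from the article or from either company) that sums the PML of every asset running an affected device family at the owner, industry and cross-industry levels. The portfolio, the device-family names and the PML values are constructed sample data, and the way a shared capability maps to exposed assets (by device family) is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample portfolio (not real insureds): each asset has an owner,
# the owner's industry, the device family it runs, and the Possible Maximum
# Loss (PML) in USD that the risk owner assigned to that asset.
PORTFOLIO = [
    {"owner": "Utility-A",  "industry": "electric", "device": "plc-vendor-x", "pml": 4_000_000},
    {"owner": "Utility-A",  "industry": "electric", "device": "hmi-vendor-y", "pml": 1_500_000},
    {"owner": "Utility-B",  "industry": "electric", "device": "plc-vendor-x", "pml": 2_500_000},
    {"owner": "Water-C",    "industry": "water",    "device": "plc-vendor-x", "pml":   900_000},
    {"owner": "Water-C",    "industry": "water",    "device": "rtu-vendor-z", "pml":   600_000},
    {"owner": "Refinery-D", "industry": "oil_gas",  "device": "plc-vendor-x", "pml": 7_000_000},
    {"owner": "Refinery-D", "industry": "oil_gas",  "device": "hmi-vendor-y", "pml": 2_000_000},
]


def accumulation(portfolio, affected_devices):
    """Sum the PML of every asset whose device family is in `affected_devices`
    at three levels: per owner (single owner / multi asset), per industry
    (multi owner / multi asset) and across all industries (multi owner /
    multi asset / multi industry). A cross-industry capability such as the
    one described in the article exposes assets of the same family regardless
    of who owns them, which is what makes the upper levels accumulate."""
    exposed = [a for a in portfolio if a["device"] in affected_devices]
    by_owner = defaultdict(int)
    by_industry = defaultdict(int)
    for asset in exposed:
        by_owner[asset["owner"]] += asset["pml"]
        by_industry[asset["industry"]] += asset["pml"]
    return {
        "owner": dict(by_owner),
        "industry": dict(by_industry),
        "cross_industry": sum(by_industry.values()),
    }


def share_of_book(portfolio, affected_devices):
    """Fraction of the whole portfolio's PML concentrated in the affected
    device families: the accumulation signal an underwriter would track when
    deciding how much capacity to offer."""
    total = sum(a["pml"] for a in portfolio)
    return accumulation(portfolio, affected_devices)["cross_industry"] / total


if __name__ == "__main__":
    affected = {"plc-vendor-x"}  # constructed: the family a capability targets
    for level, value in accumulation(PORTFOLIO, affected).items():
        print(level, value)
    print(f"share of book exposed: {share_of_book(PORTFOLIO, affected):.1%}")
```

Adding a second device family to `affected` shows how quickly the cross-industry figure approaches the whole book, which is the capacity problem Seara refers to.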

“What you are speaking to is finally becoming known to the masses. The impact will be underwriters requiring information as to how you handle Third Party risk. The fact we rely on our vendors/suppliers to operate any enterprise has brought forth the need to assess your ‘Third Party Risk,’” Kennedy said.

“We at Observatory coined the term ‘Community Risk,’ as your vendors need to work with you and communicate their known risks with you and others in an open forum to elevate everyone’s duty of care,” according to Kennedy. “This level of reasonable care will allow for early warnings amongst your ‘community’ without the fear of legal reprisal. Proactivity and reporting are key to the insurance underwriter and their claims counterpart. These interactions will be very positive and affect the coverage outcomes. The truth in OT liabilities truly does set you free.”

It has been reported that HardBit ransomware attackers were trying to negotiate a ransom payment that would be covered by the victim’s insurance company. Deploying the latest version of the ransomware, the threat actor tries to convince the victim that it is in their interest to disclose all insurance details, so that the demand can be adjusted to an amount the insurer would cover in full.

The executives address the potential implications of such tactics on the cybersecurity posture of the OT/ICS industry.

“Not the first time that we hear about this approach. The tactic of linking ransom demands to cyber insurance terms is not an unexpected development,” Seara said. “This is likely to increase the need for a more holistic approach and greater alignment of cooperation between the various parties along the cyber risk value chain (e.g., risk owners, technology providers, MSSPs, and the risk transfer market).”

“Another development could be insurers taking more stringent action on access to insurance policy terms, which could get extreme where releasing policy details will void it,” Seara said. “If such a situation should arise, the insured will feel repercussions on not just its cyber policy, but all types of policies it purchases from the insurance market – quite a conundrum.”

Kennedy says it is very important not to do what the attackers are asking, pointing out that every policy has a ‘Loss Provisions’ section that lays out what one is to do at the time of a loss. “You must report the loss on a timely basis as there are penalties called time barring requirements called Knowledge of Occurrence and Notice of Occurrence,” he added.

“If you preclude the adjustment process by doing what these hackers are threatening, the insurance carrier can deny your coverage because you undertook adjustment of the claim without the carrier’s knowledge,” according to Kennedy. “People need to understand that these provisions are in place to maintain the continuity of coverage and let the insurance carrier who has the checkbook do their job. There is no DIY in insurance claims! It will cost you,” he concluded.