Page 1: TITLE

ANKURA CONSULTING
PRIVILEGED AND CONFIDENTIAL

JULY 17, 2017

Risk Management Considerations Around Cybersecurity of Industrial Control Systems

Page 2: CYBERSECURITY: NATURE OF THE RISK AND OPPORTUNITY

UBIQUITOUS, PERVASIVE BOARDROOM RISK TO THE ENTERPRISE
• All sectors
• All geographies
• All companies

AN ERM ISSUE, NOT A TECHNICAL ISSUE
• Organizations should plan/budget as if they will be hacked
• Poorly prepared firms will suffer - valuation, reputation, legal and regulatory
• Preparation and response capacity sets resilient clients apart

RESILIENCE – NOT JUST PREVENTION – IS THE RATIONAL OBJECTIVE

SPENDING RANGE
• 3-5% of annual CapEx budget
• 5-15% of annual IT budget

Page 3: CYBERSECURITY ENVIRONMENT

MARKET CONDITIONS
• Cyber crime costs $400 billion annually – Lloyd’s ($2-3 trillion by 2020 – Juniper)
• Up 24% in 2016 from 2015 (FBI)
• Top 5 risk likelihood – 2017 World Economic Forum
• Rating agencies considering adding cyber-maturity, risk accumulation to ratings
• Cybersecurity is a dominant risk for CEOs; 70% view it as a major threat
• $3 trillion in market value destroyed in 2015
• Cyber insurance uptake is growing globally 21% annually
• $2.5 billion in written cyber premiums in 2016
• Key driver to D&O coverage
• 40% of companies rate cybersecurity risk management capacity as “non-existent” or “ad hoc”
• Only 24% at “mature” stage
• Slightly over 1/3 have a data breach response plan
• Only 60% have resources to comply with security regulations
• Imposition of cybersecurity regulations is increasing
• 1.5 million InfoSec job shortage by 2019

Page 4: CYBERSECURITY THREAT LANDSCAPE - GENERAL

[Figure: ©Ponemon Institute]

Page 5: CYBERSECURITY THREAT LANDSCAPE – 290 REPORTED 2016 ICS ATTACKS

[Figure: ©NCCIC/ICS-CERT Year in Review F/Y 2016]

Page 6: CYBERSECURITY THREAT LANDSCAPE – LEVEL OF ICS INTRUSION

Page 7: CYBERSECURITY RISK IN THE “IIOT” – OVER 7 BILLION DEVICES BY 2020

[Figure: ©Applied Control Solutions, LLC]

Page 8: POTENTIAL TARGETS

Page 9: HAVE WE MOVED FROM “POSSIBLE” TO “PLAUSIBLE” TO “PROBABLE”?

[Figure: ©Cyxtera Technologies]

Page 10: SAN BRUNO PIPELINE EXPLOSION – CASE DISCUSSION

THE CAUSE (NTSB):
• This was an intentional, non-malicious “cyber” event on ICS.
• PG&E scheduled maintenance of its uninterruptible power supply (UPS) system at its Milpitas Terminal, 39 miles from the accident site, on September 9, 2010.
• When engineers replaced the UPS to the SCADA system:
  • Instead of supplying regular output of 24 volts, the UPS supplied 7 volts to the SCADA system.
  • This anomaly caused a low voltage level alarm signal to a valve on Line 132, moving the regulating valve to the “fully opened” position and increasing the pressure on Line 132 to 386 pounds per square inch gauge (psig).
  • The pneumatically-activated over-protection valve maintained pressure at 386 psig.
  • At 5:45 PM SCADA showed pressure exceeded 375 psig, increasing to 390 psig at 6:00 PM.
  • The 60-year-old 30” pipe exploded before the safety settings were reached; the NTSB findings attributed this to poor maintenance.
  • Between 6:00 PM and 6:09 PM SCADA showed that pressure dropped to 386… 361… 290 psig, consistent with the results of the explosion.
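The San Bruno chain of events above is a control-power fault that the SCADA system itself misread as a valve command. The following is an added example, not part of the Ankura deck or the NTSB report, of the kind of independent plausibility monitor a defender would run beside SCADA: one check on the control-power supply, one on the process variable, and an escalation when a pressure excursion coincides with degraded control power. The 24 V nominal, 7 V observed, 375 psig and 390 psig figures and the 386/361/290 psig decline come from the slide; the intermediate timestamps, the ±10% voltage tolerance band and the choice of 375 psig as the watch threshold are constructed assumptions for illustration.

```python
"""Independent plausibility monitor for SCADA control-power and line-pressure telemetry.

Added example (not from the Ankura deck or the NTSB report). The 24 V / 7 V,
375 / 390 psig and 386 / 361 / 290 psig values follow the San Bruno case
discussion; the timestamps in between, the 10% voltage tolerance band and the
375 psig watch threshold are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

NOMINAL_UPS_VOLTS = 24.0     # from the slide: regular UPS output to SCADA
VOLT_TOLERANCE = 0.10        # assumption: +/-10% of nominal counts as healthy
PRESSURE_WATCH_PSIG = 375.0  # from the slide: level SCADA showed exceeded at 5:45 PM


@dataclass(frozen=True)
class Sample:
    time: str          # HH:MM wall clock (constructed)
    ups_volts: float   # control-power supply reading at the SCADA system
    line_psig: float   # Line 132 pressure reading


@dataclass(frozen=True)
class Alert:
    time: str
    kind: str          # "control_power", "pressure" or "correlated"
    detail: str


def check_control_power(s: Sample) -> Optional[Alert]:
    """Flag a SCADA supply voltage outside the tolerance band around nominal."""
    low = NOMINAL_UPS_VOLTS * (1 - VOLT_TOLERANCE)
    high = NOMINAL_UPS_VOLTS * (1 + VOLT_TOLERANCE)
    if low <= s.ups_volts <= high:
        return None
    return Alert(s.time, "control_power",
                 f"UPS output {s.ups_volts:.1f} V outside {low:.1f}-{high:.1f} V band")


def check_pressure(s: Sample) -> Optional[Alert]:
    """Flag line pressure above the watch level, independently of SCADA's own alarm."""
    if s.line_psig <= PRESSURE_WATCH_PSIG:
        return None
    return Alert(s.time, "pressure",
                 f"Line 132 at {s.line_psig:.0f} psig exceeds "
                 f"{PRESSURE_WATCH_PSIG:.0f} psig watch level")


def monitor(samples: List[Sample]) -> List[Alert]:
    """Run both checks over a telemetry stream and escalate when they coincide.

    A pressure excursion while control power is already degraded is reported
    once more as a "correlated" alert: the SCADA-side alarm and setpoint
    behaviour can no longer be trusted, so a person must verify the valve
    state instead of waiting for the automated safety setting.
    """
    alerts: List[Alert] = []
    power_degraded = False
    pressure_escalated = False
    for s in samples:
        cp = check_control_power(s)
        if cp is not None:
            if not power_degraded:      # report the transition once, not every sample
                alerts.append(cp)
            power_degraded = True
        else:
            power_degraded = False
        pr = check_pressure(s)
        if pr is not None:
            alerts.append(pr)
            if power_degraded and not pressure_escalated:
                alerts.append(Alert(s.time, "correlated",
                                    "pressure excursion during degraded control power; "
                                    "verify Line 132 regulating valve position manually"))
                pressure_escalated = True
    return alerts


# Constructed telemetry following the slide's timeline: the UPS swap drops the
# supply to 7 V, the regulating valve opens and pressure passes 375 psig at
# 17:45, reaches 390 psig at 18:00, then falls after the rupture.
SAN_BRUNO_TIMELINE = [
    Sample("17:00", 24.0, 340.0),
    Sample("17:15", 7.0, 352.0),   # UPS replaced, output collapses to 7 V
    Sample("17:30", 7.0, 368.0),
    Sample("17:45", 7.0, 376.0),   # exceeds 375 psig
    Sample("18:00", 7.0, 390.0),
    Sample("18:03", 7.0, 386.0),
    Sample("18:06", 7.0, 361.0),
    Sample("18:09", 7.0, 290.0),
]


def first_alert_times(samples: List[Sample]) -> dict:
    """Earliest time each alert kind fired: what an operator dashboard would surface."""
    first: dict = {}
    for a in monitor(samples):
        first.setdefault(a.kind, a.time)
    return first


if __name__ == "__main__":
    for a in monitor(SAN_BRUNO_TIMELINE):
        print(f"{a.time} [{a.kind}] {a.detail}")
```

The point of the two independent checks is that the voltage fault is visible at 17:15, half an hour before the pressure excursion, and the correlated alert at 17:45 tells the operator not to trust the SCADA valve status that the undervolted supply is reporting. In a real deployment the readings would come from a separate power monitor and a pressure transmitter that do not share the failed UPS.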

Page 11: SAN BRUNO PIPELINE EXPLOSION

THE IMMEDIATE DAMAGE:
• The blast and 1,000 ft. high wall of fire in a residential neighborhood near SFO:
  • 167’ long, 26’ wide, and 40’ deep crater
  • 8 dead
  • 58 injured
  • 58 homes destroyed
• PG&E was unable to isolate the rupture for 1 hour.

Page 12: SAN BRUNO PIPELINE EXPLOSION

THE LONG TERM IMPACT:
• One day later PG&E stock dropped 8%, erasing $1.57b market value.
• Sept. 17, 2010 - December 13, 2013, stock remained down 10.69%
• Media coverage – disastrous.
• Convictions, fines, mass tort litigation – unprecedented:
  • 6 felony convictions forced PG&E to spend $3mm to publicize its conviction
  • 10,000 hours of community service were imposed
  • CEO resigned
  • $3 million fine for multiple violations of Gas Pipeline Safety Act & obstruction of justice
  • $1.6 billion California PUC fine for 3,800 violations of federal/state statutes
  • State of California found illegal diversion of $100 million from public safety to executive compensation and bonuses
  • Mass tort litigation… eventually settled for $565 million & $70 million restitution (borne by shareholders, not customers)
  • Forced a $769 million PG&E pipeline modernization plan (55% of inspection and upgrade cost borne by rate payers through a 3-5 year gas rate increase)

Page 13: “BUSINESS BLACKOUT” SCENARIO – CASE DISCUSSION

BACKGROUND
• May 2015 joint report by Lloyd’s and University of Cambridge’s Centre for Risk Studies
• Hypothetical scenario of a catastrophic electricity loss from a cyber attack that affects many companies and insurers simultaneously
• Created to highlight the complexity of direct/indirect insurance consequences:
  • Addresses economic impacts to physical assets, infrastructure, revenue & supply chains
  • Wide range of claim types triggered
  • Insurance policy, legal and aggregation issues
• Assumes no TRIA backstop intervention by the U.S. government

THE CAUSE
• Hackers teamed up to develop & install malware in U.S. grid
• Spent 1 year mapping networks and planning to disable safety systems
• Presence was detected, remediated, but not reported
• Hackers launched July attack:
  • Sent control signals that opened/closed generators’ circuit breakers in quick succession
  • Caused an out-of-phase condition

Page 14: “BUSINESS BLACKOUT” SCENARIO

THE IMMEDIATE DAMAGE
• Power Utilities
  • 50 generators caught fire, billowing smoke
  • Some were partially destroyed as engines blew apart
  • 1 gas turbine facility completely destroyed in explosion
  • Many undamaged generators proactively shut down to protect them
  • Damage to assets and infrastructure for repair/replacement costs
  • Direct loss of revenue to generating/distribution companies and network operators
• The Economy
  • Exports/imports cease (port loading/off-loading is non-operational)
  • 50% drop in labor productivity
    • Workers cannot get to jobsites (gas pumps down, subways, trains)
    • All electric-driven machinery non-functional
    • Businesses closed
  • 50% drop in consumption in the affected region
    • No travel, store purchases, online shopping

Page 15: “BUSINESS BLACKOUT” SCENARIO

THE IMMEDIATE DAMAGE
• Public Users
  • Blackout in 15 states and Washington D.C. affecting 93 million
  • Regional factories and commercial activity ceased
    • Direct loss in sales revenue
    • Indirect supply chain losses
  • Companies, hospitals, and public facilities with generators resume limited operations until diesel fuel is exhausted
  • Major airports serving NYC and DC are closed for the first day of the outage – massive service disruptions.
    • Service is disrupted for another week dealing with the chaos caused by the power outage.
  • Public transportation (airports, subways, trains) disrupted or eliminated
  • Power loss & damaged back-up generator led to chemical release of dangerous compounds into the water supply, sickening 10,000 people
  • Water plant accident spills raw sewage, contaminating a local water supply, adversely affecting another 2 million people
  • Social unrest – rioting, looting, arson

Page 16: “BUSINESS BLACKOUT” SCENARIO

THE LONG TERM IMPACT
• Residential
  • Material losses – candles, food spoilage
  • Traffic lights non-functional – spike in accidents
  • Potable water scarce – pumps, valves, power supplies non-functional, pollutants released
  • Rx refills stop – medical emergency
  • Older, infirm people at risk – heat stress, failing healthcare equipment, no elevators
• Commercial
  • Commercial food spoilage
  • Payment systems/ATMs are down – no cash or retail sales, loss of patronage, reputation
  • Telecom impacts as UPS runs out, Internet down
  • EFT, email and internet failures hit banks, ecommerce and retail hard
  • Tourism-related expenditures plunge – travel plans abandoned
• Industrial
  • Just-in-time production operations between suppliers and producers are severely impacted
  • Productivity drops as transportation for supplies and workers breaks down
• Economy
  • Criminals exploit lack of police presence
  • Increased mortality rate – poor EMS, Fire, Police response
  • GDP reduced by $750 billion – 2-4 week outage before power restoration
  • Massive litigation among aggrieved parties

Page 17: “BUSINESS BLACKOUT” SCENARIO

INSURANCE CLAIMANTS
• Power generation companies - Property damage, business interruption, incident response costs & fines
• Defendant companies - suppliers of generators, control room systems, security software; companies responsible for malware release; litigation/settlement costs
• Companies that lose power - Property losses (cold store contents), business interruption, liability from failure to protect work force, causing a pollution accident, disproportionate suffering from outage (D&O claim)
• Companies indirectly affected - Contingent Business Interruption, D&O claims arising from inadequate contingency plans
• Homeowners - Property damage (cold store contents)
• Specialty - Various specialty coverages applied including event cancellation
• Potential liability coverages - for cyber related power outages, general liability, E&O, D&O, portions of commercial multi-peril coverage, medical malpractice, product liability, and others
• Other areas of insured losses - injury-related claims, auto, property fire, industrial accidents, environmental liability, social unrest

Page 18: RISK MANAGEMENT & INSURANCE IMPLICATIONS

• How might a cyber incident play out across our assets?
• Do IT and control engineers talk and compare notes?
• Do Risk Managers confer with IT on potential scenarios of loss?
• Does the risk appetite include accepting ICS cybersecurity risk?
• Does the risk transfer process take into account the types of policies necessary to address an array of 1st and 3rd party risks?
• Has Risk Management “war-gamed” incidents to identify contingent risk outcomes?
• Do the business continuity and crisis management plans adequately address ICS cybersecurity risk?
• Have senior management and the Board been briefed on how ICS cybersecurity events might play out from an ERM perspective?
• How active is senior management in the cyber risk assessment and corresponding planning? How supportive is the Board?
• Inventory insurance policies: Cyber, Property, Crime, GL, Umbrella, Package policies, Inland Marine, D&O, E&O, DIC

Page 19: COVERAGE CONSIDERATIONS

• IT attack activates data breach, data loss, data recovery policies.
• Attack on operating technology (OT) activates 1st and 3rd party business interruption and property damage policies.
• Cyber policies may try to exclude “physical” damage and “bodily injury” claims.
• General liability from cyber opened to broad interpretation; various ISO “cyber” exclusion forms.
• Poor historical data around loss information.
• Will cyber policies pay time element loss where data is locked by ransomware?
• New insurance products to pick up PD and BI risk where cyber, CGL and property insurance companies may contest coverage.
• Unknown motive of, and attribution to, perpetrator(s)
  • May embolden some insurance companies to contest coverage and litigate
• Poor OT (versus IT) coverage

Page 20: CONTACT

Scott Corzine
Senior Managing Director
Ankura Consulting Group
Office: +1.646.291.8596
Cell: +1.917.930.5300
[email protected]