TRANSCRIPT · 2017-07-25
PRIVILEGED AND CONFIDENTIAL 1
ANKURA CONSULTING
JULY 17, 2017
Risk Management Considerations Around Cybersecurity of Industrial Control Systems
CYBERSECURITY: NATURE OF THE RISK AND OPPORTUNITY

UBIQUITOUS, PERVASIVE BOARDROOM RISK TO THE ENTERPRISE
• All sectors
• All geographies
• All companies

AN ERM ISSUE, NOT A TECHNICAL ISSUE
• Organizations should plan/budget as if they will be hacked
• Poorly prepared firms will suffer: valuation, reputation, legal and regulatory
• Preparation and response capacity sets resilient clients apart

RESILIENCE, NOT JUST PREVENTION, IS THE RATIONAL OBJECTIVE

SPENDING RANGE
• 3-5% of annual CapEx budget
• 5-15% of annual IT budget
CYBERSECURITY ENVIRONMENT

MARKET CONDITIONS
• Cyber crime costs $400 billion annually (Lloyd's); $2-3 trillion by 2020 (Juniper)
• Up 24% in 2016 from 2015 (FBI)
• Top 5 risk by likelihood: 2017 World Economic Forum
• Rating agencies are considering adding cyber-maturity and risk accumulation to ratings
• Cybersecurity is a dominant risk for CEOs; 70% view it as a major threat
• $3 trillion in market value destroyed in 2015
• Cyber insurance uptake is growing globally at 21% annually
• $2.5 billion in written cyber premiums in 2016
• Key driver of D&O coverage
• 40% of companies rate their cybersecurity risk management capacity as “non-existent” or “ad hoc”
• Only 24% are at the “mature” stage
• Slightly over 1/3 have a data breach response plan
• Only 60% have the resources to comply with security regulations
• Imposition of cybersecurity regulations is increasing
• 1.5 million InfoSec job shortage by 2019
CYBERSECURITY THREAT LANDSCAPE - GENERAL
©Ponemon Institute
CYBERSECURITY THREAT LANDSCAPE – 290 REPORTED 2016 ICS ATTACKS
©NCCIC/ICS-CERT Year in Review FY 2016
CYBERSECURITY THREAT LANDSCAPE – LEVEL OF ICS INTRUSION
CYBERSECURITY RISK IN THE “IIOT” – OVER 7 BILLION DEVICES BY 2020
©Applied Control Solutions, LLC
POTENTIAL TARGETS
HAVE WE MOVED FROM “POSSIBLE” TO “PLAUSIBLE” TO “PROBABLE”?
©Cyxtera Technologies
SAN BRUNO PIPELINE EXPLOSION – CASE DISCUSSION

THE CAUSE (NTSB):
• This was an intentional, non-malicious “cyber” event on ICS.
• PG&E scheduled maintenance of its uninterruptible power supply (UPS) system at its Milpitas Terminal, 39 miles from the accident site, on September 9, 2010.
• When engineers replaced the UPS to the SCADA system:
  • Instead of supplying its regular output of 24 volts, the UPS supplied 7 volts to the SCADA system.
  • This anomaly caused a low-voltage alarm signal to a valve on Line 132, moving the regulating valve to the “fully opened” position and increasing the pressure on Line 132 to 386 pounds per square inch gauge (psig).
  • The pneumatically activated over-pressure protection valve maintained pressure at 386 psig.
• At 5:45 PM SCADA showed pressure exceeding 375 psig, increasing to 390 psig at 6:00 PM.
• The 60-year-old 30-inch pipe exploded before the safety settings were reached; the NTSB attributed this to poor maintenance.
• Between 6:00 PM and 6:09 PM SCADA showed that pressure dropped to 386… 361… 290 psig, consistent with the explosion.
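The sequence on this slide is also a monitoring lesson: the SCADA system's own power supply went out of band before the pressure excursion, and an independent check on supply voltage would have flagged the control system itself as suspect rather than only the process. The following Python script is an added example written for this transcript, not code from the Ankura deck or the NTSB investigation. It runs three checks over historian-style samples (UPS voltage band, alarm-level crossing, rate of rise) and then asks whether a pressure finding follows a supply-voltage finding closely enough to suggest a control-system fault. The 24 V nominal and the 375 psig alarm level are taken from the slide; the ±10% tolerance band, the 2 psig/min rate-of-rise limit, the 30-minute correlation window and the sample values themselves are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Thresholds. The 24 V nominal UPS output and the 375 psig SCADA alarm level
# come from the slide; the +/-10% tolerance band, the 2 psig/min rate-of-rise
# limit and the 30-minute correlation window are assumptions for this example.
UPS_NOMINAL_V = 24.0
UPS_TOLERANCE = 0.10
HIGH_PRESSURE_PSIG = 375.0
MAX_RISE_PSIG_PER_MIN = 2.0
CORRELATION_WINDOW_MIN = 30


@dataclass(frozen=True)
class Sample:
    """One historian record (constructed for the example)."""
    minute: int        # minutes since the start of the window
    ups_volts: float   # UPS output feeding the SCADA system
    line_psig: float   # line pressure as reported by SCADA


@dataclass(frozen=True)
class Finding:
    minute: int
    kind: str
    detail: str


def ups_in_band(volts: float) -> bool:
    """True when UPS output lies within the tolerance band around nominal."""
    low = UPS_NOMINAL_V * (1 - UPS_TOLERANCE)
    high = UPS_NOMINAL_V * (1 + UPS_TOLERANCE)
    return low <= volts <= high


def analyse(samples: list[Sample]) -> list[Finding]:
    """Run three independent checks over a time-ordered sample list.

    UPS_OUT_OF_BAND fires once when the supply leaves its band (not on every
    sample while it stays there); HIGH_PRESSURE fires on the upward crossing
    of the alarm level; RATE_OF_RISE fires for any interval whose average
    rise exceeds the limit.
    """
    findings: list[Finding] = []
    prev: Sample | None = None
    was_in_band = True
    for s in samples:
        in_band = ups_in_band(s.ups_volts)
        if was_in_band and not in_band:
            findings.append(Finding(
                s.minute, "UPS_OUT_OF_BAND",
                f"{s.ups_volts:.1f} V vs {UPS_NOMINAL_V:.0f} V nominal"))
        was_in_band = in_band
        if prev is not None:
            if prev.line_psig <= HIGH_PRESSURE_PSIG < s.line_psig:
                findings.append(Finding(
                    s.minute, "HIGH_PRESSURE",
                    f"{s.line_psig:.0f} psig exceeds {HIGH_PRESSURE_PSIG:.0f} psig"))
            dt = s.minute - prev.minute
            if dt > 0:
                rate = (s.line_psig - prev.line_psig) / dt
                if rate > MAX_RISE_PSIG_PER_MIN:
                    findings.append(Finding(
                        s.minute, "RATE_OF_RISE",
                        f"{rate:.2f} psig/min over {dt} min"))
        prev = s
    return findings


def suspect_scada_integrity(findings: list[Finding]) -> bool:
    """True when a pressure finding follows a UPS finding within the window.

    A pressure excursion arriving shortly after the SCADA system's own power
    supply went out of band should be treated as a possible control-system
    fault, not only as a process upset.
    """
    ups_minutes = [f.minute for f in findings if f.kind == "UPS_OUT_OF_BAND"]
    for f in findings:
        if f.kind in ("HIGH_PRESSURE", "RATE_OF_RISE"):
            if any(0 <= f.minute - m <= CORRELATION_WINDOW_MIN for m in ups_minutes):
                return True
    return False


# Constructed telemetry shaped like the slide's sequence: UPS output drops
# to 7 V, then line pressure climbs past 375 psig toward 390 psig. The values
# are illustrative, not NTSB data.
SAN_BRUNO_LIKE = [
    Sample(0, 24.0, 360.0),
    Sample(1, 7.0, 365.0),
    Sample(5, 7.0, 378.0),
    Sample(20, 7.0, 390.0),
]

# Constructed quiet baseline for comparison.
HEALTHY = [
    Sample(0, 24.0, 360.0),
    Sample(10, 24.5, 362.0),
]

if __name__ == "__main__":
    for f in analyse(SAN_BRUNO_LIKE):
        print(f"t+{f.minute:>2} min  {f.kind:<16} {f.detail}")
    print("SCADA integrity suspect:", suspect_scada_integrity(analyse(SAN_BRUNO_LIKE)))
```

On the constructed data the first finding is the voltage anomaly at minute 1, ahead of the alarm-level crossing at minute 5, and the correlation check returns True; the quiet baseline produces no findings. The design choice worth noting is that the supply-voltage check is deliberately independent of the SCADA pressure readings, since the slide's point is that a degraded control system can generate a valid-looking alarm that moves a valve the wrong way.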
SAN BRUNO PIPELINE EXPLOSION

THE IMMEDIATE DAMAGE:
• The blast and a 1,000 ft. high wall of fire in a residential neighborhood near SFO:
  • 167’ long, 26’ wide, and 40’ deep crater
  • 8 dead
  • 58 injured
  • 58 homes destroyed
• PG&E was unable to isolate the rupture for 1 hour.
SAN BRUNO PIPELINE EXPLOSION

THE LONG TERM IMPACT:
• One day later PG&E stock dropped 8%, erasing $1.57 billion in market value.
• Sept. 17, 2010 to December 13, 2013: stock remained down 10.69%
• Media coverage: disastrous.
• Convictions, fines, mass tort litigation: unprecedented:
  • 6 felony convictions forced PG&E to spend $3 million to publicize its conviction
  • 10,000 hours of community service were imposed
  • CEO resigned
  • $3 million fine for multiple violations of the Gas Pipeline Safety Act and obstruction of justice
  • $1.6 billion California PUC fine for 3,800 violations of federal/state statutes
  • State of California found illegal diversion of $100 million from public safety to executive compensation and bonuses
  • Mass tort litigation, eventually settled for $565 million plus $70 million restitution (borne by shareholders, not customers)
  • Forced a $769 million PG&E pipeline modernization plan (55% of inspection and upgrade cost borne by rate payers through a 3-5 year gas rate increase)
“BUSINESS BLACKOUT” SCENARIO – CASE DISCUSSION

BACKGROUND
• May 2015 joint report by Lloyd’s and the University of Cambridge’s Centre for Risk Studies
• Hypothetical scenario of a catastrophic electricity loss from a cyber attack that affects many companies and insurers simultaneously
• Created to highlight the complexity of direct/indirect insurance consequences:
  • Addresses economic impacts to physical assets, infrastructure, revenue and supply chains
  • Wide range of claim types triggered
  • Insurance policy, legal and aggregation issues
• Assumes no TRIA backstop intervention by the U.S. government

THE CAUSE
• Hackers teamed up to develop and install malware in the U.S. grid
• Spent 1 year mapping networks and planning to disable safety systems
• Presence was detected and remediated, but not reported
• Hackers launched the July attack:
  • Sent control signals that opened/closed generators’ circuit breakers in quick succession
  • Caused an out-of-phase condition
“BUSINESS BLACKOUT” SCENARIO

THE IMMEDIATE DAMAGE
• Power Utilities
  • 50 generators caught fire, billowing smoke
  • Some were partially destroyed as engines blew apart
  • 1 gas turbine facility completely destroyed in an explosion
  • Many undamaged generators proactively shut down to protect them
  • Damage to assets and infrastructure: repair/replacement costs
  • Direct loss of revenue to generating/distribution companies and network operators
• The Economy
  • Exports/imports cease (port loading/off-loading is non-operational)
  • 50% drop in labor productivity
    • Workers cannot get to jobsites (gas pumps down, subways, trains)
    • All electric-driven machinery non-functional
    • Businesses closed
  • 50% drop in consumption in the affected region
    • No travel, store purchases, online shopping
“BUSINESS BLACKOUT” SCENARIO

THE IMMEDIATE DAMAGE
• Public Users
  • Blackout in 15 states and Washington D.C. affecting 93 million
  • Regional factories and commercial activity ceased
    • Direct loss in sales revenue
    • Indirect supply chain losses
  • Companies, hospitals, and public facilities with generators resume limited operations until diesel fuel is exhausted
  • Major airports serving NYC and DC are closed for the first day of the outage: massive service disruptions.
  • Service is disrupted for another week dealing with the chaos caused by the power outage.
  • Public transportation (airports, subways, trains) disrupted or eliminated
  • Power loss and a damaged back-up generator led to a chemical release of dangerous compounds into the water supply, sickening 10,000 people
  • Water plant accident spills raw sewage, contaminating a local water supply and adversely affecting another 2 million people
  • Social unrest: rioting, looting, arson
“BUSINESS BLACKOUT” SCENARIO

THE LONG TERM IMPACT
• Residential
  • Material losses: candles, food spoilage
  • Traffic lights non-functional: spike in accidents
  • Potable water scarce: pumps, valves, power supplies non-functional, pollutants released
  • Rx refills stop: medical emergency
  • Older, infirm people at risk: heat stress, failing healthcare equipment, no elevators
• Commercial
  • Commercial food spoilage
  • Payment systems/ATMs are down: no cash or retail sales, loss of patronage, reputation
  • Telecom impacts as UPS runs out, Internet down
  • EFT, email and internet failures hit banks, ecommerce and retail hard
  • Tourism-related expenditures plunge: travel plans abandoned
• Industrial
  • Just-in-time production operations between suppliers and producers are severely impacted
  • Productivity drops as transportation for supplies and workers breaks down
• Economy
  • Criminals exploit lack of police presence
  • Increased mortality rate: poor EMS, Fire, Police response
  • GDP reduced by $750 billion: 2-4 week outage before power restoration
  • Massive litigation among aggrieved parties
“BUSINESS BLACKOUT” SCENARIO

INSURANCE CLAIMANTS
• Power generation companies: property damage, business interruption, incident response costs and fines
• Defendant companies: suppliers of generators, control room systems, security software; companies responsible for malware release; litigation/settlement costs
• Companies that lose power: property losses (cold store contents), business interruption, liability from failure to protect the work force, causing a pollution accident, disproportionate suffering from the outage (D&O claim)
• Companies indirectly affected: contingent business interruption, D&O claims arising from inadequate contingency plans
• Homeowners: property damage (cold store contents)
• Specialty: various specialty coverages applied, including event cancellation
• Potential liability coverages: for cyber related power outages, general liability, E&O, D&O, portions of commercial multi-peril coverage, medical malpractice, product liability, and others
• Other areas of insured losses: injury-related claims, auto, property fire, industrial accidents, environmental liability, social unrest
RISK MANAGEMENT & INSURANCE IMPLICATIONS
• How might a cyber incident play out across our assets?
• Do IT and control engineers talk and compare notes?
• Do Risk Managers confer with IT on potential scenarios of loss?
• Does the risk appetite include accepting ICS cybersecurity risk?
• Does the risk transfer process take into account the types of policies necessary to address an array of 1st and 3rd party risks?
• Has Risk Management “war-gamed” incidents to identify contingent risk outcomes?
• Do the business continuity and crisis management plans adequately address ICS cybersecurity risk?
• Have senior management and the Board been briefed on how ICS cybersecurity events might play out from an ERM perspective?
• How active is senior management in the cyber risk assessment and corresponding planning? How supportive is the Board?
• Inventory insurance policies: Cyber, Property, Crime, GL, Umbrella, Package policies, Inland Marine, D&O, E&O, DIC
COVERAGE CONSIDERATIONS
• An IT attack activates data breach, data loss, and data recovery policies.
• An attack on operating technology (OT) activates 1st and 3rd party business interruption and property damage policies.
• Cyber policies may try to exclude “physical” damage and “bodily injury” claims.
• General liability from cyber is open to broad interpretation; various ISO “cyber” exclusion forms.
• Poor historical data around loss information.
• Will cyber policies pay time element loss where data is locked by ransomware?
• New insurance products to pick up PD and BI risk where cyber, CGL and property insurance companies may contest coverage.
• Unknown motive of, and attribution to, perpetrator(s)
  • May embolden some insurance companies to contest coverage and litigate
• Poor OT (versus IT) coverage
Contact: Scott Corzine
Senior Managing Director
Ankura Consulting Group
Office: +1.646.291.8596
Cell: +1.917.930.5300