Stephen Wares Cyber Risk Practice Leader EMEA Marsh Cyber Risk Are criminals and terrorists a threat to supply security?

Post on 16-Jan-2016


Page 1

Stephen Wares

Cyber Risk Practice Leader EMEA

Marsh

Cyber Risk: Are criminals and terrorists a threat to supply security?

Page 2

MARSH, 21 April 2023

What is cyber risk?

• We should exchange the word cyber for IT, then:

• ISO: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.

Threat → Vulnerability → Asset → Harm

Page 3

Threats

Page 4

Who might be a threat to the Power Industry

Criminal

• Symantec estimated the direct cost of cyber crime in 24 countries to be $114 billion.

– Personal information
– Credit/debit card information
– Held funds
– Intellectual property
– Confidential corporate data

Hacktivist

• The world's largest hosting provider of secure websites suffered major outages in September 2012, taking potentially millions of sites down with it. A member associated with the Anonymous collective claimed responsibility.

– Public support for a cause
– Direct impact on core activity
– Corporate or industry-wide scandal
– Top corporate brand target

Page 5

Cyber Risk Landscape

Terrorist

• “In all my years on the Homeland Security Committee, I cannot think of another issue where the vulnerability is greater and we've done less” – Senator Collins

– Disruption to critical infrastructure
– Economic impact
– Loss of life
– Damage to property

State Sponsored

• In May 2013 it was reported that US intelligence agencies traced the compromise of the National Inventory of Dams to a foreign government or military operatives, raising concerns of a future attack against the national electrical power grid.

– Disruption to critical infrastructure
– Economic impact
– Loss of life
– Espionage

Page 6

Who might be a threat to the power industry

Malice

• After analysing the software code from the Aramco attack, security experts say that the event involved a company insider, or insiders, with privileged access to Aramco’s network. The virus could have been carried on a USB memory stick that was inserted into a PC.

– Disgruntled employee/customer
– Proof of ability
– Untargeted malicious code
– Random selection

Page 7

Threat Environment - US Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team

[Chart from ICS-CERT; only the figure 17% survives extraction]

Page 8

Vulnerabilities

Page 9

Why vulnerabilities occur

• Increased availability of hacker tools and a decrease in the technical knowledge needed to use them

• According to the US State Department, 80% of attacks leverage known vulnerabilities and configuration management setting weaknesses

• Control systems were originally designed for use with a standalone communication network, but have subsequently been connected to the internet.

• Increased remote control, including connecting or disconnecting customers or pushing firmware upgrades to customer Advanced Metering Infrastructure.

• The digitisation of power grids creates an aggregation vulnerability that could span networks and geographies.

• According to ICS-CERT research in 2012, 171 unique vulnerabilities affecting 55 different ICS vendors were found.


Page 10

Specific example vulnerabilities

• When Trend Micro set up a honeypot to replicate the ICS within a water pumping system, 17 of the attacks monitored would have been considered “catastrophic”.

• According to IOActive, resold field devices (RTUs, PLCs) can be reverse engineered to give up historical data, including the control system network and its layout, that could be useful to a hacker.

• A virus infection introduced to a turbine control system via a USB drive during a software upgrade was reported to ICS-CERT in October 2012. The virus caused downtime for the impacted systems and delayed the plant restart by approximately 3 weeks.

• Hard-coded customer accounts, discovered in May 2013, served as backdoors into devices from a German industrial automation manufacturer.

• Researchers using the search engine Shodan were able to identify a number of internet connected control systems including command and control systems for power grids and nuclear power plants.


Page 11

Assets

Page 12

Assets at risk

Page 13

Harm

Page 14

Harm - Impacts & Loss

IT forensic costs

Network remediation costs

Data remediation costs

Crisis management PR costs

Increased cost of working

Legal fees - advice

Breach notification costs

Credit monitoring costs

ID theft remediation costs

Third party compensation

Litigation costs - defence

Litigation costs - pursuit

Criminal action defence costs

Criminal fine

Civil regulatory fine

Contractual fine/penalty

Loss of licence to trade

Loss of revenue

Physical asset replacement cost

Loss of shareholder value

Loss of funds

Additional debt to third parties

Lost opportunity

Extortion demand cost

Extortion expert costs

Clean up cost

Data is altered

IT network interruption

Partial IT network interruption

Damage to digital assets

Damage to digital assets - third party

Damage to network equipment

Damage to a non IT physical asset

Bodily injury

Electronic content that is harmful to an individual

Theft of IT resources

Use of IT resources in a hacking event

Transmission of malicious code to a third party

Theft of own funds

Theft of third party funds

Theft of intellectual property

Assets transferred without payment

Compromise of commercially sensitive material - own

Compromise of commercially sensitive material - third party

Compromise of personally identifiable information - data owner

Compromise of personally identifiable information - data processor

Valid threat of harm

Environmental damage

Page 15

Possible Harm?

Bodily Injury/Death

Business Interruption Loss

Forensic investigation

Asset replacement cost

Contractual liability

Increased cost of working

Page 16

Insurance

Page 17

Typical Electronic Data Exclusion

• This Policy does not insure loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever (including but not limited to COMPUTER VIRUS) or loss of use, reduction in functionality, cost, expense of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss.

• ELECTRONIC DATA means facts, concepts and information converted to a form useable for communications, interpretation or processing by electronic and electromechanical data processing or electronically controlled equipment and includes programmes, software, and other coded instructions for the processing and manipulation of data or the direction and manipulation of such equipment.

• COMPUTER VIRUS means a set of corrupting, harmful or otherwise unauthorised instructions or code, including a set of maliciously introduced unauthorised instructions or code, programmatic or otherwise, that propagate themselves through a computer system or network of whatsoever nature. COMPUTER VIRUS includes but is not limited to ‘Trojan Horses’, ‘worms’ and ‘time or logic bombs’.

• However, in the event that a peril listed below results from any of the matters described above, this Policy, subject to all its terms, conditions and exclusions, will cover physical damage occurring during the Policy period to property insured by this Policy directly caused by such listed peril.

• Listed Perils: Fire, Explosion

Page 18

The Cyber Insurance Market

Network security liability: Liability to a third party as a result of certain events, such as your network's participation in denial of service attacks or transmission of viruses to third-party computers and systems.

Data privacy liability: Liability to a third party as a result of the unauthorized disclosure of personally identifiable information.

Crisis management fund: Expenses incurred to respond to a breach event.

Cyber extortion: A genuine threat to the computer network or data leads to payment of expert costs and a ransom.

Network business interruption:

The interruption or suspension of computer systems results in:

• your loss of income

• extra expense incurred to mitigate an income loss

Resulting from:

• a network security breach.

• a network failure

Page 19

Conclusion

• Strong evidence that security vulnerabilities exist within power generation and transmission.

• The drive for connectivity must be balanced against, and acknowledge, the additional risk that it creates.

• The cost of an event within a power generation facility or transmission network could be significant, with insurance coverage limited.

• The standalone cyber insurance market is not currently well enough developed to take on the entirety of the risk.

Page 20

This PowerPoint™ presentation is based on sources we believe reliable and should be understood to be general risk management and insurance information only.

Registered in England Number: 1507274, Registered Office: 1 Tower Place West, Tower Place, London EC3R 5BU

In the United Kingdom, Marsh Ltd is authorised and regulated by the Financial Conduct Authority for insurance mediation activities only.

Marsh Ltd conducts its general insurance activities on terms that are set out in the document "Our Business Principles and Practices". This may be viewed on our website http://www.marsh.co.uk/aboutMarsh/principles.html

© Copyright 2012 Marsh Ltd All rights reserved