How Underwriters Can Weigh (and Diminish) Cyber Risk Against Critical Infrastructure

By Lior Frenkel

Critical infrastructure presents a difficult cyber risk problem for insurance underwriters. Attack capabilities are growing, and attacks are becoming increasingly targeted. The Havex and BlackEnergy malware strains are but two recent examples of the growing sophistication of high-end capabilities available to adversaries of any skill level. Military-grade cyber attack techniques, like those used in the infamous Stuxnet attack on Iranian nuclear facilities, are no longer in the hands of governments alone. These attacks have been thoroughly and publicly documented, and the techniques are available to everyone from hacktivists to terrorists. Unlike earthquakes, equipment failures and other hard-to-predict natural and man-made events, cyber attacks are carefully planned. In critical infrastructure markets, the question about cyber threat is no longer focused on “if” or “how,” but rather “when.”

While there are countless examples of successful cyber attacks on government and business networks of all types, there are fewer public disclosures of cyber attacks on the control system networks responsible for the safe and reliable operation of large, dangerous physical infrastructures. An underwriter who relies on disclosures as a benchmark for assessing a utility's risk, using an actuarial approach, might rate the risk as minimal; but that is a limited view of the real threat.

Targeted persistent attacks (TPAs) threaten remote service centers

Modern attackers more or less make it their full-time job to assault an organization over a period of weeks or months. They use continuous, interactive remote control tools called Remote Administration Tools (RATs) to defeat standard IT-style protections, and they can learn these attack techniques in virtually any intermediate security training program. TPAs are routinely practiced, and routinely defeat even sophisticated security software systems protecting corporate networks and control system networks. It takes little imagination to see how devastating such an attack could be if directed at the networks controlling the physical processes of industrial sites.

Consider the turbines power companies use to create electricity. Turbine vendors generally require continuous remote “monitoring and diagnostics” for their turbines as a condition of support contracts and warranties for that equipment. The vendors continuously monitor equipment for developing problems, and occasionally adjust the equipment remotely to address small problems that have the potential to grow into catastrophic failures.

To enable these services, vendors require remote access into the turbine network, in most cases over the internet. Each central “monitoring and diagnostics” site is connected to hundreds or even thousands of turbine control systems, world-wide. A targeted breach of such a central site could result in a widespread cyber attack on multiple power plants, nationwide, potentially taking down large parts of the grid. An incident like this would represent a disastrous cost for insurers, as well as a serious impact on society at large.

How insurers can encourage better security standards

As insurance underwriters determine the risk class of their policyholders, they must consider whether those customers have embraced security best practices for critical infrastructure. Namely, have customers adopted unidirectional security gateways that offer hardware protections and completely block modern, targeted remote control attacks?

All software has defects, and many of those defects are also security vulnerabilities. In practice, then, all software can be hacked. Software’s open door for hackers has created an environment in which criminals can breach a system remotely via the Internet from the safety of their offices in countries where no one will prosecute these crimes. Traditional IT cyber protections, such as firewalls, encryption, anti-virus systems and security update programs, can stave off common malware and botnets, but do little to reduce the risk of modern, targeted attacks. Clearly, there must be a stronger-than-firewalls approach applied to the protection of safety-critical control systems.

Government authorities in several geographies now require such advanced protections for many classes of critical national infrastructure, and an even larger set of authorities recommends unidirectional security gateways for critical infrastructure. These organizations have done their own risk assessments and concluded that firewalls and other software security systems are no longer sufficient to protect against modern attack capabilities. These organizations assess risk based on capabilities, not incident history, and insurance underwriters must do the same.

As insurance companies assess the risks facing their critical infrastructure policyholders, insurers can take steps to encourage the use of stronger cyber security measures. Such measures should include at least one layer of hardware-enforced unidirectional security gateways as a means of protection that cannot be breached directly or indirectly from the Internet or through central monitoring systems.
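As an added illustration of the turbine monitoring architecture described above and of the unidirectional gateway recommended here (example code, not the article's or any vendor's own): a plant-side gateway replicates turbine telemetry outbound to a vendor-side replica that the central monitoring site queries. The class names, tag names and values are constructed for the example; a real gateway enforces the missing return path in hardware, which this software model can only imitate.

```python
import json

# Added example, not the article's code; tag names and values are constructed.
class TurbineController:
    """Plant-side controller holding live tags."""
    def __init__(self):
        self.tags = {"rpm": 3000, "vib_mm_s": 1.2, "setpoint_mw": 50}

class OneWayLink:
    """Send-only channel: the TX side appends frames, the RX side only reads.
    A hardware gateway enforces this physically; the model has no method by
    which the RX side can hand a frame back to the TX side."""
    def __init__(self):
        self._frames = []
    def tx(self, frame):
        self._frames.append(frame)
    def rx_all(self):
        frames, self._frames = self._frames, []
        return frames

class ReplicaServer:
    """Vendor-side replica queried by the monitoring centre. It holds copies
    of plant data only and has no reference to the real controller."""
    def __init__(self):
        self.tags = {}
    def apply(self, frame):
        self.tags.update(json.loads(frame))
    def read(self, tag):
        return self.tags.get(tag)

def replicate(ctrl, link, replica):
    """One replication cycle: plant tags are serialised and pushed outbound,
    then applied to the replica on the vendor side."""
    link.tx(json.dumps(ctrl.tags).encode())
    for frame in link.rx_all():
        replica.apply(frame)

def run_cycle():
    """Returns (vendor's first view, plant setpoint, vendor's refreshed view)
    after a compromised central site edits its own replica: the controller
    is unaffected because nothing flows back across the link, and the next
    replication cycle overwrites the tampered copy."""
    ctrl, link, replica = TurbineController(), OneWayLink(), ReplicaServer()
    replicate(ctrl, link, replica)
    seen = replica.read("setpoint_mw")
    replica.tags["setpoint_mw"] = 0       # tampering at the central site
    replicate(ctrl, link, replica)
    return seen, ctrl.tags["setpoint_mw"], replica.read("setpoint_mw")
```

The remote "adjust" step the article mentions is exactly what this design removes: with a unidirectional gateway in place, vendor-initiated changes must go through plant personnel rather than over the monitoring connection.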

With cybercriminals proving their skill in targeted attacks, we can no longer ignore the capabilities-based risk to utility operations and safety systems. Minimizing that risk must begin with defensive capabilities that are at least as sophisticated as the adversaries’ attack capabilities. Today’s best practices demand the deployment of hardware-enforced unidirectional security gateways.