In early 2016 I wrote a post about the dangers of cyber attacks on critical infrastructure and the insurance available for the financial consequences of such attacks. At that time I mentioned that one of the greatest risks was the possibility of an attack on industrial control systems that resulted in physical damage or bodily injury. On December 14, 2017 we learned about just such an attack. Frighteningly, the attack was directed at industrial safety systems.
In a post on its Threat Research Blog, Mandiant disclosed its discovery of malware designed to interact with Triconex Safety Instrumented System controllers. According to the manufacturer, Triconex controllers are used “across a broad range of high hazard industries including Oil & Gas, exploration and production, refining, petrochemical, chemical, pipelines and distribution, as well as energy and power generation.” The malware, which Mandiant calls “TRITON,” reprogrammed the controllers and caused them to shut down. This in turn caused the industrial process being monitored to shut down. The shutdown led to the discovery of the malware.
Mandiant believes the shutdown was inadvertent, and that the attacker had planned to use the malware to cause physical damage. They have “moderate confidence” that the attack was launched by a nation state.
It isn’t difficult to imagine the havoc that a successful TRITON attack could create. In fact, we don’t have to. In December 2014 the German Federal Office for Information Security released a report revealing a cyber attack on a steel mill that caused an uncontrolled shutdown of a blast furnace, which led to “massive damage.” A subsequent third-party report describes this now well-known event in more detail.
Physical damage to equipment could severely impair, or entirely prevent, a company from doing business. A steel mill without a working blast furnace can’t make steel. Damaged equipment would certainly lead to lost income and expense to repair or replace the equipment. It could also lead to claims from customers, and possibly the loss of customers. Buyers of steel may decide to buy from other mills, and may not resume doing business with the mill that suffered the attack. The crippled company’s reputation could be damaged, which could impact future business. Steel buyers may buy from other mills that are, rightly or wrongly, perceived to have a lower cyber risk and therefore to be more reliable.
Physical damage to equipment could also result in injuries to employees and others. The steel mill attack in Germany didn’t kill or injure people, but as a UK government report concerning a blast furnace explosion (not resulting from a cyber attack) demonstrates, deaths and injuries are certainly possible when industrial control systems fail.
A cyber attack on industrial control systems will create some of the same losses as attacks that don’t cause property damage or bodily injury. A company will need to retain forensic investigation firms to determine the cause of the attack and to ensure that the attack is terminated. A company may need to restore or recreate lost or compromised data. Legal assistance may be needed to respond to regulatory inquiries and customer claims. A company will likely want public relations consultants to help it communicate about the attack and to limit any reputational damage from the event.
When writing about this it is tempting to say something like TRITON is a shot across the bow, or that it is a bullet dodged. Those phrases are so overused that they have lost whatever punch they may once have had. But those clichés really are apt in this case. TRITON could have succeeded. The next version might. Companies such as the steel mill in Germany have already been harmed and have sustained huge losses. Financial losses from cyber attacks like this are real. Unfortunately it seems likely that more will follow.
In the face of such potential losses, companies naturally will want to know if their insurance policies will provide coverage. Insurers can cover losses from TRITON and similar malware.
Generally speaking, the non-physical losses can be covered under a good cyber policy. These would include business interruption loss (in the event that the attack does not cause bodily injury or property damage), the cost to restore or recreate data, forensic costs, legal costs, public relations costs, and claims by regulators and third parties. Other policies may also provide some coverage.
The situation is trickier for losses resulting from physical damage and bodily injury. While such losses would be covered under property and casualty policies if they arise from non-cyber events, coverage may be limited or non-existent if a TRITON or similar attack is successful. (Several of my colleagues wrote an excellent paper earlier this year that discusses that in more detail. I recommend it highly.) A handful of different insurance solutions exist to address this problem, and each has its particular strengths and weaknesses.
The important thing to know is that obtaining insurance coverage for physical damage and bodily injury resulting from a cyber event like TRITON isn’t a matter of buying the right policy. Instead, the solution is to craft multiple policies so that they cover that risk and work well together.