Cyberinsurance: It’s Not Just for Protecting Data, Law360 

March, 2014 - Lon Berk

A year ago, President Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity." The order concerned "critical infrastructure," which it defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters."[1]


The executive order also directed that a set of incentives be established for voluntary compliance with cybersecurity guidelines, including "insurance liability considerations."[2] The idea, presumably, was that insurers would provide coverage for cybersecurity risks, lower premiums for companies that satisfied cybersecurity standards and also serve as a repository for information about the latest cyber risks. If it worked, companies would have additional protection from cyber risk, both financial and technological. For it to work, though, there needs to be a market for cyberinsurance coverage protecting critical infrastructure against cyber risks.


Over the year since the executive order, there has, indeed, been a great deal of activity in the cyberinsurance market. Brokers and underwriters are aggressively marketing cyberinsurance products. There are reports of increased interest among policyholders in acquiring cyberinsurance, no doubt fueled by the recent publicity of large-scale cyberattacks on retailer point-of-sales systems, as well as the increased attention on cybersecurity generated by the executive order.


Unfortunately, the sort of cyberinsurance being sold does not protect against the main risks faced by critical infrastructure. Moreover, insurers appear to have simultaneously attempted to restrict coverage of that risk under more traditional products. The result is that, since the executive order, the insurance protecting infrastructure against cyber risk has contracted rather than expanded, and it is less likely that insurance can serve as an incentive to protect critical infrastructure.


Cyber risk is not limited to data loss and, as "The Internet of Things" expands, it is possible that the risk of data loss will be eclipsed by other events. On the other hand, cyber policies being marketed are primarily designed to address data loss and, in particular, exposure of personally identifiable information. But, notwithstanding the magnitude of recent retail breaches, that is not the only — and perhaps not even the main — cyber risk to infrastructure.


Much infrastructure, if not all, is controlled by supervisory control and data acquisition ("SCADA") systems, an often private, geographically-expansive network that controls and obtains data regarding system operations. Interference with SCADA has the potential of causing large-scale bodily injury and property-damage losses. 


SCADA has not been immune from cyber risk. For instance, malware has been found in an electric utility's turbine control system that impacted computers on the control system network.[3] SCADA exploits have been released by Metasploit, the well-known penetration testing software suite. The Federal Bureau of Investigation's Cyber Division reported that SCADA systems in three cities had been compromised.[4] There is, however, a gap in cyber coverage for much SCADA loss.


What is SCADA?


SCADA is a combination of telemetry, data acquisition and control systems used to automate industrial systems. In its most simplified version, it consists of a central operating unit, through which operators generally interact with the system, called the main terminal unit ("MTU"). The MTU is networked to a series of scattered computers called regional terminal units ("RTUs"), which monitor input from operations and control those operations through data outputs.


Taking a very simple example, consider a traffic light system in a town. Here we might have at each light an RTU that monitors traffic and, when, say, the difference between traffic in the north-south direction and traffic in the east-west direction exceeds a certain value, changes the timing of the traffic lights so that traffic going north or south receives shorter red lights than traffic going east or west. The MTU, back in police headquarters, shows data regarding the various traffic patterns and can be used to upload new software to RTUs as well as to override existing programs on special occasions, for instance, to accommodate anticipated motorcades.


More complicated versions of such systems are used in manufacturing and utility facilities, to control oil and gas pipelines, and elsewhere. They are the computer workhorses of industry.


What is the Cyber Risk?

  

Although a cyberattack on such a traffic system could obtain data (for instance, it might download data regarding traffic flows), data loss is not the primary risk. What would be of most concern is the risk of traffic jams, or of bodily injury and property damage caused by malfunctioning traffic signals. It is sometimes thought that SCADA systems are air gapped (i.e., not interconnected with other networks) and, therefore, not as seriously impacted by cyber risks as other networks.


This impression, however, is not accurate. SCADA components are often connected to the Internet and, as such, can be subjected to malicious code. In fact, there is a search engine that permits one to find SCADA components that are connected to the Internet, and researchers using this tool have found numerous SCADA components exposed in this way.


Moreover, even if a SCADA component is not directly connected to the Internet, many SCADA systems share components with other systems that are open to the web. For example, a company may share a router between its email server and its MTU and, while the MTU may be unable to receive and send emails through that router, a compromise of the router through the email server can be a compromise of SCADA. Additionally, malicious code can be and has been uploaded directly onto SCADA components through USB devices and computers used to program and/or update SCADA software. Further, many SCADA systems communicate wirelessly and can be subjected to man-in-the-middle attacks, like any device communicating over a wireless network.


In short, SCADA systems are subject to the full range of cyber risks (malware, denial-of-service attacks and others), as are all systems directly connected to the Internet. In fact, in a way, the risk to SCADA may be even greater: the assumption that it is air gapped may lead to a complacency not present with components designed to interact directly over interconnected networks.
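The traffic-light system described in "What is SCADA?" and the wireless man-in-the-middle concern raised above, as an added example that is not from the article. It is a toy model in Python: an RTU adapts its signal timing from local traffic counts using the article's rule, and an MTU can push an override, but the RTU keeps a local safety interlock so that no command, whether from a legitimate MTU, a spoofed radio frame or a compromised MTU, can produce an unsafe phase plan. The class and function names, the shared key, the timing limits and the sample counts are all constructed for illustration and are not drawn from any real system.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed safety limits for a signal phase plan (constructed values).
MIN_GREEN = 10    # seconds: shortest green either approach may receive
MAX_GREEN = 120   # seconds: longest green, bounds how long the other approach waits
ALL_RED = 3       # seconds of all-red clearance between conflicting phases

# Shared secret between MTU and RTU for message authentication (constructed).
SHARED_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Plan:
    """Green time in seconds for each approach; reds are implied by the cycle."""
    ns_green: int
    ew_green: int


def plan_is_safe(plan: Plan) -> bool:
    """Local interlock: both greens must lie within the assumed safety limits."""
    return all(MIN_GREEN <= g <= MAX_GREEN for g in (plan.ns_green, plan.ew_green))


def phase_sequence(plan: Plan) -> list:
    """One cycle as (phase, seconds); conflicting greens are separated by all-red."""
    return [("NS_GREEN", plan.ns_green), ("ALL_RED", ALL_RED),
            ("EW_GREEN", plan.ew_green), ("ALL_RED", ALL_RED)]


def sign_command(cmd: dict, key: bytes = SHARED_KEY) -> dict:
    """MTU side: serialise the override deterministically and attach an HMAC tag."""
    body = json.dumps(cmd, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class RTU:
    """Field unit at one intersection: adapts timing locally, accepts MTU overrides."""

    def __init__(self, plan: Plan = Plan(30, 30), key: bytes = SHARED_KEY):
        self.plan = plan
        self.key = key
        self.events = []   # audit trail an operator or monitoring system could collect

    def _apply(self, plan: Plan, source: str) -> Plan:
        """Every plan, whatever its origin, passes the interlock before taking effect."""
        if not plan_is_safe(plan):
            self.events.append(f"REJECTED unsafe plan {plan} from {source}")
            return self.plan
        self.events.append(f"APPLIED {plan} from {source}")
        self.plan = plan
        return self.plan

    def adapt(self, ns_count: int, ew_count: int, threshold: int = 20, step: int = 10) -> Plan:
        """The article's rule: when one direction exceeds the other by more than the
        threshold, lengthen its green and shorten the other's, within the limits."""
        diff = ns_count - ew_count
        if diff > threshold:
            new = Plan(min(MAX_GREEN, self.plan.ns_green + step),
                       max(MIN_GREEN, self.plan.ew_green - step))
        elif diff < -threshold:
            new = Plan(max(MIN_GREEN, self.plan.ns_green - step),
                       min(MAX_GREEN, self.plan.ew_green + step))
        else:
            return self.plan
        return self._apply(new, "local sensors")

    def override(self, message: dict) -> Plan:
        """MTU override path. A message is applied only if (1) its HMAC verifies, so a
        spoofed or tampered frame is dropped, (2) it parses into the expected fields,
        and (3) the resulting plan passes the local interlock."""
        body = str(message.get("body", ""))
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(message.get("tag", "")).encode()):
            self.events.append("REJECTED override: bad authentication tag")
            return self.plan
        try:
            cmd = json.loads(body)
            new = Plan(int(cmd["ns_green"]), int(cmd["ew_green"]))
        except (KeyError, TypeError, ValueError):
            self.events.append("REJECTED override: malformed command")
            return self.plan
        return self._apply(new, "MTU override")


if __name__ == "__main__":
    rtu = RTU()
    print(rtu.adapt(50, 10))                                   # N-S heavier: favour it
    print(rtu.override(sign_command({"ns_green": 60, "ew_green": 20})))
    tampered = sign_command({"ns_green": 60, "ew_green": 20})
    tampered["body"] = tampered["body"].replace("60", "600")   # altered in transit
    print(rtu.override(tampered))                              # plan unchanged
    print(rtu.override(sign_command({"ns_green": 0, "ew_green": 200})))  # interlock rejects
    for event in rtu.events:
        print(event)
```

The design point is that the interlock lives in the RTU and is applied to every plan regardless of source, so the bodily-injury and property-damage outcomes the article is concerned with are bounded even when the MTU or the link to it is compromised; the rejected events are the signals a defender would want forwarded to central monitoring.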


The risk of loss from a SCADA system is not limited to data. Rather, the risk includes a risk of bodily injury as well as property damage. The Stuxnet malware is the most well-known example of such a compromise. It infected files in SCADA control software and eventually resulted in the destruction of 1,000 fuel centrifuges inside Iran's uranium fuel enrichment program.


It is not hard to conjure up vast property and personal-injury losses resulting from a cyberattack on SCADA. Electric grids might be shut down through denial-of-service attacks and fuel might be diverted from delivery to refineries. Yet, as discussed below, these losses, to the extent they do not involve data loss, may be beyond the scope of many cyberinsurance policies.   


Insurance   


Many, if not all, cyberinsurance policies include exclusions for bodily injury and property damage. Others define coverage so narrowly that sound arguments can be made that bodily injury or property damage caused by cyberattacks on SCADA are outside the scope of coverage.


For example, some policies limit their coverage to expenses and costs, including legal fees, related to determining the identity of persons who must be notified of a breach and to providing that notice. That, as noted, is not the concern with compromised SCADA systems, which may contain no personally identifiable information requiring notification. Companies seeking a policy to cover a SCADA system may be hard-pressed to find one among those commonly found in the market.


At the same time insurers are issuing cyber policies, they are also attempting to limit the coverage provided for cyber risks under traditional property and liability policies. For example, the Insurance Services Office Inc. has proposed that certain exclusions be incorporated into those policies.


These exclusions, although apparently intended to bar coverage for claims relating to loss of personally identifiable information, such as those recently suffered by retailers, could be read more broadly by insurer advocates seeking to limit coverage. In a high-stakes dispute involving coverage for property damage or bodily injury caused by the breach of a SCADA system, a carrier might contend these exclusions apply. One exclusion, for instance, bars coverage for injuries resulting from, "The loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data."   


A carrier might stretch this language to bar coverage for a denial-of-service attack on an RTU, or for the injury caused to system hardware by Stuxnet-like code, as well as for damage resulting from the loss of data. It might contend that the Stuxnet code corrupted electronic data or that the denial-of-service attack constituted an inability to manipulate data, and that it was this that led to the bodily injury or property damage for which coverage was sought.


The Conundrum    


As noted at the outset, Executive Order 13636 was issued to protect critical infrastructure against cyberattack. One method the Obama administration hoped to use to incentivize companies to increase cybersecurity was insurance. 

 

It was thought that insurance might create an incentive to adjust cyber practices so that lower premiums might be obtained. It is true that insurers are intensely marketing cyberinsurance policies. Unfortunately, the products being marketed are not generally of the sort needed to protect critical infrastructure and appear to leave unprotected critical risks of loss that would be faced in the event of a cyberattack on SCADA.    


Cybersecurity is not merely the protection of data, although that is a function. Especially where SCADA systems are at issue, cybersecurity involves the protection of lives and property as well. Companies buying cyberinsurance need to be sure they have protection against the full risk of a cyberattack and not limit their protection to lost or publicized data.

 


Footnotes:

[1] http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity, Section 2.

[2] DHS Analysis Report, Cyber Security Incentives.

[3] See ICS-CERT Monitor, October/November/December 2012, at 1.

[4] http://nakedsecurity.sophos.com/2011/12/13/fbi-acknowledges-more-scada-attacks-increases-cyber-budget/

