Physical damage caused by a cyber attack is a serious concern for organizations with industrial control systems.
Cyberattacks Reach the
risk managers are beginning to get their arms around the next wave of cyber exposure — an attack that causes property or bodily damage.
By Katie Siegel
When the Baku-Tbilisi-Ceyhan pipeline exploded in 2008 in eastern Turkey, the blast damaged the pipeline in Refahiye, spewed oil into the environment and posed a risk of physical harm to firefighters called in to quell the flames. Cyber attackers apparently hacked into the pipeline’s control system and manipulated valves to increase pressure inside the pipe, while suppressing alarms that would have alerted operators to an error.
In 2014, an unnamed steel mill in Germany sustained extensive damage after
hackers breached the plant’s computer network via a spear phishing email, then
infiltrated industrial systems that control operational machinery. The attack
compromised the system so that a blast furnace could not be shut down.
In another well-known incident the year before, the Stuxnet computer virus
engineered by U.S. and Israeli forces damaged thousands of centrifuges at an
Iranian nuclear power plant, again compromising system controls while making
it appear everything was working normally. The virus was introduced through an
employee’s thumb drive.
These are only a few examples of cyberattacks that caused physical property
damage and potential bodily injury.
“The breaches and cyberattacks we see in the news are usually around the theft
of personally identifiable information,” said Tracie Grella, global head of cyber
risk insurance at AIG. “We’ve seen ransomware events, DOS attacks. The data
disclosure and business downtime are usually the results of a network breach. But
the potential for extensive physical damage is an emerging risk.”
As cyber risk rapidly evolves, the insurance industry is working hard to keep
up. However, gray areas remain and there are unanswered questions about how to
underwrite and mitigate such a dynamic risk.
“Five to 10 years ago, cyberattacks were motivated primarily by financial gain
and access to confidential data,” said Chris O’Byrne, cyber underwriting specialist
at FM Global. “This has evolved into more attacks focused on causing business
disruption, and others where the goal is physical damage.”
Though every type and size of company is susceptible to a cyberattack,
those with industrial-control systems (ICS), such as manufacturers and energy
suppliers, may be most vulnerable to an attack intended to cause physical damage.
Industrial-control systems are composed of many components relying on
communication between separate computer networks. The less cohesive a system
is, the more opportunities arise for hackers to find a way in.
“We’re seeing more reports of malware being written specifically to target
these systems,” O’Byrne said.
“The intent may not be to expressly cause physical damage, but that could
certainly be a result.”
The physical damage that could result from an attack on ICS varies. It could be
a fire that destroys equipment or a whole facility; it could be the simple wearing
down and corrosion of machinery; it could involve environmental damage, or
damage to any goods being produced.
“Hackers can spoof sensors by sending false data. They can force cyclical behaviors, like turning something on and off in rapid cycles, which causes machinery to wear out, fuses to be blown, leaking, and in some cases explosion and fire,” said Tom Harvey, product manager of cyber solutions at RMS, the risk modeling firm.
“It could be something as simple as disconnecting safety features,” he said. “Everything would be operating as it should, but there’s the increased risk for
“If you are targeted by a sophisticated group of hackers, they will find a way in. You have to make sure you’re properly covered.”
—Tom Harvey, product manager, cyber solutions,
• Cyberattacks can cause extensive physical property damage by
• There could be gaps or overlaps in coverage from property and
• Risk managers should adopt an ERM approach and treat cyber as any standard risk.