The role of insurance in driving better security
With the advent of the SolarWinds crisis, companies worldwide are experiencing a first-of-its-kind systemic event that has revealed a major risk to the software supply chain.1 The critical infrastructure community is not immune. In recent years, cyber threat actors have shifted their sights to valuable and often vulnerable operational technology (OT) systems as a potentially lucrative attack vector. Defending those systems effectively requires a deeper appreciation of their criticality and a clear understanding of the financial impact of a successful breach.
Fortunately, the cyber insurance market is already responding to OT system exposures in ways that can help companies better prioritize their cyber risk prevention and mitigation strategies. A “baker’s dozen” of coverage categories currently exists that speak directly to a wide variety of potential loss areas. Opportunities for improvement, however, abound. OT asset owners often are not included in the cyber insurance discussion. This unfortunate situation often leads to a suboptimal understanding about the full impact of a cyberattack. It also prevents companies from leveraging long-available industry resources that could drive enhanced OT cyber resilience almost overnight.
A broadened coverage discussion that includes OT asset owners would help encourage the adoption of proven cybersecurity frameworks geared specifically to the IT-OT environment. Meaningful compliance with those frameworks, in turn, could help companies reduce their full exposures in ways that make them more attractive cyber risks. The critical infrastructure community – with OT asset owners at the table – should lead a “get compliant, get secure, and get insurance” cybersecurity discussion with the insurance industry to enhance the security and integrity of their companies. In so doing, it could become a major influence in how cyber insurance develops next.
Among their latest tactics, cyber threat actors are increasingly exploiting cybersecurity gaps caused by the convergence of IT and OT networks.2 Growing numbers are successfully penetrating Supervisory Control and Data Acquisition (SCADA) and other industrial control systems (ICS), shutting them down, and holding operations hostage until victims make hefty ransom payments.3 The secret to this cyber threat actor success is straightforward. While IT and OT convergence provides tremendous benefits when it comes to efficiency and productivity, it also exposes critical infrastructure owners to much greater vulnerability absent appropriate assessment and remediation.4 Most decades-old SCADA and other ICS that enable comprise OT networks – now linked to the Internet for the first time – were not built with cybersecurity in mind.5
Enterprising threat actors know this and see the infiltration of IT and OT networks as an easy path to cause all manner of mayhem. That mayhem may include Distributed Denial of Service (DDoS) attacks and outright takeovers of unprotected systems that bring operations to a standstill.6 Threat actors likewise can remotely manipulate Industrial Internet of Things (IIoT) technologies to cause equipment malfunctions that result in serious property damage, bodily harm, and even environmental pollution.7 What makes each of these scenarios so pernicious is that threat actors often need only threaten harm to successfully extort money from target companies.
Given the incentives at play, critical infrastructure companies today are at significant risk of loss, with one recent survey estimating an IT and OT network breach rate of 80% (over two years) across multiple industry sectors.8 Industry experts have observed that the highly digitized and connected nature of these companies makes them “arguably now more at risk than at any point in living memory.”9
The recent SolarWinds Orion event serves as a powerful case in point. Risks to OT systems vary because cyber threat actors themselves vary. They come with different levels of sophistication, motivations, and resources. Every few years, however, the critical infrastructure community encounters a significant new event that underscores the vulnerability of the IT and OT digital assets they share in common. While not involving OT systems, the SolarWinds event nevertheless illustrates that a cyber incident need not be a “smash and grab” affair. On the contrary, a determined adversary can expend significant time and resources to plan and execute a systemic attack.10 In fact, well-organized threat actors often exploit weaknesses with the goal of quietly gaining information about a company’s operations that can be leveraged later. In addition, the SolarWinds event involved the targeting of widely deployed technologies used across many sectors - a deliberate strategy designed to lead to maximum damage.11 Going forward, all infrastructure sectors should recognize the potential impacts of motivated threat actors targeting OT environments and should evaluate and bolster their preparedness postures accordingly.
IT and enterprise systems are those devices that support business functions, email, billing and so forth. OT systems, by contrast, are those devices and systems such as SCADA and other ICS that conduct operational processes such as closing valves, pumping product, and sensing. Unlike IT systems, OT systems can vary in structure significantly. For example, an OT device may be a simple temperature sensor or, on the other end of the spectrum, a full Distributed Control System. Perhaps the largest difference between OT and IT systems, however, exists in criticality. While an unavailable enterprise system can cause significant inconvenience to a business, a cyber incident that halts the operation of an OT system can cause a far wider range of potentially severe consequences. Aside from the fact that a company’s operations may come to a standstill – leading to potentially millions of dollars in lost income over a very short period – a compromised OT system can result in safety, regulatory, and shareholder impacts. As a result, federal guidelines and industry standards place particular emphasis on defining and prioritizing the criticality of OT systems.
For decades, OT systems in critical infrastructure were afforded security through obscurity. These systems were both non-standard computing devices and non-networked. They accordingly were “safe” from most cyberattacks. With evolving and available technology, however, vendors and companies alike began to recognize the cost savings that could be had by moving data outside these localized devices and enabling their remote access and control. Vendors soon began shifting their offerings to more standard operating systems and applications – such as real-time data movement, mobility, and cloud – that today provide significant IT connectivity into core operational environments. Unfortunately, this combination of well-known technology and increased interconnection has resulted in an increased attack surface that cyber threat actors now target with regularity.
The cyber threat landscape, and by extension cyber risk, constantly evolves. It can be difficult to predict the capabilities and vectors of the next big threat. What is certain is that the increased use of standard operating systems and applications in the OT space creates more opportunities for the bad guys. Well-publicized IT threats can be leveraged against the OT environment. If networks are not correctly segregated, or if systems are left unpatched and unmaintained, OT systems are vulnerable to disruption, exploitation, and damage. The best defense is a well-developed perimeter protection, a secure network design, and protections against insider threats. Preparedness is key, both in technical controls and operations. Cyber insurance has an important role in that preparedness, especially when threats are unpredictable and potential consequences unknown.
How exactly can cyber insurance help advance the cybersecurity of a critical infrastructure owner’s IT-OT environment? As an initial matter, it’s important to emphasize that simply having a cyber insurance policy does not make a company safer. Instead, an enhanced cybersecurity posture results from going through the cyber insurance application and underwriting process. That process provides a huge opportunity for better cyber collaboration and, as a result, enhanced risk management. Stated another way, cyber insurance can bolster a critical infrastructure company’s cyber preparedness across the board in the face of unpredictable threats and unknown potential consequences.
To provide coverage, brokers and underwriters need information about an applicant’s cyber risk posture. Brokers seek that information to tell a client’s “story” to the market – specifically, how a client is addressing cyber risk, the lessons it’s learned, and how it’s applying those lessons. Stories that show steady risk management improvement over time help brokers make an effective case for coverage. For their part, underwriters take on all the risk. In other words, they’re the companies that pay out when a bad cyber day happens. Unsurprisingly, they want as much certainty as possible about an applicant’s cyber position before they issue a policy.
How does all this play out? As a company begins completing a cyber insurance application, it needs to come to consensus on several core questions:
As corporate leaders on both the IT and OT sides of the business collaborate on their answers, the criticality of certain assets becomes clear. Once that happens, the business case for protecting them – for the good of the entire company – becomes dramatically more persuasive. Funding is then more easily justified.
All these benefits result as a critical infrastructure company’s broker builds the company’s cybersecurity narrative. That narrative ultimately covers where its cybersecurity has been in the past, its current posture based on lessons learned, and where its cybersecurity program will go in the future to keep ahead of risk over time. Having that story down pat is a huge differentiator. It signals that an applicant is at a higher level of cyber maturity and is likely a safer cyber risk as a result of its assessments, awareness, and actions. The broker then brings that story to the insurance market, advocating on the applicant’s behalf for the best terms possible.
For their part, underwriters consider that narrative before asking their own sets of questions of applicants. While underwriters routinely pay out cyber insurance claims, they understandably want to limit losses whenever possible. Their questions accordingly often reflect very real losses that their existing clients have suffered. Put simply, they want to know what an applicant’s plan is to address particular threats and vulnerabilities of which they are acutely aware. The benefit to critical infrastructure companies is straightforward: underwriter questions provide essentially free insight into what types of incidents are actually happening to their peers and similar companies. Companies can then use that insight to update their own cyber strategies and fortify themselves accordingly – whether they buy a policy or not.
If a company does choose to buy a cyber insurance policy, these risk management benefits continue. Policies renew every 12 months, an annual process that typically requires an insured to answer new sets of questions that reflect the changing cyber risk landscape. This helps focus the company on any needed cybersecurity improvements that, if implemented, further bolsters its narrative to the market. In short, cyber insurance helps support a virtuous cycle of cybersecurity improvement that keeps up with the times.
Cyber insurance for critical infrastructure companies is available and expanding. While cyber coverage categories continue to evolve, the following baker’s dozen could be packaged together by an enterprising broker engaging several key markets. Each category responds directly to critical infrastructure losses of particular concern to companies:
Today, a growing number of critical infrastructure companies have begun purchasing cyber insurance to help address their OT-related cyber exposures. OT asset owners interviewed for this article reported that while they certainly are aware of cyber insurance, few had been engaged by their companies for input and collaboration. Instead, most advised that their executive management and IT team colleagues had primary responsibility for advancing that conversation. The exclusion of OT leaders from the discussion is not altogether surprising given the historical segregation of duties between IT and OT professionals, with cybersecurity traditionally seen as an “inside the fence” responsibility and physical plant operations – including control system security and maintenance – outside it. Given this cultural disconnect, and the missed opportunity it presents, OT asset owners must rise to the occasion. They expressed several common themes during our conversations:
While relatively new entrants to the market, critical infrastructure companies that bring OT asset owners into the conversation are in a powerful position to educate the insurance industry and shape coverage in ways that meet their specific OT cybersecurity needs. Cyber property damage and cyber bodily injury coverage, for example, are recent additions to policies but have not been informed by either the cyber risk management perspectives operators can offer or the “puzzle pieces” they can provide. Those puzzle pieces include proven cybersecurity standards and compliance practices that industry has designed to help prevent and/or minimize IT-OT cyber loss. They should directly inform cyber insurance underwriting.
Cybersecurity standards reflect the collective expertise of countless risk management and safety professionals. When implemented fully, they vastly improve a company’s ability to prevent, mitigate, and build resilience against a constant onslaught of damaging cyber and physical hazards. That’s why the Purdue Enterprise Reference Architecture (PERA) is so essential to the effective cyber risk management of converging IT and OT networks.12 Leveraged effectively, it could directly inform the insurance application and underwriting process and advance internal cyber risk investment strategies accordingly.
PERA provides a network design framework for compartmentalizing secure layers and a model for moving data across those layers. In existence since the 1990s, PERA has been accepted by both OT asset owners and vendors as the standard design for operational systems and networks. In a nutshell, it helps them speak the same language – ensuring that the application of security controls is done accurately and cost effectively. The model also provides for secure scalability, maintenance, and effective incident response.
Following the PERA model, the ISA/IEC 62443 standards address technical controls required to secure industrial automation and control systems in any industrial environment.13 The standards likewise define a model of “zones and conduits” and similarly implement compartmentalized security measures. They provide a baseline that empowers both asset owners and technology vendors to identify, prioritize, and mitigate IT-OT environment risks.
The widespread adoption by industry of both PERA and the ISA/IEC 62443 standards could enable an “apples to apples” security comparison of similarly situated critical infrastructure companies. This would help cyber insurance underwriters clarify which such companies are safer and “less safe” cyber risks. Brokers and underwriters accordingly might consider using PERA and these standards to develop a comprehensive and logical sequence of questions about the cybersecurity of OT-dependent companies. Over time, answers to those questions could clarify which specific security policies, procedures, and technologies provide consistent cyber risk prevention and mitigation value. That insight in turn could serve as an industry-informed baseline for OT cybersecurity that companies could be required to meet as a requirement for coverage.
Beyond PERA's benefits, compliance with Federal regulations, guidelines and industry-specific standards provides additional risk management value that can inform the underwriting process. OT cybersecurity regulations today are limited to the electric sector and to information handling in the transportation sector. Many industries nevertheless have access to variety of Federal guidelines tailored to their specific operating environments. In addition, many industry forums have developed security standards for their members. The American Petroleum Institute, for example, has developed security standards tailored to OT systems in the oil and natural gas space.14 These resources often include network design recommendations, detailed risk mitigations, and technical controls. In addition, they provide recommended recurring actions to maintain a secure posture that address training, assessments, patching, and security drills.
Finally, companies derive yet another benefit from meeting compliance obligations: the ability to demonstrate due diligence. Board members, shareholders, and consumers have an expectation that security, like safety, is addressed as part of a company’s daily operations. While taking security seriously minimizes risk and results in a good audit, it also illustrates that a company maintains good stewardship within the critical infrastructure community. This may put complying companies at a distinct competitive advantage over less secure peers. It likewise may put them in an enhanced position to obtain cyber insurance.
What’s the bottom line? When a critical infrastructure company sets standardized OT cybersecurity goals, it’s unnecessary to develop a security program from scratch. Numerous resources exist to provide tried and true approaches to preparedness, maintaining security, and incident response. By requiring them as a condition of coverage, underwriters could incentivize their adoption among critical infrastructure companies in every industry sector. In this way, cyber insurance could become a key contributing piece to an overall security program and preparedness approach.
Well-publicized cyber security events such as SolarWinds remind us that the cyber threat environment is constantly evolving. Those threats can impact IT, OT, or any digital networked asset. While protections are required everywhere, a distinction in criticality between IT and OT exists that is derived from potential business and safety consequences. Put simply, OT networks and systems require additional protections against cybersecurity threats. Key OT protections include a network design that implements PERA, comprehensive preparedness, and security maintenance. Similar to safety, security must be an inherent part of the OT environment. Federal guidelines and industry standards are an excellent place to start, particularly those tuned to mitigating the cyber vulnerabilities of specific sectors and operations. Insurance should be part of the total preparedness effort. By leveraging all these resources, critical infrastructure companies can follow a basic path of “get compliant, get secure, and get insurance” to boost their cyber risk postures.
A successful approach requires the appropriate expertise at the table when cyber insurance planning discussions occur. In that way, a clear picture of risks can be developed that includes identification of realistic operational impacts. Education across the board presents a big benefit. When it comes to coverage, it’s important to think beyond data privacy and ransomware. Policies increasingly address business interruption, cyber property damage, cyber bodily harm, and many other potential losses that are of paramount importance in the operational environment.
The critical infrastructure community today has a unique opportunity to define, and maximize, the mutual benefit of securing OT assets and obtaining well-fit cyber insurance policies. Operators should collaborate to better describe their defenses, exposures, and coverage needs to shape the next generation of policies for the benefit of their organizations.
Tom Finan is a Cyber Growth Leader with Willis Towers Watson, a cyber insurance broker that specializes in policy placement, advocacy, and cybersecurity consulting. Tom previously served as a Senior Cybersecurity Strategist with the U.S. Department of Homeland Security and a Subcommittee Staff Director and Counsel with the U.S. House of Representatives Committee on Homeland Security.
Annie McIntyre is the President of Ardua Strategies, an operational security consulting company focusing on critical infrastructure and energy. Annie previously served as Principal Member of Technical Staff and Project Manager at Sandia National Laboratories and as the Information Operations Laboratory Chief and Information Warfare Lead for Future Combat Systems Assessment at the U.S. Army Research Laboratory.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.
1 Zukis, B., 2020. Will SolarWinds Blow Cybersecurity Governance Reform Into the Boardroom? [online] Forbes. Available at https://www.forbes.com/sites/bobzukis/2020/12/19/its-a-twister-will-solarwinds-blow-cybersecurity-governance-reform-into-the-boardroom/?sh=47bd0bba6f47.
2 Low, J., 2020. Industrial Robots Are Dominating — But Are They Safe From Cyber-Attacks? [online] TechHQ. Available at: https://techhq.com/2020/08/industrial-robots-are-dominating-but-are-they-safe-from-cyber-attacks/; Thryft, A., 2020. Critical Infrastructure Cyber-Attacks On The Rise - EE Times Asia. [online] EE Times Asia. Available at: https://www.eetasia.com/critical-infrastructure-cyber-attacks-on-the-rise/.
3 Preminger, A., 2020. Combating the Rising Cyber Threat Against ICS. [online] Infosecurity Magazine. Available at: https://www.infosecurity-magazine.com/opinions/combating-threat-ics/; Williamson, J., 2020. Why Manufacturers Are A Particularly Juicy Target For Cyberattack. [online] The Manufacturer. Available at: https://www.themanufacturer.com/articles/why-manufacturers-are-a-particularly-juicy-target-for-cyberattack/; Crane, C., 2020. Recent Ransomware Attacks: Latest Ransomware Attack News in 2020. [online] Security Boulevard. Available at: https://securityboulevard.com/2020/08/recent-ransomware-attacks-latest-ransomware-attack-news-in-2020/; Ashford, W., 2017. Manufacturing A Key Target For Cyber Attacks. [online] ComputerWeekly.com. Available at: https://www.computerweekly.com/news/450424302/Manufacturing-a-key-target-for-cyber-attacks.
4 Maurya, R. OT Security Breaches Are Anything But Rare; Forde, M., 2019. 71% Of Manufacturers Employ IoT Despite Cyber Risks: PwC. [online] Supply Chain Dive. Available at: https://www.supplychaindive.com/news/manufacturers-iot-tech-projects-cyber-risk/567658/; Presti, K., 2020. Supply Chain Pivots Need To Start With Cybersecurity. [online] Manufacturing Business Technology. Available at: https://www.mbtmag.com/security/blog/21138223/supply-chain-pivots-need-to-start-with-cybersecurity.
5 Singh, S., 2020. Biggest threats to ICS/SCADA systems. [online] Infosec. Available at: https://resources.infosecinstitute.com/topic/biggest-threats-to-ics-scada-systems/; Edwards, M., 2020. Era of IT/OT Convergence has Shifted Realm of Risk for Military Ops, Says Navy CISO. [online]. Homeland Security Today. Available at https://www.hstoday.us/subject-matter-areas/infrastructure-security/era-of-it-ot-convergence-has-shifted-realm-of-risk-for-military-ops-says-navy-ciso/; Maurya, R. OT Security Breaches Are Anything But Rare; Ashford, W., Manufacturing A Key Target For Cyber Attacks; Presti, K., Supply Chain Pivots Need To Start With Cybersecurity.
6 Reilly, P., 2020. Five Steps to Secure Operational Technology in an Evolving Threat Landscape. JD Supra [online]. Available at https://www.jdsupra.com/legalnews/five-steps-to-secure-operational-33619/; Shaw, W., 2004. SCADA System Vulnerabilities to Cyber Attack. EE Online [online]. Available at: https://electricenergyonline.com/energy/magazine/181/article/SCADA-System-Vulnerabilities-to-Cyber-Attack.htm; Presti, K., Supply Chain Pivots Need To Start With Cybersecurity.
7 Sampson, M., 2020. Hackers can now unleash physical damages, personal injury [online]. NU PropertyCasulty360. Available at: https://www.propertycasualty360.com/2020/08/25/when-cyber-attacks-result-in-physical-damage-important-insurance-considerations-414-185793/?slreturn=20210008203856; MITRE, 2020. MITRE Release Framework for Cyber Attacks on Industrial Control Systems [online]. MITRE. Available at: https://www.businesswire.com/news/home/20200107006064/en/MITRE-Releases-Framework-for-Cyber-Attacks-on-Industrial-Control-Systems.
8 Maurya, R., 2020. OT Security Breaches Are Anything But Rare. [online] CIO &Leader. Available at: https://www.cioandleader.com/article/2020/05/26/ot-security-breaches-are-anything-rare#1.
9 Moy, R., 2020. Protecting critical infrastructure and distributed organizations in an era of chronic cybersecurity risk. Security Magazine [online]. Available at: https://www.securitymagazine.com/articles/93663-protecting-critical-infrastructure-and-distributed-organizations-in-an-era-of-chronic-cybersecurity-risk.
10 Zukis, B. Will SolarWinds Blow Cybersecurity Governance Reform Into the Boardroom?
11 FireEye, Dec 13, 2020. Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. [online] FireEye Threat Research. Available at: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
12 Williams, T., 1996. The Purdue Enterprise Reference Architecture and Methodology (PERA). [online] Purdue University. Available at: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.194.6112&rep=rep1&type=pdf.
13 International Society of Automation, 2018. New ISA/IEC 62443 standard specifies security capabilities for control system components. [online] InTech. Available at: https://www.isa.org/intech-home/2018/september-october/departments/new-standard-specifies-security-capabilities-for-c.
14 American Petroleum Institute, 2009. API 1164 Pipeline SCADA Security Version 2, API Standard.
