Mitigating Physical Losses From Cyber Attacks

Conversations about cyber risk do not often cover sinking container ships or malfunctioning cranes. They tend to focus on digital processes and data assets, and potential physical losses are often an afterthought.

But as companies and commercial machinery become more reliant on interconnected systems, there is a growing exposure to physical losses.

Understanding these evolving exposures and incorporating them into cyber risk assessment and management programs will enable companies to improve their risk profile and build resilience into their business.

Industrial control systems

Industrial control systems operate virtually every piece of plant, machinery and commercial equipment, but they were not designed with security in mind or for today's digital environment.

Built as closed systems, they have increasingly become connected to corporate networks. Hackers that gain access to the corporate network can then find their way into the industrial control systems, giving them free reign over the machinery.

This is true of anything from sprinklers and air-conditioning systems to industrial turbines and blast furnaces. Once hackers have access to the industrial control system, they can direct equipment to their own ends and create catastrophic physical damage.

Previous and possible physical losses

It is almost 10 years since the malicious computer worm Stuxnet was discovered. Introduced manually via a USB, Stuxnet altered the speed at which centrifuges were spinning at Iran's Natanz nuclear plant, with reports suggesting about one-fifth (1,000) were subsequently decommissioned.

In 2014, a steel mill in Germany sustained extensive damage after hackers breached the plant's computer network via a spear phishing email, infiltrating the industrial control systems that operated the machinery. The attack compromised the system so that a blast furnace could not be shut down, causing significant damage to the premises.

The scope for physical losses from cyber attacks is immense and although market commentary often focuses on the risks faced by the heavy industry and power sectors, companies in every market should assess and quantify their exposures.

For example, hackers could capsize a container ship by mimicking the Hoegh Osaka incident.¹ The ship's ballast tanks were not properly matched to the weight and distribution of its cargo, destabilizing the ship and resulting in it listing and then toppling over onto a sandbank.

By accessing a ship's network and its ballast control systems, hackers could pump ballast from one side to the other, intentionally making it list. If this were not enough to capsize it, hackers could override the steering and roll the ship over by turning it in the same direction as it is listing.²

Back on land, researchers from an IT infrastructure and security firm have shown just how easy it is to hijack a construction site plant and its equipment.³

Working with construction site owners, they targeted cranes and were able to control the plant using radio frequency (RF) remote controllers. They were even able to override emergency stop commands issued by the owners as part of the tests.

Highlighting the underlying vulnerability of industrial control systems, the research written up after these practical tests stated: "The core of the problem lies in how instead of depending on wireless, standard technologies, these industrial remote controllers rely on proprietary RF protocols, which are decades old and are primarily focused on safety at the expense of security."

Risk assessment and management

Companies cannot lose focus on the potential for cyber attacks to disrupt their digital procedures or compromise their data. The challenge is to maintain security in these areas, while also improving protection against cyber-borne physical losses.

Cyber is not a standalone risk that IT departments can manage alone. It is an enterprise risk that can impact every aspect of operations.

To assess cyber exposures properly, companies should first review their physical security and restrict unauthorized access to workstations, laptops, and company networks. It sounds obvious, but research shows that 11% of cyber attacks involve physical actions, such as stealing a tablet,⁴ to gain access to corporate networks.

The second pillar in a robust cyber risk assessment is a full survey and analysis of the risk to data, software and intellectual property. This is where the most effort has been invested in recent years and it remains of central importance.

The final pillar, and the one most relevant to preventing physical losses, is reviewing industrial control and building automation systems. These systems were not designed with security in mind and hackers can use their inherent vulnerabilities to generate significant physical losses.

Companies that take this more rounded approach to assessing, quantifying and mitigating their cyber exposures will build resilience into their operations and reduce the chance of becoming a target.

Those that focus purely on the digital aspect of their cyber exposure may invite unwanted attention and find themselves ill-equipped when it comes.

[1] BBC, Hoegh Osaka ship was 'unstable' when it left Southampton port

[2] Pen Test Partners, Sinking a Ship and Hiding the Evidence

[3] Trend Micro, Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations

[4] Verizon, 2018 Data Breach Investigations Report

Learn more about FM Global’s Cyber Resilience Solutions

Related content:

Cyber Risks: Understanding the Motivation

Mutuality Best for Cyber Risk

Seeking Cyber Attack Sanctuary

Recover from Cyber Loss