CCIS graduate, Jim Venezia, explains the current state of insurance with respect to the growing concerns surrounding cyber risk in Operational Technology.
Back in 2011, I had the opportunity to visit a client’s facility for water use and re-use operations. Without going into too many technical specifics, the facility collects leachate from dump sites, treats it with a bacterial mixture, and returns treated groundwater to the land. Maintaining a specific concentration of bacteria in the treatment tanks is crucial to the facility’s functionality. A failure in the control machinery and related computer control systems could render the facility inoperable and cause substantial financial loss.
We considered the primary cyber risks to be addressed and concluded that the availability of remote access to monitor control systems, the client’s technology services and products were of key importance. In this case, a technology errors and omissions coverage part was added to the contractor’s professional liability insurance policy to cover network security liability. Unusually, there was also an additional modification made to the coverage, which included full limits for bodily injury and property damage for technology services. A great deal has changed with regard to technology and cyber risk, yet the coverage remains in force in 2023. What do cyber insurance professionals need to understand about today’s cyber risk in operational technology?
What Is Operational Technology?
Operational Technology (OT) is the management of machines used in heavy industries like production line management, mining operations, oil & gas monitoring, and other similar activities, as well as manufacturing process control systems and building systems.
IT deals with the management of digital information, hardware, software, and communications technologies that focus on data storage, manipulation and decision making, recovery, transmission, and protection. Companies often use both IT and OT infrastructures in their day-to-day business operations, with IT used in offices, while OT is used in manufacturing zones, treatment facilities, utilities and real estate campuses. In the past, there was no need for OT cybersecurity because OT systems operated offline, but with more smart OT infrastructures connected to the internet, there is a growing need for OT cybersecurity.
As threat actors increasingly target OT networks, they are developing more sophisticated and destructive attacks specifically targeted at OT. The Colonial Pipeline attack is an example of a hybrid attack, where a ransomware attack on IT infrastructure forced the total shutdown of OT and an entire fuel distribution pipeline, which threatened gasoline and jet fuel distribution across the US east coast.
Why OT Is The Wild Wild West
I asked a group of technology professionals and educators, which included the former CISO of a Fortune Global 500 company, about the challenges facing CISOs in cataloging operational technology (OT) assets.
I found that many CISOs experience some pushback from engineering teams when it comes to managing cyber risk for OT, with many struggling to see OT as a significant exposure. It appears that this attitude can often lead to friction between shop-floor engineers and CISOs. But there’s another difficulty: OT often runs on outdated operating systems that frequently cannot be configured to meet today’s minimum cyber hygiene benchmarks. The impression I have, therefore, is that many CISOs, particularly those in SMEs, lack the resources to effectively address OT exposures, which can create critical gaps in an entity’s cyber security and business continuity programs.
From an organizational standpoint, more needs to be done to improve communication between diverse parties and skill sets (technology, engineering, finance) and to develop a more complete cyber risk insurance program; this goes well beyond a standalone cyber insurance policy. In terms of the diverse parties, the Human Resources Department also cannot be overlooked; many exposures to operational technology risk will result from physical access to such systems by insiders who may manipulate programs or introduce malware via a portable device.
The Cyber Insurance Market Has Struggled to Address Operational Technology Risk In Its Policies
Insurers who fail to conduct effective underwriting and collaborate with their clients may be unexpectedly exposed to operational technology (OT) cyber risks. Similarly, insured individuals or companies may find themselves in a difficult situation without proper support. In response, several insurers have introduced operational technology supplemental applications or added OT underwriting questions to their ransomware supplemental application. These measures have become increasingly crucial as cyber insurers now consider operational technology (OT) as part of the definition of computer systems. As a result, they provide coverage for certain cyber event consequences, including business interruption.
But there are some discrepancies between the practicalities of OT management and underwriting cyber policies. The challenge with managing cybersecurity for Operational Technology (OT) lies in the fact that physical systems and structures are built to last for decades and are therefore unable to keep pace with the rapid changes in software.
For example, it is not possible to shut down Operational Technology at will to install security updates or update software. This inability to easily update control systems with newer operating systems creates a vulnerability with end-of-life software, which can pose problems when answering questions on cyber insurance applications. These applications are designed to address current and evolving information technology risks. Moreover, some cyber insurance policies may include patch cadence endorsements – failure to comply with these requirements may result in a reduction in coverage limits.
Confirmation of MFA on cyber insurance applications or supplements can also pose challenges as MFA is rarely used in the context of OT. Historically, these devices have had limited capabilities and lack tools such as EDR and anti-virus, making them more vulnerable to cyber threats.
Tweaking OT Coverage: What Needs To Change?
Physical Damage & Bodily Injury
The cyber insurance industry faces a significant gap in coverage for physical damage and bodily injury resulting from an OT-related cyber event. This issue is compounded by the need to protect physical equipment, including – and especially – that which can be manipulated and damaged by exploiting Operational Technology. Indeed, malware was 81% more capable of causing disruption to industrial control systems in 2022 (up from 79% in 2021).
I have been involved in two claims in the past 12 months that highlight the importance of protecting physical equipment: the first claim involved a control panel catching on fire, costing an additional $100,000 per month over a 6-month build time; the second claim concerns a damaged generator, which will take 52 weeks to replace and will result in an additional loss of $6,000 per month. Although these were non-cyber claims, the significant financial impact of equipment damage and failure demonstrates why the risk of these happening through OT exploitation should be an important cyber underwriting consideration – awareness is improving but more conversation and collaboration are necessary.
Assessing your insureds – questions to consider:
- Who is managing this exposure at organizations utilizing operational technology?
- In cataloging OT, has consideration been given to the replacement timeline of the equipment and/or control systems and panels?
- What is the organization doing to manage insider risk?
- Has the organization explored the use of employee assistance programs as a conduit to improve employee mental and physical health while creating a positive workplace culture?
- Does the organization use online tools to gauge its culture vs competition to ensure or seek opportunities to improve employee engagement?
Issues With Coverage Overlap
Underwriters may find OT cyber risk crossing the line beyond cyber insurance and into other insurance policies. Consider a manufacturer of remote-controlled mobile battery systems used to provide support for fluctuations in energy levels on the power grid. Let’s say that such systems rely on liquid cooling to prevent them from overheating. What if a system falls under a malware attack that shuts off the cooling mechanism and starts a fire? We could be looking at property damage to surrounding infrastructure as well as pollution damage, and this in turn triggers questions around product liability and product pollution exposure. For this reason, underwriting for OT must begin with a deeper understanding of the insured’s business operations, its control systems, and the cyber security considerations built in from the ground up.
Applicable insurance coverage in this scenario would involve a blended environmental product including products liability coverage and products pollution coverage. Where coverage is written on a surplus lines basis, I would suggest using language that explicitly and affirmatively grants coverage for physical damage and bodily injury. In some jurisdictions this may involve having the ISO CGL electronic data endorsement removed to improve coverage clarity.
Assessing your insureds – questions to consider:
- Is the construction and assembly of the control panels done by the insured or by a subcontractor?
- Is the system the insured’s design or is the insured licensing the design from another party?
- Does the client have a team of programmers or is the programming sub-contracted?
- Has the operating software been designed from the ground up with security being a key consideration?
- Is the control system accessible online and/or by a hardware interface?
- What failsafe is built into the system?
- Are battery systems built with best-in-class technology and have they received safety certifications from key safety testing organizations?
The increasing use of OT has made various systems, infrastructure and equipment vulnerable to cyber attacks, but CISOs are struggling to maintain high standards of cyber hygiene in the face of internal communication and reporting issues and outdated Operating Systems. The cyber insurance market has also struggled to address OT cyber risk in its policies, although some market leaders have begun to introduce supplemental questionnaires and OT underwriting questions in their ransomware supplemental applications. More needs to be done to improve communication both along the policy value chain, and internally within insured organizations, to develop a more complete cyber risk insurance program, which goes beyond a standalone cyber insurance policy, to mitigate the cyber risks associated with OT.
James J Venezia is a CCIS graduate and President of Animal Genius Sage, LLC.