Canadian Underwriter

How cyberattacks can sabotage the plants of your industrial clients

February 27, 2018   by Jason Contant

Print this page

Industrial control systems (ICS) at manufacturing plants are perfect targets for cybercriminals because they are not designed with security in mind, Zurich Canada’s head of specialty products, Greg Irvine, said recently.

Speaking at NetDiligence’s Cyber Risk Summit in Toronto on Feb. 23, Irvine said that business interruption (BI) and contingent business interruption (CBI) related to cyber risks are his Number 1 concern in the manufacturing space. CBI reimburses lost profits and extra expenses resulting from business interruption at the premises of a customer or supplier.

One good risk management practice is to separate or isolate the ICS from the rest of the network, also known as “air gapping,” Irvine said. From an employer perspective, it would be ideal to monitor the inventory of connected devices within the ICS on the shop floor.

“It’s pretty easy now to install a wireless access point to be able to penetrate that system,” Irvine said during a panel discussion titled Sector Risk Round Robin, which discussed cyber risks related to manufacturing, healthcare, professional services and municipalities.

Also consider if a vendor or two has access to the ICS, as well as who in the company takes control for the ICS. “The weak point in your supply chain can happen anywhere,” Irvine said.

One major risk in the manufacturing space involves “criminals purporting to be vendors calling up and saying, ‘I want to change my payment,’” Irvine reported. “So, it’s not just wire transfers, there’s other ways.”

Traditionally, cyber insurance has focused on first-party notification losses, or the loss of personal information. But “that’s not a material exposure for a lot of our manufacturing companies,” Irvine said. While not specific to manufacturing, losses can be attributed to:

  • malware
  • DDoS attacks (distributed denial of service attacks, which describes an effort to make a website unavailable by overwhelming it with Internet traffic)
  • social engineering fraud (in which a person is tricked into revealing confidential information)
  • CEO impersonation fraud (a form of social engineering)
  • wire transfer fraud.

Although there may not be a large frequency of cyber loss in the industrial space, there have been global cyberattacks involving property damage. In 2014, cybercriminals hacked into the office software network of a German steel mill and eventually took over most of the plant’s control systems, where they “methodically destroyed human interaction components.” They succeeded in preventing a blast furnace from initiating its security settings in time and caused serious damage to infrastructure.

Years earlier, in 2001, an Australian man hacked into a waste management system, deliberately spilling millions of litres of raw sewage.

Typically though, manufacturing losses don’t grab headlines or involve big class action lawsuits or the release of personally identifiable information. “The losses haven’t been sexy,” Irvine said.