This past October was the country’s first National Cyber Security Awareness Month, and that makes it an appropriate time to touch on a very troubling first-party exposure. Every day brings news of massive cyber attacks on retailers, financial institutions, and hospitals and healthcare companies, with the aim of stealing digital assets such as Personally Identifiable Information (PII). What has received far, far less attention, however, is the prospect of a cyber attack designed to escape the virtual world in order to do physical damage to tangible property in the real one.
The ultimate risk is enormous. Computerized industrial control systems run the world’s financial institutions, its manufacturing and chemical facilities, its transportation systems, and its energy infrastructure, including the electrical grid and power and water treatment plants. These control systems are composed of devices such as programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) equipment that were originally designed to be open systems, which is to say systems focused on interoperability and ease of communication and repair. Security was a secondary consideration at best. If hijacked by a piece of malware, such systems could cause property damage and business interruption loss on a literally catastrophic scale.
With two exceptions, to date there have been no known cyber attacks of a serious nature that led to damage or destruction to physical facilities. It is only a matter of time, however. The most recent report of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) states that 53% of the incidents that it now responds to are directed at the energy sector and 17% at manufacturing.
Dubbed the world’s first digital weapon, Stuxnet was a piece of malware designed by the Israelis and the Americans to attack Iran’s nuclear program. The target was the country’s uranium enrichment facility at Natanz. The plant used interconnected banks or “cascades” of centrifuges to separate out the isotope Uranium-235 for use in making nuclear fuel and potentially nuclear weapons as well. An early version of Stuxnet struck Natanz in early 2008, and a much more sophisticated version struck again in June of 2009. Iran did not succeed in identifying the problem and purging the malware from its systems until 2010.
The PLCs at Natanz were manufactured by Siemens AG, and Stuxnet was based on Siemens’ Step 7 software that was used to run the devices. The perpetrators hacked into the computer systems of five companies that provided industrial control systems believed to be connected with Iran’s nuclear program, and the malware spread from their systems to computers at Natanz. The centrifuges’ PLCs were “air gapped” from the rest of the computers at the facility, but Stuxnet was cleverly designed with the ability to spread via employees’ USB flash drives, and it eventually found its way to its target.
Stuxnet then instructed the PLCs to cause an uncontrolled increase in the centrifuges’ speed, and the devices literally tore themselves apart. It is reported to have ultimately destroyed 20% of Iran’s centrifuges.
In December 2014, Germany’s Federal Office for Information Security (the Bundesamt für Sicherheit in der Informationstechnik, or BSI) reported that a steel mill had suffered “massive” damage when malware prevented the proper shutdown of a blast furnace. The mill was unnamed, but industry sources later identified it as a ThyssenKrupp AG facility. The hackers gained access by “spear phishing” – sending e-mails that appear to be from a trusted source but infect computers when opened – employees of ThyssenKrupp’s business partners, and the malware then spread to ThyssenKrupp itself and eventually to the controllers on its production line.
Unlike Stuxnet, whose purpose was clear, the steel mill attack left the hackers’ motives unknown – it is unclear whether the damage was intentional or merely “collateral damage” when malware designed for some other purpose inadvertently interfered with the plant’s industrial control systems.
Coverage – Cyber Policies
The cyber insurance policies that retailers and financial institutions have been turning to after the theft of PII do not cover property damage or the business interruption loss resulting from such damage. They were written solely to afford first-party coverage for the loss of digital assets from privacy and data breaches and third-party coverage for the liability exposures growing from such a loss. Thus they are limited to expenses related to breach remediation (investigation and restoration of data), event management (public relations, notification, and credit-monitoring), and defense and indemnification costs associated with the breach.
Coverage – Traditional Property Policies
No claims for such loss have been made to date, and the extent to which traditional first-party property policies afford coverage for property damage from a cyber attack is, therefore, an “undiscovered country” at this time. There is no jurisprudence whatsoever.
There may well be a good deal of such coverage, although it is almost certain that the potential exposure never occurred to the underwriter when he or she was rating and pricing the risk. Many first-party contracts of insurance exclude computer-related losses, which are defined as losses to computer hardware, software, operating systems, networks, microprocessors, or other equipment or components together with any other product or service that directly or indirectly relies on such devices. Such exclusions frequently have an exception for ensuing loss from an otherwise covered peril such as fire or explosion, however.
The Terrorism Risk Insurance Act (TRIA), passed shortly after the September 11th attacks, requires that insurers make coverage for terrorism available to their commercial policyholders. The rub here lies in how the peril is defined by the policy language affording the coverage. TRIA itself defines an “act of terrorism” as one that: (1) is dangerous to human life, property, or infrastructure; (2) results in damage within the United States; and (3) was committed as part of an effort to coerce American civilians or to influence either the policy or the conduct of the United States government through coercion. That is, in some ways, a strikingly narrow definition because it arguably excludes an attack whose sole motivation was to disrupt the business operations of a single concern. In addition, as at ThyssenKrupp, it may well be completely impossible to determine the motivation behind the attack, or even to determine whether any kind of attack leading to physical damage was intended at all, making it difficult to invoke terrorism coverage.
In addition, many policies issued in Europe or to energy sector companies here in the States incorporate express exclusions written to bar coverage for property damage from a cyber event. The best known is the Institute Cyber Attack Exclusion Clause (CL 380), which recites that “in no case shall this insurance cover loss damage liability or expense directly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus, or process or any electronic system.” Other insurers employ the Electronic Data Exclusion (NMA 2914), which bars coverage for “loss, damage, destruction, distortion, erasure, corruption or alteration of Electronic Data from any cause whatsoever (including but not limited to Computer Virus) or loss of use, reduction in functionality, cost, expense of whatsoever nature resulting therefrom,” but then restores coverage if a fire or explosion is “directly caused by such listed peril.”
Coverage – New Products
Nature abhors a vacuum, and insurers have now begun stepping forward with policies specifically intended to cover the property damage and associated business interruption loss caused by a cyber attack. These usually sit above or wrap around existing property policies on an excess or difference in conditions (DIC) basis, stepping down to fill gaps in coverage to the extent that the rest of the policyholder’s insurance program does not respond for property damage from a cyber event. Thus AIG has CyberEdge, with limits of up to $100 million. AEGIS Insurance Services also offers such coverage, and Brit PLC sells a stand-alone policy backed by a consortium with $350 million of capacity. Zurich and Munich Re are reportedly considering entering that market as well. The take-up rate is minuscule to date, however, and – as with traditional first-party contracts of insurance – the coverages afforded by such products are wholly untested by the courts or by policyholders’ counsel.