Physical cyber risk in a changing geopolitical landscape

Cybersecurity is now at the top of the agenda for businesses, with physical cyber risk an important aspect of the risk landscape, according to Lloyd’s.

In the latest Lloyd’s Futureset report, the market notes that in recent years, malware and ransomware attacks have been causing severe disruption for global businesses and their supply chains – and increased scrutiny of the mitigation strategies and insurance coverage of those businesses. 

Those trends, it adds, have been underlined by the COVID-19 pandemic and the rise in criminal ransomware activity it triggered; alongside the changing geopolitical landscape in the wake of Russia’s invasion of Ukraine. Thankfully, the world is yet to experience a truly catastrophic cyber physical attack. But the potential impacts of such an attack could be significant, crippling entire systems and societies. 

Data integrity

For the most part, says Lloyd’s, cyber-attacks target the availability, confidentiality or integrity of data – rather than causing operational, environmental or material damage. In some cases, however, the disruption that follows cyber-attacks can have a destructive impact on the physical world. This is a growing threat, with attacks targeting critical infrastructure rising from less than 10 in 2013 to almost 400 in 2020.1 As well as the increase in frequency, the complexity of attacks are evolving, from simply targeting short-term disruption to compromising assets or processes with the intent to cause physical harm or loss of life. 

Scenario planning

In this context: an effective cybersecurity strategy is paramount, the report suggests:

“With a risk as complex as cyber – encompassing a huge range of possibilities and uncertainties – one useful tool for risk managers can be scenario planning. This report outlines three hypothetical, but plausible scenarios (summarised below) involving politically motivated cyber-attacks intended to cause physical damage. The analysis includes the potential impacts on businesses and the insurance industry.”

1. Asymmetric Attack Exchange: A rudimentary cyber power sponsors non-state ransomware attacks by cybercriminals targeting another nation’s critical infrastructure 

2. Offensive Cyber Retaliation: Regional tensions over nuclear development programmes spill over into cyber-physical sabotage of critical infrastructure 

3. Symmetric Attack Exchange: Two sophisticated cyber powers engage in an escalation of destructive cyber-attacks on critical infrastructure 

While geopolitical interests to date have broadly deterred actors from using their advanced cyber capabilities – as the scenarios developed in this report demonstrate, circumstances can quickly escalate; and the anonymous nature of cyber-attacks could allow states and other geopolitical players to deploy espionage, retribution, and attacks with broad plausible deniability. Placed in a climate of increased tension, the risk of a major cyber-attack affecting physical systems, national infrastructure and the global economy becomes far more likely. 

Virtual attacks

This report provides a qualitative assessment of the risks to businesses and national economies from ‘cyber physical’ – virtual attacks triggering material impacts – and highlights the role insurance can play in building resilience against these threats. 

It highlights how cyber physical represents an under-utilised opportunity for insurers to extend the protection they offer businesses, and thus society, through the products and services they provide. This opportunity is not without its challenges, and more research is needed to understand potential losses and likelihoods; but what the scenarios make clear is that those with effective cyber strategies and scenarios in place will be best equipped to face the unique challenges of this emerging and potentially debilitating risk. 

In order to create physical damage or bodily injury, the report suggests that targeted systems must already feature embedded fuel or energy sources which can be tapped into from digital systems to inflict damage. Examples of energy sources that could be targeted include: 

1. Lithium-ion batteries 

Batteries in laptop computers, mobile phones, game consoles, power tools, electric vehicles and specific aerospace equipment are a possible power source for attackers. Through 2016 and 2017, Samsung issued a massive recall on the Galaxy Note 7 after a manufacturing defect caused thermal runaway in the devices’ lithium batteries, posing a potential fire risk. Attackers might be able to deliberately duplicate similar effects in widely used devices using malicious software updates to exploit battery management systems. Most fire safety and retardation systems are ineffective against lithium fires, meaning blazes could spread and cause significant damage.

2. Fuel for boilers 

Combustion fuel for boilers and heating systems stored on-site could be weaponised by attackers exploiting digital building management systems. Attackers may be able create concentrations of fuel in enclosed systems by manipulating these fuel sources. If ignited, this accumulated fuel could rapidly cause a major fire risk with the potential for explosions. 

3. Machinery energy 

Attacks on industrial machinery, power plants, production lines, furnaces, centrifuges,
turbines, generators or transformers could see the internal momentum or heating of a machine compromised in order to cause a fire, explosion, or collision. The pivotal German steel mill attack of 2014 and the Stuxnet worm which affected nuclear processing facilities in Iran in 2010 are alarming examples of industrial machinery systems being accessed via production software or other malware and exploited in order to cause massive damage to the facility. 

This is an abridged version of the report, Shifting powers: Physical cyber risk in a changing geopolitical landscape. To access the full report, click here.

For the most part, says Lloyd’s, cyber-attacks target the availability, confidentiality or integrity of data – rather than causing operational, environmental or material damage. In some cases, however, the disruption that follows cyber-attacks can have a destructive impact on the physical world.