OT cyber insurance insights
- As the risk of cyberattacks on operational technology (OT) systems grows, so does the cost of OT cyber insurance.
- Organizations can manage the rising cost of OT cyber insurance by implementing effective cybersecurity measures.
- A proactive approach to cybersecurity not only reduces the likelihood of successful cyber attacks, but it also demonstrates to insurers that an organization is taking steps to mitigate risk.
Cybersecurity insurance is an increasingly important weapon in the risk management arsenal of today’s enterprises. Unknown just a decade ago, these popular policies now offer organizations a crucial hedge against risks that defy routine assessment, planning and mitigation tactics. However, OT cyber insurance costs are rising.
Even the most diligent risk registers typically fail to account for devastating events like the recent exploitation of Microsoft Exchange on-premises products, or the sweeping compromise of 18,000 SolarWinds customers. The explosive growth of ransomware, along with sophisticated, well-funded attacks leveraging critical zero-day exploits, has made insurance a must-have element of any mature cyber risk management strategy.
The oft-forgotten element in such cybersecurity coverage, however, is operational technology (OT). Even as threats to critical control systems grow exponentially, cyber insurance underwriters have been slow to update rating tables to incorporate growing cyber-physical risks. Organizations, likewise, often fail to adequately account for OT/industrial control system (ICS) risks and basic controls in their overall assessment strategies.
As the world becomes an increasingly dangerous place, particularly for organizations with a mix of IT and OT/ICS environments to protect, cyber insurance premiums are spiking and the qualifications for comprehensive policies are getting more rigorous, at a time when enterprises need quality coverage more than ever.
OT cyber insurance coverage costs on the rise
For the past decade, the cybersecurity insurance market matured slowly. Costs remained low thanks to a growing pool of buyers and limited historical claims data. Over the past three years, however, premiums rose significantly in lockstep with the number of claims being filed and the magnitude of the losses. According to the Council of Insurance Agents & Brokers, cybersecurity insurance rates have increased by 25% or more in each of the last quarters, and coverage limits have decreased from $10M to about $5M in 2021.
Claims, particularly those due to ransomware and related business interruption costs, are driving the spike in premiums. Insurers now limit coverage specifically for ransomware to control their losses, which total more than $20 billion in ransomware claims to date. Overall, Marsh McLennan estimates cybercrime costs will top $10.5 trillion by 2025.
In a recent report from the Institute for Security and Technology, Coalition, a cyber insurance firm, said ransomware attacks now account for most cybersecurity insurance claims. In the first half of 2020, Coalition saw a 260% increase in ransomware attacks among its policyholders, with the average ransom demand rising 47% to an average of $338,669. Elsewhere in the report, ransomware incident response specialist Coveware reported average downtime due to ransomware now tops 21 days.
Attacks on OT highlight cyber-physical risks
This growth in ransomware is a real threat to OT systems. The 2017 WannaCry/NotPetya event that impacted Merck, Mondelez, Maersk and others was an expensive warning shot across the bow: it cost companies like Merck almost $1 billion and racked up insured losses of some $3.6 billion on both affirmative and non-affirmative (silent) covers globally.
In 2021, manufacturing became the number one targeted industry, up from second in 2020 and eighth in 2019. Attackers have discovered the profit potential of locking up manufacturing systems. Recent attacks show in stark relief the plant-days the industry has lost to the scourge of ransomware.
Ransomware attacks are even more costly in industrial control systems, where the price of not paying is lost production plus the additional expense of rebuilding or acquiring new systems, and where, as is often the case, recovery after payment is not 100% effective. The increasing ransomware costs during 2020 correlate with the increased number of cyberattacks on manufacturing and industrial systems.
But the financial impact doesn’t just affect the company. In the case of Colonial Pipeline, not only did they lose $4M to a ransomware payment, but the wider economic impact also cost $2-3B. Another question that arises is: what if Colonial Pipeline were a vendor of yours? Would you be covered?
The insurance risks from OT cyberattacks don’t stop with ransomware. Cyber-physical systems carry the unique added risks of damage to the physical plant and threats to personnel safety.
“The potential for physical perils represents a major turning point for the broader cyber (re)insurance ecosystem,” a recent Lloyd’s insurance report on OT threats warns. “This risk has previously been considered unlikely to generate insured losses with cyber perils traditionally emerging in the form of non-physical losses. However, as bridges are being built between IT and OT and there is increased automation and greater sophistication of threat actors seeking new avenues to create disruption, incidents are increasingly likely.”
The growing recognition of the combined risks from ransomware and cyber-physical impacts is driving increased rates for operators of industrial control systems. And as discussed in our recent 2021 ICS vulnerability report, the risks and threats are only increasing.
Safeguards against ransomware
Cyber insurance providers and their policy holders must work together to ensure continued cost-effective coverage for cyber-physical systems and the attendant risks. Key action items include:
Determining potential threats from OT cyber risks
Policy holders generally miscalculate potential impacts from cyber threats to their cyber-physical systems. Insurers may have provided “silent risk” coverage without understanding their real exposure. Both sides need to better understand risks from an OT attack. This requires an assessment of the security maturity of the environment as well as the potential threat vectors and impacts from different scenarios. Such an assessment requires a deep view of assets, networks, policies and procedures, then mapping those vulnerabilities to impacts, both financial and physical.
Developing and monitoring clear OT cybersecurity baseline requirements
Baseline requirements are becoming standard for IT security. In the past, some cybersecurity insurers viewed a lack of security baseline requirements as a selling point. However, the rapid rise in claims is causing a shake-out of those providers. More mature insurance providers typically require clients to adhere to strong baseline security practices, which can significantly reduce the disruption caused by a ransomware attack.
However, in OT, these cyber baselines are much less clear. While general guidance and more specific OT frameworks like IEC 62443 do exist, insurers and insureds will need to adjust the baselines to address the unique devices, processes, and risks posed by OT systems.
Taking a more proactive approach to OT systems management (OTSM)
Most OT networks are not “managed” today. They run legacy operating systems, patches are often not deployed, and backups may or may not be effective. Formal OTSM is necessary to maintain baseline requirements for an efficient cybersecurity insurance market. Broad adoption of OTSM requires a fundamental shift in the mindset of IT-OT leadership, however. New tools, skills and procedures will all be necessary.
Gathering key data into an OT cybersecurity platform
A comprehensive security platform aggregates the reporting on baseline requirements in a way that provides visibility into ongoing risks. It’s insufficient to simply monitor network anomalies or have plant-level information stuck in local databases. Centralizing OT data into a platform that provides management visibility into risk profiles is a game changer. This management console enables insureds to make the right trade-offs for insurance coverage. Similarly, it provides insurers a way of pricing risk effectively. Certain insurers may even offer discounts for more mature security environments that can be confirmed via such platforms.
“As part of a risk mitigation strategy, syndicates need to monitor the correlation potential for risks stemming from attacks bridging the IT/OT gap,” The Lloyd’s report states. “In practice, syndicates can improve awareness by building a technology inventory for their insureds. This might include identifying leading PLC components and investigating the use of common industrial OT and IoT assets.
“It is very important for syndicates to focus on procedures as well as components,” the report adds. “This should encompass the extent of air-gapping between IT and OT systems, the nature of risk management protocols such as automated patch updates, and the presence of known industrial component vulnerabilities.”
Insurance as part of your OT cybersecurity strategy
As we think about protecting our OT environments, there are many layers of protection we can put in place to stop threats (training, detection, disaster recovery, etc.). But as prepared as we can be, cybersecurity insurance covers financial losses should we fail to stop cyber-related events.
Insurance spending by industrial organizations is expected to increase significantly. In the industrial segments, it is about a million-dollar industry and is expected to grow annually by 16% over the next decade (according to Guidehouse).
But with increasing coverage comes many challenges/limitations with policies:
- Silent cyber – Is cyber covered in traditional property and loss insurance? Some policies exclude cyber as it was not initially intended to be covered.
- OT excluded – As seen with recent attacks on Colonial Pipeline, Maersk and Merck, awareness has raised the risks of industrial environments and insurers are requiring control systems to be covered separately.
- Acts of war – Limits liability arising from any state-backed cyber attacks (e.g. Mondelez), but who or what determines what qualifies as an “act of war”?
- Physical damage – Is the cybersecurity insurance responsible for a physical event (e.g. a plant explodes, a wind turbine is destroyed)?
- Lost profits from outages
- Impact of third-party supply chain incident
While the cost of insurance is rising and the challenges for obtaining complete OT cyber insurance coverage are increasing, it would benefit industrial organizations to find ways to improve security controls in the protection of their OT environments. Many cybersecurity standards now include insurance as part of their required safeguards. So what requirements do we need to achieve to ensure coverage?
Examples of OT supplementary insurance application elements:
- Do you maintain a complete and up-to-date, centrally-held asset inventory of all OT assets and their software/firmware?
- Do you have a defined process for identifying OT devices with critical cybersecurity vulnerabilities and patching or updating those devices? Do you have devices that the OEM considers “end of life” in your environment? For those that can’t be patched, please describe the other compensating controls in place.
- Is OT segmented from the Internet AND is OT segmented inside the perimeter? If so, how?
- Do you permit A) employees or B) third parties to remotely access your OT systems? And if so, what security controls are in place? (MFA, monitoring, separate accounts)
- How do you assess and monitor security in your OT environment? Describe all that apply: A) risk assessments, B) penetration testing, C) IDPS, D) endpoint protection and response or endpoint protection on specific assets
- Do you conduct backups on a monthly basis (at minimum)? Do those backups include: A) non-Windows configurations, B) offline copies, C) at least annual recovery testing, D) disaster recovery plans?
- Do you employ individuals dedicated to OT security, and is there a specific budget for OT security?
- In the last two years, have you conducted OT cybersecurity tabletop exercises, and did they include ransomware?
- Do you maintain OT-specific cybersecurity policies and procedures?
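Several of the application items above (asset inventory, end-of-life devices, unmitigated critical vulnerabilities, segmentation, remote access with MFA, backup recency) can be answered mechanically once OT asset data is centralized, which is the point made earlier about gathering key data into a platform. The following is an added example, not code from Verve Industrial or from any insurer: it evaluates a constructed, hypothetical asset inventory against those items and maps the findings onto yes/no questionnaire answers. The `OtAsset` and `Segmentation` data model, the zone names and the 31-day backup threshold are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical asset record; a real platform would populate this from discovery data.
@dataclass
class OtAsset:
    name: str
    zone: str                                   # network zone the asset sits in
    os: str
    eol: bool                                   # OEM has declared the device end of life
    unpatched_critical: int                     # known critical vulns with no patch applied
    compensating_controls: Tuple[str, ...] = ()  # controls justifying an unpatched device
    last_backup: Optional[date] = None
    remote_access: bool = False                 # employees/third parties can reach it remotely
    remote_mfa: bool = False                    # that remote access enforces MFA

# Hypothetical segmentation model: zones with an Internet path, and zone pairs
# separated by an enforced firewall. Any other zone pair is treated as flat.
@dataclass
class Segmentation:
    internet_reachable_zones: Set[str]
    firewalled_zone_pairs: Set[frozenset]

def is_segmented(seg: Segmentation, zone_a: str, zone_b: str) -> bool:
    return zone_a == zone_b or frozenset((zone_a, zone_b)) in seg.firewalled_zone_pairs

def assess(assets: List[OtAsset], seg: Segmentation, today: date,
           backup_max_age_days: int = 31) -> Dict[str, list]:
    """Collect the findings behind each questionnaire item."""
    report: Dict[str, list] = {
        "eol": [], "unmitigated_critical": [], "internet_exposed": [],
        "remote_without_mfa": [], "stale_backup": [], "unsegmented_pairs": [],
    }
    for a in assets:
        if a.eol:
            report["eol"].append(a.name)
        # An unpatched critical vuln is only acceptable with documented compensating controls.
        if a.unpatched_critical and not a.compensating_controls:
            report["unmitigated_critical"].append(a.name)
        if a.zone in seg.internet_reachable_zones:
            report["internet_exposed"].append(a.name)
        if a.remote_access and not a.remote_mfa:
            report["remote_without_mfa"].append(a.name)
        if a.last_backup is None or (today - a.last_backup) > timedelta(days=backup_max_age_days):
            report["stale_backup"].append(a.name)
    zones = sorted({a.zone for a in assets})
    for i, za in enumerate(zones):
        for zb in zones[i + 1:]:
            if not is_segmented(seg, za, zb):
                report["unsegmented_pairs"].append((za, zb))
    return report

def questionnaire_answers(report: Dict[str, list]) -> Dict[str, bool]:
    """Translate findings into the yes/no answers an application asks for."""
    return {
        "eol_devices_present": bool(report["eol"]),
        "critical_vulns_all_mitigated": not report["unmitigated_critical"],
        "ot_segmented_from_internet": not report["internet_exposed"],
        "ot_segmented_internally": not report["unsegmented_pairs"],
        "remote_access_always_mfa": not report["remote_without_mfa"],
        "backups_at_least_monthly": not report["stale_backup"],
    }

# Constructed sample inventory (not real devices or a real site).
TODAY = date(2021, 11, 1)
SAMPLE_ASSETS = [
    OtAsset("PLC-01", "L1-control", "Firmware 2.3", eol=True, unpatched_critical=1,
            compensating_controls=("firewall ACL", "read-only mode"), last_backup=date(2021, 10, 20)),
    OtAsset("HMI-01", "L2-supervisory", "Windows 7", eol=True, unpatched_critical=2,
            last_backup=date(2021, 8, 1), remote_access=True, remote_mfa=False),
    OtAsset("HIST-01", "L3-operations", "Windows Server 2019", eol=False, unpatched_critical=0,
            last_backup=date(2021, 10, 28), remote_access=True, remote_mfa=True),
    OtAsset("JUMP-01", "DMZ", "Windows Server 2019", eol=False, unpatched_critical=0,
            last_backup=date(2021, 10, 30), remote_access=True, remote_mfa=True),
]
SAMPLE_SEG = Segmentation(
    internet_reachable_zones={"DMZ"},
    firewalled_zone_pairs={frozenset(("L3-operations", "DMZ")),
                           frozenset(("L2-supervisory", "L3-operations")),
                           frozenset(("L1-control", "L2-supervisory"))},
)

def run_sample() -> Dict[str, list]:
    return assess(SAMPLE_ASSETS, SAMPLE_SEG, TODAY)

if __name__ == "__main__":
    rep = run_sample()
    for item, finding in rep.items():
        print(f"{item}: {finding}")
    for question, answer in questionnaire_answers(rep).items():
        print(f"{question}: {'yes' if answer else 'no'}")
```

On the sample data the HMI running Windows 7 is the asset that fails most items (end of life, two unmitigated critical vulnerabilities, remote access without MFA, backup older than a month), while the PLC with documented compensating controls is flagged only as end of life; that distinction is exactly what the application's "please describe the other compensating controls in place" item is asking for.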
The good news — none of this is “new,” as most of these requirements look very similar to what cybersecurity practitioners already see in standards such as the NIST CSF or the CIS Controls. Given the new insurance requirements, it is recommended to take a proactive OT systems management approach to address these needs by bringing your OT cybersecurity program and data into a common platform that can demonstrate the answers to these common questions and requirements.
Original content can be found at Verve Industrial.