Surveys suggest that cyber is an under-insured risk: many more organisations believe that their existing insurance would respond in the event of cyber attack than is likely to be the case. Understanding the impact of severe events is one of the key requirements for insurers to develop cyber risk cover, and this study aims to contribute to that knowledge base.
The scenario described in the report reveals three attributes of cyber risk that are particularly significant for the development of insurance solutions. These factors may individually be found in a variety of risks, but cyber risk combines them in ways that demand innovative responses by insurers.
The first of these is systemic exposure. Digital networks and shared technologies form connections that can be exploited by attackers to generate widespread impacts. The hostile actors described in this report are motivated to create broad disruption to the US economy, and cyber attack against the power grid serving New York and Washington DC provides them a means to achieve it. The analysis suggests that insurers could be required to meet claims across many different classes of cover, which emphasises the importance of insurers applying robust exposure management for cyber risk across the entire portfolio.
The second key attribute is the fact that cyber attack is an intangible peril. Studies have revealed that victims often only become aware that they have been targeted months or even years after the event, and that the location of a cyber security breach on a network is often never determined. In this scenario, malware is inserted into the target systems without being detected and lies dormant for several months. In the aftermath, a full year of investigation is required to understand the true nature of the attack, and the perpetrators are never positively identified. For insurers, these factors present challenges for assessing risk exposure for any given entity and in aggregate across the portfolio.
Third is the dynamic nature of the threat. Cyber attacks are often treated as a problem of technology, but they originate with human actors who employ imagination and surprise to defeat the security in place. The evidence of major attacks during 2014 suggests that attackers were often able to exploit vulnerabilities faster than defenders could remedy them. In order to achieve accurate assessment of risks, insurers need insight into the evolution of tactics and motives across the full spectrum of threats.
For insurers, responding to these challenges will demand innovative collaborations harnessing multidisciplinary expertise. Key requirements will be to enhance the quality of data available and to continue the development of probabilistic modelling for cyber risk. Sharing of cyber attack data and pooling of claims information is a complex issue, but the systemic, intangible, dynamic nature of cyber risk means that all parties involved in managing the risk have an interest in sharing anonymised data on the frequency and severity of attacks.
This report reveals a complex set of challenges, but the combination of insurers’ expertise in pricing risks together with the capabilities of the cyber security sector to assess threats and vulnerabilities, and the risk modelling expertise of the research community, has the potential to offer a new generation of cyber insurance solutions for the digital age.
Tom Bolt Director, Performance Management Lloyd’s
University of Cambridge’s Centre for Risk Studies, considers the insurance implications of a cyber attack on the US power grid.
While there have been large individual business losses attributed to cyber attacks, there have, at the date of writing, been no examples of catastrophe-level losses from a widespread cyber attack affecting many companies and insurers at the same time.
This report publishes, for the first time, the impacts of this sort of attack using the hypothetical scenario of an electricity blackout that plunges 15 US states including New York City and Washington DC into darkness and leaves 93 million people without power. The scenario, while improbable, is technologically possible and is assessed to be within the benchmark return period of 1:200 against which insurers must be resilient.
Ein europaweiter Blackout würde möglicherweise mehrere 100 Millionen Menschen betreffen.
The scenario predicts a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses.
In the scenario, a piece of malware (the ‘Erebos’ trojan) infects electricity generation control rooms in parts of the Northeastern United States. The malware goes undetected until it is triggered on a particular day when it releases its payload which tries to take control of generators with specific vulnerabilities. In this scenario it finds 50 generators that it can control, and forces them to overload and burn out, in some cases causing additional fires and explosions. This temporarily destabilises the Northeastern United States regional grid and causes some sustained outages. While power is restored to some areas within 24 hours, other parts of the region remain without electricity for a number of weeks.
Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to the supply chain. The total impact to the US economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario.
The report also analyses the implications of these direct and indirect consequences on insurance losses. The total of claims paid by the insurance industry is estimated at $21.4bn, rising to $71.1bn in the most extreme version of the scenario. One of the important considerations identified by this report for insurers is the wide range of claims that could be triggered by an attack on the US power grid, revealed in the matrix in Figure 4 at page 40.
The scenario in this report describes the actions of sophisticated attackers who are able to penetrate security as a result of detailed planning, technical skill and imagination. A relatively small team is able to achieve widespread impact, revealing one of the key exposure management challenges for insurers. However, the report also describes the constraints faced by the attackers, and shows that insurers should not believe this type of threat to be unlimited in its potential scope.
Introduction to the scenario
The scenario was developed by the University of Cambridge Centre for Risk Studies and reflects a fictionalised account based on several historical and publically known real-world examples. The attack scenario was designed by subject matter experts and subjected to peer review to ensure that the effects could plausibly be achieved.
The Erebos Cyber Blackout Scenario is an extreme event and is not likely to occur. The report is not a prediction and it is not aimed at highlighting particular vulnerabilities in critical national infrastructure. Rather, the scenario is designed to challenge assumptions of practitioners in the insurance industry and highlight issues that may need addressing in order to be better prepared for these types of events.
Zu ‚is not likely to occur‘ ist ein Querverweis zum Buch Weltrisikogesellschaft – Auf der Suche nach der verlorenen Sicherheit angebracht:
‚Der Glaube, die moderne Gesellschaft könne die in ihr erzeugten Gefahren kontrollieren, zerfällt – nicht aufgrund von Versäumnissen und Niederlagen der Moderne, sondern aufgrund ihrer Siege.‘ S. 26.
‚So hat beispielsweise eine Expertenkommission Präsident Bush die Terroranschläge in den USA wenige Monate vor ihrer Durchführung vorhergesagt und ihre Folgen beschrieben. Diese Warnung wurde als „zu hypothetisch“, als völlig unglaubwürdig in den Wind geschlagen. Nach dem global-massenmedial erfahrenen Trauma der Gewalt und Hilflosigkeit ist die Befürchtung, es komme zu weiteren Terrorattentaten, plötzlich allpräsent. Die Katastrophe selbst ist örtlich, zeitlich und sozial fixiert, sie hat einen klaren Anfang und ein klares Ende. Dies gilt nicht für das Terrorrisiko, die Inszenierung, die Erwartung der Katastrophe.‘ S. 81.
‚Die Wahrscheinlichkeit unwahrscheinlicher Unfälle wächst mit der Zeit und der Zahl durchgesetzter Großtechnologien.‘ S. 87.
It aims to bring awareness to the potential physical damage caused by cyber attacks against Operational Technology (OT).
Genau darum geht es. Es ist nicht so schlimm, dass etwas passieren kann, denn es gibt nirgends 100 Prozent Sicherheit. Unverantwortlich ist nur, wenn wir uns einfach darauf verlassen, dass nichts passiert und keine Rückfallebenen vorsehen, wie das derzeit weitgehend der Fall ist. Zum anderen ist es aber auch notwendig, dass bisherige Systemdesign zu überdenken. Denn in vielen Bereichen fehlen überlebensnotwendige Reichweitenbegrenzungen!
Direct impacts on the economy
Approximately 50 generators that supply power to the Northeastern United States are damaged by the malware. Power is restored to some areas in an average of three days but other places remain in the dark or with rolling blackouts for weeks.
Health and safety
Although only a few people are hurt in the initial incident, the long power outage does take its toll in human deaths and injury. There are many accidents resulting from the blackout, including road traffic and industrial accidents. There are people hurt in riots, looting and arson attacks. As the power cuts continue through the hot summer months, heat stress affects older and infirm people, with a rash of deaths reported in nursing homes. Backup generator failures in hospitals result in treatment equipment failing. People are reported sick from eating food that has defrosted or not been properly cooked. In some cases industrial accidents cause environmental damage, and water treatment failures result in pollution to water courses.
The power outage causes a decrease in business productivity as workplaces close and people are unable to get to work. Although some manufacturing and commercial facilities have backup generators, these typically provide only partial replacement. While some workers may be able to perform duties even without electricity many, particularly in the cities, are unable to get to their place of employment due to the wider disruptive impact of the blackout on public transportation and fuel stations. Productivity remains low, therefore, even as some businesses are returned to power.
Maritime port operations are suspended during the power outage. Loading and unloading container ships becomes impossible without electricity, and import and export activity is interrupted. Goods for export that do make it to the port are backed up awaiting the resumption of port activities, prompting a halt in production and a cascading impact along the supply chain as demand for inputs into production processes are temporarily curtailed. Any economic activity relying on imports for production is also disrupted.
Although the first day of the outage sees an upturn in the rate of consumption due to panic buying, this effect is quickly overtaken by the far more disruptive impact of the failure of electronic methods of payment. Cash quickly becomes the only accepted form of payment but the shortage of serviceable ATMs means that many citizens are unable to obtain paper money. Consumption levels remain low until all affected customers are returned to power.
Water supplies are impacted during the blackout due to the loss of power to pumps. Supplies of potable water become limited across the affected area.
A week into the outage, it is revealed that a chemical plant accidentally allowed a dangerous compound to enter the local water supply due to lack of power and a broken backup generator. This causes a localised bout of sickness involving 10,000 people being treated for moderate to serious symptoms.
Several accidental spills occur from sewage plants suffering power outages, leading to further contamination of the water supply serving 2 million people in a different part of the region. Malfunctioning and overflowing sanitary systems force many businesses to shut down due to health concerns.
Siehe auch Energy blackouts and water outages.
Traffic signals cease functioning as soon as the blackout hits leading to a sharp spike in road accidents and gridlock. There is a run on vehicle fuel and a rapid reduction in the number of operational fuel stations. The majority of people stop using their cars. All electric locomotive railroad services are nonoperational during the crisis. City subways are taken offline during the outage and replacement bus services are provided.
Regional airports are shut down due to lack of power for security screening equipment. All major airports serving New York City and Washington DC are also closed for the first day of the outage due to the lack of electronic ticket verification, constituting a serious security risk. They reopen the next day but spend another week dealing with the chaos caused by the power outage.
All forms of communication systems without backup power supplies are hampered by electricity failure. Telephone communication circuits are initially overloaded, making it extremely difficult to make calls. Mobile phone data and service providers remain in operation for several hours after the initial outage but begin to shut down as their backup batteries fail and generators run out of fuel. The backup diesel generators for emergency services keep 911 online, but the loss in communication means that, for most, the service is unavailable. Internet service also fails. Over-the-air TV remains broadcast in some areas but few have power to receive it. Emergency radio and word-of-mouth are the primary means for people to receive information.
Information and communication technology (ICT) is a core activity and a significant contributor to valueadded in the economy. All sectors rely on some form of ICT, particularly finance, services and retail. Most sectors depend on electronic financial transactions, email and the internet for commercial activity. None of these systems work in the event of electricity failure, forcing these businesses to either shut down or find alternative methods of communication. Communication failure makes it very difficult for response agencies to know what areas have been impacted and where to prioritise resources, slowing the recovery and prolonging economic disruption.
The outage has a serious impact on tourism as airports and rail services are shut down. Tourists are unable to get to their destinations and abandon their travel plans. Spending by tourists is severely reduced for the duration of the outage and does not return to normal levels until several weeks after power is fully restored.
Outbreaks of looting and stealing occur as the outage drags on, with criminals exploiting the lack of lighting and security systems coupled with overstretched police forces. Looting intensifies as people run low on food and water in the hot summer and become increasingly frustrated. By the second week without power, many communities suffer a general sense of social unrest, with many people choosing not to go out after dark.
As the power outage continues to deny basic services, social unrest increases. Health and safety suffers owing to factors such as contaminated water and food supplies, difficulties in using at-home healthcare equipment or securing repeat prescriptions, added noise and air pollution from generators, increased physical exertion and poor emergency response. These factors all contribute to a higher death rate in periods of power outage.
The rapid pace of change and the increasing interdependency between different sectors of the economy means that it is difficult to fully predict how different technical, social and economic systems will react to large power system failure.
Currently over 95% of outage costs are borne by the commercial and industrial sectors due to the high dependence on electricity as an input factor of production.10 The majority of these costs (67%) are from short interruptions lasting five minutes or less.
Several studies have estimated the value of lost load to industrial customers as being in the range of US$10 and US$50 for each kWh of electricity unserved.
Note that the economic impacts are non-linear with respect to the size and duration of the outage. Even though the marginal cost of electricity failure decreases for direct losses, the reverse is true for indirect losses. The marginal cost of indirect losses grows as the severity of the outage increases and the duration is extended across scenario variants. The economy is slow to rebound to pre-disaster levels once power is returned. The relationship between direct and indirect impacts concurs with the existing literature, which suggests indirect impacts are of much larger magnitude than direct impacts.
Cyber as an emerging insurance risk
Corporate risk managers see cyber attacks as one of their most serious concerns and obtaining cyber insurance protection is becoming an increasingly important part of business risk management.
While there have been large individual business losses attributed to cyber attacks there have so far been no examples of catastrophe-level losses from a widespread cyber attack having a severe impact on many companies all at once.
It is a dynamic risk – the technology applications, software vulnerabilities, preferred attack practices by perpetrators, legal case law and compensation practices, and insurance product design and coverage offerings, are all rapidly changing.
Insurers may be holding more cyber exposure in unexpected lines of business in their portfolio than they realise.
The greatest concern for insurers, however, is that the risk itself is not constrained by the conventional boundaries of geography, jurisdiction or physical laws. The scalability of cyber attacks – the potential for systemic events that could simultaneously impact large numbers of companies – is a major concern for participants in the cyber insurance market who are amassing large numbers of accounts in their cyber insurance portfolio.
Die fehlenden Reichweitenbegrenzungen und die homogenität der Systeme (Monokulturen bzw. die fehlende Diversität) haben ein sehr hohes Bedrohungspotenzial. Nassim Taleb bringt das etwa mit dieser einfachen Grafik zum Ausdruck:
Huge improvements in security by corporate systems have not fully alleviated the fear of widespread and systemic attack.
Gerade wie jüngste Beispiele wieder zeigen ist die Sorge sehr berechtigt! Siehe etwa die Android-Sicherheitsschwachstelle Stagefright (durch eine Sicherheitslücke in Android lassen sich rund 950 Millionen Smartphones in Wanzen verwandeln) oder Scada-Sicherheit: Angriff auf Steuerungsanlagen, Hacker schalten bei Jeep per Funk die Bremsen ab, usw.
However, cyber attacks and IT events are not unlimited or infinitely scalable. They can have significant constraints that limit attack severity and curtail the amount of loss that insurers may face. A successful cyber attack has to overcome all the security systems put into place to protect against it, requires expertise and resources by the perpetrators who face their own risks of identification, prosecution and retribution, and the loss consequences of attacks are mitigated by risk management actions.
Dennoch ist – kleine Ursache, große Auswirkung – wie die Studie ja eindrucksvoll aufzeigt, möglich!
A cyber attack of this severity is an unlikely occurrence, but we believe that it is representative of the type of extreme events that insurers should assess in order to understand potential exposures. One of the key features of cyber risk brought to life by the scenario is the broad reach of a major event: insurers should consider cyber attack to be a peril that could trigger a wide range of economic losses.
Cyber risk is already an embedded feature of the global risk landscape, and insurance has the potential to greatly enhance cyber risk management and resilience for a wide range of organisations and individuals who are exposed to its impacts. Nevertheless, the likelihood and impact of severe events remain subject to much uncertainty, and the pace of insurance innovation should be linked to the rate at which this uncertainty can be reduced.
This report also reveals the vital contribution of research and analysis in reducing uncertainty concerning cyber risk. Data will be a key factor for enabling further analysis and the development of models to enhance the understanding of cyber risk. The systemic, intangible, constantly evolving nature of cyber threats presents significant challenges for gathering the data required to achieve accurate quantification of the risk for insurance portfolios which could span the global economy. A key mechanism, therefore, by which any insurance or research organisations might be able to achieve the insight needed to capture the full extent of the risk could be enhanced data exchange.
The sharing of cyber risk data is a challenging undertaking involving many complex issues. Examples of sharing arrangements for cyber attack data are already in operation around the world, and these offer the promise that much can be achieved. However, the scale of event described in this report reveals the very wide scope of data that insurers require in order to reduce uncertainty concerning severe events. The sharing of insurance loss data attributable to cyber events among insurers could contribute to this, but this is unlikely to be sufficiently comprehensive in isolation to accurately assess extreme events spanning the full spectrum of threat and every economic sector. Voluntary sharing of cyber attack data, involving a wide range of parties with an interest in developing resilience to cyber attack, offers the most promise for enabling the insurance solutions required to meet this key emerging risk.
U.S. utilities are looking hard at their cyber vulnerabilities and whether they can get insurance to cover what could be a multi-billion dollar loss after hackers cut electric power to more than 80,000 Ukrainians last month. The Dec. 23 incident in Ukraine was the first cyber attack to cause a power outage, and is one of just a handful of incidents in which computer hacking has caused physical effects on infrastructure rather than the loss or theft of electronic data [siehe First known hacker-caused power outage signals troubling escalation].
A similar attack in the United States could cripple utilities and leave millions of people in the dark, costing the economy more than $200 billion, an insurance study estimated last year.
Security experts, insurance brokers, insurers and attorneys representing utilities told Reuters that the Ukraine attack has exposed long-standing ambiguity over which costs would be covered by insurance in various cyber attack scenarios.
Cyber insurance typically covers the cost of attacks involving stolen personal data. Some general property and liability policies may cover physical damage from cyber attacks, but insurers do not always provide clear answers about coverage for industrial firms.
Security experts have warned for several years that a cyber attack could cause power outages due to the growing reliance on computer technology in plants that is accessible from the Internet.
In the Ukraine attack, hackers likely gained control of systems remotely, then switched breakers to cut power, according to an analysis by the Washington-based SANS Institute.
Im Buch Weltrisikogesellschaft – Auf der Suche nach der verlorenen Sicherheit von Ulrich Beck gibt es einige Hinweise auf die zunehmende Nicht-Versicherbarkeit von globalen Risiken, wie beispielsweise:
Die „Restrisikogesellschaft“ ist eine versicherungslose Gesellschaft geworden, deren Versicherungsschutz paradoxerweise mit der Größe der Gefahr abnimmt. S. 61.
Je größer die Gefahr, desto geringer der private Versicherungsschutz. S. 240.
Kein Zweifel, die Ergebnisse dieser Studie widerlegen die Hypothese einer klaren Grenze – eines Entweder-Oder – zwischen versicherbaren und nicht-versicherbaren Risiken, Die Fallstudie bestätigt meine These andererseits allerdings insofern, als sie nachweist, daß die private Versicherungsindustrie bei Katastrophen an ihre Grenzen stößt und auf staatliche Mitversicherung (Subventionen) angewiesen ist. Zugleich deckt die Studie das Ausmaß der inneren Fragilität des privatwirtschaftlichen Versicherungssystems in der Weltrisikogesellschaft auf. S. 241.