We are sorry but your browser is not supported by Marsh.com.

For the best experience, please upgrade to a supported browser:


Risk in Context

Cyber-attacks Against Critical Infrastructure– Know Your Risk

Posted by Simon Bell Monday, 22 January 2018

Recent reports of a cyber-attack  that has affected systems within a critical infrastructure facility have raised concerns regarding cyber risks and their possible impact. The attack, thought to have been nation-state sponsored, used malware against the critical safety systems for industrial control units of an organization in the Middle East.

This type of cyber breach marks the first of its kind against a safety control system.  By compromising the safety system of the industry control unit, hackers could shut down parts of a plant in advance and could potentially stop operators from identifying and stopping destructive cyber-attacks.

Critical infrastructure facilities, manufacturing plants, and utilities organizations are increasingly becoming targets for hackers.  For example, the Shamoon virus in 2012 and Shamoon 2 in 2017, a data wiping malware that swept across public entities, government organizations, and large oil and gas facilities, resulted in severe system outages and damage to hardware.  The impact from recent attacks could be similar.

As critical infrastructure relies increasingly on technology to monitor essential and key systems, this opens it up to new vulnerabilities from cyber-attacks.  An attack on systems such as these has the potential to cause:

  • Business interruption:  as a result of forced emergency shut down where there was no emergency
  • Property damage: Attacks against systems have the potential to cause physical damage if an emergency shut down system becomes disabled and is not triggered.  It could also result   injury to employees.
  • Reputational impact:  Public awareness of your systems having being compromised, including press coverage, can be damaging to your organization’s reputation.

If systems are infected with malware, you may not become immediately aware the issue exists, meaning it could be infected for months before interruption occurs, or the attackers could exploit large amounts of data before the organisation can take steps to halt the attack.

Have You Taken Steps to Protect Your Organisation?

Taking recent examples into consideration, organisations should take steps now to protect themselves against the impact an attack could have.

  • Be prepared for a similar attack: And know that you may not immediately be aware that your systems have been infected.
  • Conduct a risk management assessment: Know which systems are interconnected, the exposures a facility has, and the impact if an outage occurs.
  • Review your insurance: Make sure you know whether your policy would compensate a cyber breach and pay close attention to exclusions; they may not cover for physical damage.

The more critical infrastructure providers, manufacturing plants, and utilities organizations implements new, interconnected technology, the more important assessing and mitigating the impact of an attack becomes.

Simon Bell

Financial and Professional Liability Practice