Did you know that exposure to equipment breakdown and property damage exist if Industrial Control Systems (ICS) are compromised, either due to human error or cyber-attack? With advancements in technology, ICS are migrating to require extensive operator training, while also being subject to greater risk of cyber hacking. The advancement in ICS enables industrial processes to be remotely monitored and managed from a central location. This allows organizations to achieve greater efficiency and productivity, however, this comes at the cost of infiltrating the physical network that protects the legacy systems from cyber threats.
ICS is referred to as Supervisory Control & Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations like Programmable Logic Controllers (PLC). ICS have been utilized for years to control and document operating parameters of machinery in all types of power plants, chemical plants, miscellaneous industrial sectors and infrastructures.
In the past, manufacturing companies were connected within the network of a single organization, but a connection with the outside world through the internet was limited. However, when technology evolved, the internet connections became worldwide with the evolution of iCloud, Google Drive, Dropbox, and many others. All these digital media platforms are vulnerable to infiltrations by unauthorized sources, often referred to as hacking.
While I do not specialize in underwriting and insurance coverages, it’s my understanding that damage to equipment/property and business loss due to compromised ICS is covered under EB coverage. A major global property insurance company is providing extensive training to field staff in evaluating and recommending ICS/Cyber security exposures and BI Loss as the result.
There are two major sources of EB due to ICS failure:
- Human error in operating ICS by staff and authorized contractors. In addition to technical training, the training program should include procedures to evaluate proficiency in the use of ICS.
- Improper and purposeful misuse of access given. If contractors are given access, there should be a monitoring system to detect improper and misuse of access.
Cyber Security, in the context of ICS, is defined as “the protection of industrial control systems from threats from cyber attackers”. It is often referred to as Operational Technology (OT) Security and includes a wide range of practices including:
- Asset inventory and detection
- Vulnerability management
- Network intrusion protection and detection
- Endpoint detection and response
- Patch management
- User and access management
Those involved in completing the CERR type of AXA report employ the use of a form in the report – Cyber Exposure to Equipment Control. It addresses the compromised areas of ICS with respect to its cyber security network. In completing this section, the exposures and management program should be discussed and proper information provided.
Additionally, a corporate program for development of a centrally-driven cyber security policy for effective management, operation, and security of the ICS is necessary. There is a range of standards; CIS Top 20, NIST CS, IEC 62443, and others, that address cyber security issues. Several ICS manufacturers require certification as qualified anti-terrorism technology under the US Safety Act (Homeland Security). One such system that is widely used in power generation is Emerson Ovation DCS. Ovation supports integrated vibration monitoring, generator excitation control, Safety Instrument Systems (SIS), scalable footprints for small or distributed applications, virtualization and embedded simulation.
At our level of property inspection surveys, the most important factor to address is the operator training, review of operator performances and a corporate policy to ensure that contractors and vendors are not provided access without proper security screening. Also, cyber security is the responsibility of corporate management. It is advisable to discuss if there exists a formal ICS security strategy, policy and cross functional teams for effective management, operation and implementation of ICS security programs.
Anzar Hasan
