22 February 2017

The article at a glance

The loss of sensitive information gets all the headlines, but lesser-known threats from cyber attacks also deserve attention, say risk experts at …

The loss of sensitive information gets all the headlines, but lesser-known threats from cyber attacks also deserve attention, say risk experts at Cambridge Judge Business School conference.

A silhouette of a hacker with a black hat in a suit enters a hallway with walls textured with red digital glowing security threat icons 3D illustration cybersecurity concept

News headlines are full of reports about the privacy risks of hacking and other cyber attacks – ranging from the loss of customer bank details to embarrassing conversations involving US diplomats or Sony movie executives.

But what about burning buildings caused by a maliciously attacked laptops exploding and catching fire in an office complex?

This is but one lesser-known cyber security risk explored earlier this month at a panel discussion at Cambridge Judge Business School on the “cyber-security overlap” – part of a conference on the Risks and Benefits of Artificial Intelligence & Robotics hosted by the Cambridge Centre for Risk Studies (CCRS) in collaboration with the United Nations programme on Journalism and Public Information.

Other such less-discussed risks include cyber-enabled marine cargo theft from ports, and cyber attacks on industrial control systems in industrial processing plants.

While 92 per cent of insurance products on cyber risk cover breach of privacy and 81 per cent cover data and software loss, only 19 per cent of such insurance products explicitly cover “physical asset damage” such as the exploding laptop-fire scenario and 15 per cent cover explicitly death and bodily injury stemming from cyber events.

Jennifer Copic
Jennifer Copic

“More and more companies are going to insurers due to cyber risk, which is a product growth area for insurers,” Jennifer Copic, Research Associate at the CCRS, told the conference, “but there is a very wide variation in coverage language, as no two cyber insurance products are the same.”

Both insurers and regulators are growing increasingly concerned about “accumulation risk” for insurers related to coverage for systemic cyber attacks, in which large numbers of people seek compensation at the same time.

Professor Daniel Ralph, Academic Director of the CCRS, also spoke about how physical assets could be at risk through cyber attacks on operational technology – such as SCADA (supervisory control and data acquisition) systems that monitor and control plants in sectors such as water and energy – in contrast to the more publicised attacks on information technology systems such as websites.

Speaking about the “Triangle of Pain” – how policy interacts with the public and private sectors regarding cyber threat – Professor Ralph said that authority in meeting the threat is currently fuzzy. “The more networked we are the less clear it is who is responsible for maintaining security” to basic systems, he said – adding that the private sector is held to account for service issues (online bank accounts that suddenly don’t work) but not necessarily the underlying cyber attack.

Professor Daniel Ralph
Professor Daniel Ralph

A “Triangle of Pain” chart demonstrated how government and regulators do not own critical private-sector infrastructure systems, but are held ultimately responsible for the provision of service those systems provide to society. “These issues are not clearly linked up,” Professor Ralph said.

Operational technology “lags well behind” IT in cyber security, because many people unwisely decide that “if it’s not broken don’t fix it” with regard to such systems, said Simon Ruffle, Director of Research & Innovation at the CCRS.

The rapid spread of the Internet of Things (sensors that control many aspects of everyday life) could worsen such operational risks, he added, because there is a “lot of cost cutting in the Internet of Things” such as the failure to include secure passcodes in such devices.

But there is at least one bright spot, he added: While skilled computer hackers can steal information through cyber attacks on information technology, “hacking skills are not sufficient in OT (operational technology) attack as someone also needs engineering skills.”