What is the Appropriate Level of Cybersecurity for OT Systems? Cyber Insurers Want to Know

By Ronald J. Hebert, Jr and Michelle Balderson | December 12, 2017

Cybersecurity seems to be more of an art than a science. Different countries have different requirements for cybersecurity compliance, with a wide range of regulations, mandates, and laws in place. Even critical infrastructure organizations that produce essential goods and services have varying levels of cybersecurity protection deployed in their Operational Technology (OT) environments. Put a group of cybersecurity engineers in a room and you’re as likely to get an argument as you are to get a security plan produced.

So, how much should a company invest in the cybersecurity of their OT systems and what is the appropriate level of cybersecurity required for them?

That question has different answers depending on the financial implications of a catastrophic event. Most businesses use some sort of formula to determine the Return on Investment for their physical security and cybersecurity investments. For example, meeting the cybersecurity requirements of compliance mandates or laws can be determined, and the ROI can be measured against the cost of failing to meet those requirements in terms of fines or sanctions. Likewise, the amount of insurance required for protection against normal events such as equipment failures, fires, floods, tornadoes, hurricanes, etc. is known and predictable. Such events have happened in the past and can be quantified from a risk point of view by insurance adjustors. Insurance companies can assess the potential of such an event occurring, calculate the impact should one happen, and then determine the cost of a premium to protect the organization.

The harder question for insurance companies is assessing the risk of an industry failure due to a cyberattack. There is no certainty as to if or when such an event will occur, or the impact of such an attack. It is also difficult to determine the appropriate amount of cybersecurity investment that needs to be made, above and beyond what is imposed on the business by the country in which it operates, in order to provide adequate protection. However, determining the amount of cybersecurity that a business must implement in order to protect itself from a security breach is exactly the sort of thing that cyber insurers need to be able to quantify.

A successful cyberattack against critical infrastructure can run the gamut from simply manipulating the OT system, devices, and/or equipment without causing any harm, to destroying those systems, resulting in catastrophic damage to life and property, not only at the site, but potentially even the surrounding communities. And this doesn’t even take into account the potential ramifications of such an event for those organizations or individuals who rely on those critical services, especially in the case of things like water, electricity, or oil and gas.

There are also other factors to consider, such as determining the potential motivation of criminals, terrorists, or activists to target such a system. These are all aspects of risk that an organization has little control over, but that have a significant impact on potential risk. What they do have control over, however, is the security solutions they have in place to defend their OT systems against such an event.

So, the question, beyond simply how much to charge for cyber insurance, is how does an insurance company determine the amount to charge or the degree to which they should discount their premiums to such businesses based on the level of cybersecurity implemented in their OT systems?

It begins by understanding the entire attack surface of an OT system, from the HMI (human machine interface) out to the end devices, as well as at the convergence points at the corporate IT/OT boundary. Mapping and analyzing these systems is key to determining the kinds of cybersecurity solutions needed to protect an OT network against a cyberattack, or to effectively mitigate its impact should a breach occur.

The other side of that question is, how much should a critical infrastructure organization spend on OT cybersecurity to lower its insurance premium to the lowest possible price? One way to do this is by determining the highest degree of cybersecurity protection possible across an entire OT system, including the corporate IT/OT boundary. This amount of cybersecurity protection will likely go well above and beyond what is required by regulations, laws, or mandates. It may also be cost prohibitive.

However, companies should be rewarded with progressively lower premiums as their implementation extends along that continuum between what is required, which has one insurance rate, and what has been determined as ultimate protection, which would receive the lowest rate possible. Such an approach would provide organizations with a basis against which to determine the ROI on their insurance investment calculated against their tolerance for risk, while simultaneously reducing the risk against the entire system in the event of a cyberattack.

Of course, that’s easier said than done. The challenge is in accurately assessing all aspects of a critical infrastructure and determining the potential for loss due to a cyberattack. Fortunately, a growing number of insurance companies have accepted this challenge, and have been developing and refining cybersecurity risk plans for such systems. These insurers, such as American International Group, Chubb Limited, and XL Group Ltd. in the US market, have been working to supply critical infrastructure industries with cybersecurity insurance options since 2015. Part of this is being driven by the fact that the market for cybersecurity insurance in the United States was estimated at $2.49 billion in 2016, with exponential growth predicted for the future.

The other, and arguably more important, reason, however, is that the changing threat landscape has resulted in a growing need to protect the OT environments of our increasingly connected and interconnected critical infrastructures. While companies implementing the highest level of protection should be rewarded with lower insurance premiums, and insurers will potentially find this market to be valuable, we shouldn’t forget that the end result of such a program is also that it puts in place a financial incentive for organizations to raise the bar on their OT security. And that benefits everyone.
