Whenever I get into my car, it is never my intention to have an accident. However safely I drive, there is no way to eliminate the risks on my journey, so I rely on care, due diligence and patience on my part, and on insurance to take care of everything else. The same is true for our OT systems: we know there are risks of unplanned downtime outside of our control, and not all disasters are cyber related, so insurance is there to offset the losses incurred when disaster strikes.
Cyber insurance (also referred to as cyber liability insurance or data breach insurance) provides coverage for events including data breaches, downtime, and cyberattacks. Cyberattacks may include malware, ransomware, phishing, DDoS, hacking, insider threats, and more.
Protection and coverage will vary depending on the underwriter and the control measures you have in place. Insurance underwriters recognise that security controls are foundational to an organisation's security posture and weight the policy accordingly.
Hiscox View in 2022
In the Hiscox Cyber Readiness Report 2022, Gareth Wharton, Cyber CEO, stated: “While the cyber criminals have long targeted high-value companies, it is clear they are now moving down the food chain. International agencies have recently warned that more mid- and small-sized businesses are being targeted.” He also states that “Companies with revenues of $100,000 to $500,000 can now expect as many cyber-attacks as those earning $1m to $9m annually.”
For the first time, the attack vector has changed: the most common point of assault is now cloud servers, and it would appear that the move to remote working has shifted the focus of attacks. The main way in for the hackers is corporate servers, often with email as the initial vector, and there has been a big jump in the number reporting entry via a cloud server. This aligns with the warning from international agencies that bad actors are increasingly targeting cloud infrastructure.
A New World Order?
While each insurance broker's evaluation process differs, there are certain security controls that are almost always required for an organisation to obtain and keep cyber insurance coverage. Such controls often mandate best practices aligned with industry standards such as ISO 27001 and IEC 62443.
SolutionsPT have observed, through conversations with our customers, that renewal prices have risen in some cases by 600%, or that the level of cover has been reduced to 10% for the same premium. In some cases, implementing the missing control(s) has been cheaper than the insurance renewal uplift, meaning the investment has reduced costs and significantly improved the security posture of the organisation.
Now… who wouldn't mind some free security solutions eh?
While the controls vary depending on who is underwriting the insurance, there are many commonalities which appear in pretty much every security framework. Insurers are becoming much more aware of the risk they are taking on, especially for OT customers, and are mandating a good level of foundational security before offering cover without eye-watering increases.
Now that all makes sense for IT, but is it possible to place all of this security onto an aging control system?
The answer is subjective and quite complicated. While you may not be able to apply all of the controls required, it is possible to make significant headway into the insurance company's requirements. This is all based on risk management: applying appropriate control measures and compensating controls.
In our experience, there are 12 common factors that influence the cost of cyber insurance, all of which can be addressed in one way or another on pretty much any control system. While it is not always possible to apply every control directly at every location, there are ways to compensate and to open a different discussion with the underwriter. Some examples are:
- All patches up to date – Apply patches certified by the vendor; if you can only apply a subset, prioritise them on a risk-score basis
- Obsolete software – Not all software is current, and some may no longer be supported. Apply application whitelisting to turn the device into a fixed-function system
- AV signatures out of date – Use a solution that relies on AI rather than signatures
- Two-factor authentication – Often not possible on the IACS itself, so consider it on the engineering workstation and treat it as necessary on the remote access gateway
- Endpoint firewall – The best kept secret in OT, as it is nearly always switched off; take the time to configure it and switch it on
- Network control – Segregate IT and OT systems using firewalls, and enable the security features on managed switches
- Monitoring – Deploy a monitoring solution so that you get early warning of potential issues
- Backups – If you do nothing else, ensure that you can recover from a failure AND test that this process actually works!
- Encryption – While encrypted data is protected, it can also be difficult to monitor, especially over the network. There are reasons to encrypt and reasons to forgo it for visibility and ease of recovery. Consider the approach of:
  - Encrypt everything you would rather lose than have stolen
  - Don’t encrypt anything you would rather have stolen than lose
Beat the Increase
If your cyber insurance is due for renewal and you haven’t done anything to address foundational security, expect to see significant increases in your premiums. Planning ahead and implementing a best-practice approach and controls will not only make you more secure in the short term, but is also likely to save you time, money and worry in the future.
At SolutionsPT we take a balanced approach to the management of assets and their security throughout the lifecycle. We understand that it is not always possible to apply every IT best practice to every part of the plant floor; however, by using the correct tools, frameworks and a pragmatic approach, we can offer advice and solutions that reduce risk and improve operational efficiency and security.