Written by Asaf Ashkenazi
Industry estimates suggest the global cyber insurance business could reach approximately $20 billion by 2020. Currently, most cyber insurance policies cover damages related to data leaks, such as the inadvertent publication of SSNs, bank account or credit card numbers and patient medical history. Other cyber insurance policies offer compensation for ransomware payments.
The industry is also preparing itself for actual physical damage caused by cyber criminals. This is because Internet of Things (IoT) devices connect the physical world with the digital realm. Hijacked IoT devices and systems can potentially cause significant damage and are a huge liability if they remain unprotected. For example, in 2015, cyber criminals targeted a steel mill in Germany, manipulating and disrupting various control systems. According to Wired, a blast furnace in the mill could not be properly shut down, resulting in “massive” (though unspecified) damage.
Perhaps not surprisingly, Booz Allen Hamilton warns that the impact of cyber-attacks against Industrial Control Systems (ICS) could be devastating.
“Attacks can cause extended operational halts to production and physical damage and even jeopardize the safety of employees and customers,” the organization stated. “The attack surface for ICS is larger than just the ICS devices, equipment and networks: It extends to all parts of an organization, including the extended supply chain.”
One basic premise of any insurance policy is the ability to precisely assess risk versus potential damage. Clearly, the risk for cyber security insurance that covers physical damage caused by a cyber attack will be driven by the size of the attack surface, which grows with the number of connected endpoints and with the physical damage each IoT endpoint can potentially cause if compromised.
Increased risk, incurred by unprotected endpoints, will inevitably result in higher premiums, deductibles and other limitations that make cyber insurance all but unaffordable for many businesses. Moreover, insurance companies could potentially require proof of specific security measures taken by the policyholder to reduce the risk of attacks. In the future, insurance companies may also demand that their policyholders implement a certain level of security before coverage begins.
From our perspective, reducing the IoT attack surface starts with adequately protecting both services and endpoints. It is important to note that an attacker cannot compromise an endpoint without first establishing an unauthorized communication channel. An IoT security solution should therefore only allow legitimate, verified cloud services to ‘talk’ with each device by detecting and thwarting unauthorized communication attempts. In addition, IoT devices should be uniquely and cryptographically verified to determine if they are authorized to connect, thereby reducing the attack surface of the service by preventing remote attacker access directly or through malicious or compromised endpoints.
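The two-way verification described above, as an added illustration that is not code from the original post: the service keeps an allow-list of provisioned device IDs and a per-device key, a device answers a fresh challenge only with its own key, and the service proves itself to the device in return. The master key, device IDs and HMAC-based key derivation are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed key material for this example; a real deployment would keep the
# master key in an HSM and provision each device's key at manufacture.
MASTER_KEY = b"constructed-service-master-key"


def device_key(master: bytes, device_id: str) -> bytes:
    """Per-device key derived from the service master key (assumed HMAC-based derivation)."""
    return hmac.new(master, b"device-key:" + device_id.encode(), hashlib.sha256).digest()


def tag(key: bytes, role: bytes, nonce: bytes) -> bytes:
    # The role label stops a response meant for one direction being replayed in the other.
    return hmac.new(key, role + b":" + nonce, hashlib.sha256).digest()


class CloudService:
    def __init__(self, master: bytes, registered_ids):
        self.master = master
        self.registered = set(registered_ids)  # allow-list of provisioned device IDs

    def verify_device(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        if device_id not in self.registered:  # unknown endpoint: refuse before any crypto
            return False
        expected = tag(device_key(self.master, device_id), b"device", nonce)
        return hmac.compare_digest(expected, response)

    def prove_to_device(self, device_id: str, nonce: bytes) -> bytes:
        return tag(device_key(self.master, device_id), b"service", nonce)


class Device:
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key

    def respond(self, nonce: bytes) -> bytes:
        return tag(self.key, b"device", nonce)

    def verify_service(self, nonce: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(tag(self.key, b"service", nonce), proof)


def mutual_handshake(service: CloudService, device: Device) -> tuple[bool, bool]:
    """Returns (service_trusts_device, device_trusts_service); nonces are fresh per run."""
    svc_nonce, dev_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    device_ok = service.verify_device(device.device_id, svc_nonce, device.respond(svc_nonce))
    # The service only answers a device it has verified; an unverified device learns nothing.
    proof = service.prove_to_device(device.device_id, dev_nonce) if device_ok else b""
    return device_ok, device.verify_service(dev_nonce, proof)
```

A device holding a guessed key, an unregistered device ID, or a service without the real master key all fail the handshake, which is the point at which a defender would log and block the attempt.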
In conclusion, the industry must prepare for a new era in which IoT security solutions adequately protect the physical world from the digital realm.