Recently disclosed and highly-publicized cyberattacks on commercial entities have justifiably captured the public’s attention. These hacks highlight the increasingly sophisticated threats that corporations face online today, whether from organized crime rings, nation-states or even just teenagers with access to powerful software that does not require a strong technical background to operate.
Unfortunately, the cyberattacks prompting this recent media frenzy obscure a potentially more significant threat. Critical infrastructure, which often relies on networked computers not just to function but, in some cases, to prevent significant and widespread harm to people and property, is also becoming a target for hackers. Three recent news stories demonstrate the enormity of this risk.
First, Bloomberg reported late last year that a 2008 oil pipeline explosion in Turkey was the result of a cyberattack likely perpetrated by Russia. Hackers were able to shut off alarms that would indicate potential issues with the pipeline, erase 60 hours of surveillance video to cover their tracks, and increase the pressure in the pipeline to the point that it exploded. No evidence of physical tampering was found, although a lone camera recorded images of men dressed in black walking near the pipeline with laptops in hand. While the pipeline is covered with sensors that send key data to a central control room, its operators only became aware of the massive explosion when, 40 minutes later, a security worker saw the flames.
Next, a report issued by the German government revealed that a local steel factory suffered substantial damage after sophisticated hackers were able to compromise the control system for a blast furnace. During the attack, the plant was unable to shut down the furnace in a controlled manner, causing massive damage.
In addition, the South Korean government found evidence of a computer worm on various machines connected to the control systems for certain nuclear plants. Although the South Korean energy minister said the worm was unrelated to recent threats made by hackers, and that it was likely introduced through workers’ use of unauthorized USB devices, some lawmakers voiced doubt about the veracity of this claim. The use of unauthorized USB devices is a well-known attack vector and was reportedly used to introduce Stuxnet to Iran’s nuclear centrifuge control systems in 2010.
These incidents differ from better-known commercial data breaches in that the intrusion either did or could result in physical destruction or significant damage of the asset controlled by the compromised system. As sophisticated hacks become common in the commercial space, the possibility of deadly cyberattacks against critical infrastructure grows. Critical infrastructure hacks pose significant risk to the general public, and the corporations that own most of these assets face tremendous potential liability as well.
A pipeline explosion in a populated area could lead to deaths, serious injuries, property destruction and environmental contamination. The resulting downtime from an attack on infrastructure, such as pipelines, ports, factories and financial markets, could lead to lost business. Azerbaijan’s State Oil Fund, for example, reportedly lost $1 billion in export revenue due to a pipeline attack. This downtime also leaves entities open to breach of contract claims by business partners. For public companies, loss of share value and an onslaught of third-party lawsuits—not to mention potential regulatory investigations and enforcement actions—could also result in additional shareholder suits, proxy fights and mass sell-offs. Put simply, the liability and repercussions resulting from a sophisticated cyberattack on a critical infrastructure industrial control system could dwarf the costs imposed by even the most successful data breaches seen so far.
These risks are not new. For several years, industrial control systems’ vulnerability to cyberattack has been the subject of much discussion, and the challenges in protecting this equipment are well known. In 2013, President Obama issued an executive order to prioritize critical infrastructure cybersecurity. But with nation-states and criminal groups becoming increasingly brazen in their attacks on commercial entities, and numerous reports of attackers probing and planting malware on critical infrastructure in the United States, corporations that own these assets are faced with a new risk management concern.
In order to manage these liability risks, critical infrastructure owners and operators can and should regularly assess their cybersecurity programs to ensure that their practices are effective and commensurate with the risks they face. The National Institute of Standards and Technology Cybersecurity Framework is an essential tool for this exercise. Industrial control systems require a much different set of tools and best practices than traditional IT systems, and assessments need to consider the unique nature of control systems. These systems should be hardened to the greatest extent possible, drawing upon all available third-party resources. These assessments should be performed at the direction and under the management of counsel to cover the investigation with the protection and confidentiality of attorney-client privilege.
Owners and operators should also maximize their use of risk hedging. Organizations need to review their insurance policies to ensure that their interests would be sufficiently covered in the event of a cyberattack, including those that cause physical damage, and purchase additional coverage as necessary. It may also make sense to involve experienced counsel in this process to maximize the consideration of potential liabilities while protecting any discussions under attorney-client privilege.
At the same time, critical infrastructure faces unique problems when it comes to insurance, and it may be impossible to obtain sufficient coverage to entirely hedge an organization’s cyberrisk. A key tool that can be used to reduce potential liability, however, is the SAFETY Act. This can either cap third-party damages arising from such an attack at the covered entity’s level of insurance or ostensibly eliminate third-party liability entirely, depending on the level of protection obtained.
Finally, corporate boards—especially those that are publicly held—must be sure to effectively oversee the management of cyberrisk to ensure that it is mitigated appropriately and effectively. More than just good business practice, active and effective board oversight of cyberrisk is an increasingly important component of the fiduciary obligations directors owe their corporations and shareholders.
With cyberattacks becoming part of the new reality for commercial entities, corporations that own or operate critical infrastructure must brace for the possibility of a sophisticated malicious attack. For them, the stakes are even higher.