Vulnerabilities within cyber-physical ecosystems

According to ENISA (the European Union Agency for Cybersecurity), the top emerging cybersecurity threats for 2030 include supply chain compromises of software dependencies, advanced disinformation campaigns, and the rise of digital surveillance authoritarianism. Also highlighted are human error and exploited legacy systems within cyber-physical ecosystems, as well as targeted attacks enhanced by data from smart devices.

The evolving threat landscape poses risks both to affirmative cyber products and to conventional ones, such as property and liability insurance. In this article, we explore human error and legacy system exploitation to address some of the core issues in Cyber-Physical Systems (CPS) security.

The Cyber-Physical Systems of today

CPS can be defined as networked systems in which the computational (cyber) part is tightly integrated with physical components. A related term, OT (operational technology), is also used to describe these systems. The CPS market is expected to grow at a considerable rate between 2024 and 2032, fuelled by the rapid advancement of intelligent features that extend the capabilities of physical systems in several areas.

Examples of these systems include network monitoring, medical devices and robotic systems. Key industries developing in this area include healthcare, cybersecurity and utilities. From smart grids to Building Management Systems, cyber-physical systems are increasing efficiency across companies and society as a whole. The defence industry, transportation, and warehousing and storage also make use of CPS.

Modern CPS integrate sensors, the Internet of Things (IoT) and artificial intelligence (AI) to provide features such as real-time data acquisition, process automation and monitoring, delivering increased automation, efficiency gains and more secure services, to name a few examples.

Plenty of vulnerabilities exist

Although CPS bring clear benefits, serious vulnerabilities have emerged, many of which create opportunities for cyber criminals and carry serious consequences.

When physical devices and systems are connected to one another, whether through cloud services or other internet connections, the data they generate, the functionality they provide and the solutions built on them become exposed to cyberattacks and other malicious activity. One example is the ‘isolation assumption’: the false belief that a system which is hidden, or believed to be disconnected, is therefore secure. This assumption is common in modern companies and is a dangerous approach to cyber security, since a device that is reachable at all (through a maintenance link, a vendor connection or a misconfigured network) is reachable by an attacker.

Increased connectivity and the use of uniform or similar CPS can both be considered vulnerabilities. If CPS are connected through a centralised management system, compromising that central system grants access to every connected CPS. Alternatively, if the CPS are of the same type but lack centralised management, a common vulnerability exploited in one device makes the others equally easy to compromise.

Failure to update legacy systems poses serious risks; unfortunately, such weaknesses are exploited regularly around the world. Maintaining legacy systems is, in fact, a major concern for many companies.

For example, in 2017, the WannaCry ransomware attack affected numerous organisations worldwide, including the UK's National Health Service (NHS). The attack exploited a vulnerability in the SMBv1 file-sharing protocol of the Windows operating system, for which Microsoft had already released a patch (MS17-010) two months earlier, and spread rapidly between unpatched systems without any user interaction. The NHS was particularly vulnerable due to its reliance on legacy systems and a lack of adequate cybersecurity measures.


Understanding human error in cybersecurity

Human errors, such as clicking on malicious links, using weak passwords, falling victim to a phishing attack or accidentally disclosing confidential information, create substantial security risks that cybercriminals can exploit to access critical systems and data.

When it comes to cyber-physical systems, human error typically occurs in incidents involving a programmer or network engineer. These issues include poor coding, faulty updates, misconfiguration, inconsistent or misaligned network security, and reliance on legacy systems or outdated solutions for critical operations.

Unfortunately, in the insurance industry, we often encounter companies still using legacy systems.

Lars Hedensjö, Cyber Underwriter at If

An insurer’s perspective on threats today

Lars Hedensjö, Cyber Underwriter at If, explains that “In the Nordic region, the number of ransomware attacks increased marginally in 2023 compared to 2022. Extortionists prefer to target large companies as they have more resources. Still, in 2023 the proportion of ransomware attacks against large companies (over 5,000 employees) decreased in relation to medium-sized companies (501 – 5,000 employees). Currently, the distribution of ransomware attacks sorted by organisation size is 17% of incidents in large companies, 34% in medium-sized companies, 25% in smaller companies (51 – 500 employees) and 24% in small companies (1 – 50 employees). Presumably, large companies' investments in improved security have had an impact, which then influences the extortionists to move on to more vulnerable medium-sized companies.”[1]

He continues, “In 2023, the most common type of attack in the Nordic region was extortion, accounting for 32% of cases. The second most common was contained attacks, at 20%, where the attacker gained an initial foothold but was detected and stopped before further damage could occur. Business Email Compromise (BEC) accounts for 16% of cases. These attacks often begin with a phishing email that allows the attacker to obtain the victim's email login credentials. The attacker then monitors the email correspondence, waiting for opportunities such as intercepting account details. BEC attacks have seen a large percentage increase from 2022 to 2023.[2]

“The primary attack vector was vulnerabilities, which accounted for 38% of cases. These weaknesses were found in services directly accessible from the internet. When extortionists engage in mass exploitation, they often install backdoors to maintain access in case the organisation updates its systems to remove the vulnerability, allowing them to return later for an extortion attempt. Additional attack vectors include valid accounts (26%), phishing (23%), trusted services and supply chain attacks (10%) and other methods (3%). Trusted services have shown the most growth in usage, although they are primarily used by the most advanced ransomware groups.”[3]


Ghita Meyer, Head of Liability and Cyber Underwriting

According to Ghita Meyer, Head of Liability and Cyber Underwriting, the evolving cyber threat landscape continues to influence the insurance industry.

“Cyber threats influence the insurance industry in the broadest sense. They appear across different coverages, from property and liability to personal lines. Historically, the cyber insurance product was developed to address cyber risk, which has allowed our B2B business to identify and cover the risk in a more transparent way. Still, the distinction between cyber insurance and traditional property and liability insurance will need practical application over the coming decade.”

Lars Hedensjö provides insights from recent studies to add perspective. “According to one source, there has been a 75% increase in attacks on the healthcare sector since last year. This is likely due to the fact that medical and health industry providers hold customers' protected health information (PHI), financial information (such as card and account numbers) and personally identifiable information (PII), all of which are valuable targets for attackers.” He adds, “Attacks on consulting and professional services have increased by 141% since last year. This sector also has access to sensitive information, either directly or through close interaction with clients.”[4]

He also explains that statistics are available on how companies fare after paying extortionists. In cases where a company paid its attacker, the blackmailers’ promises were fulfilled in 67.7% of cases, unfulfilled in 20.6% and partially fulfilled in 3.9%. In 7.8% of cases, the outcome was unclear.[5]


Endless possibilities

In its simplest form, consider a customer producing a product in a factory. The systems at risk are those that control the production machines or, for instance, the power supply to the building itself. In other cases, the risks are more elusive. Cyber threats may target numerous smaller devices scattered around the world, where attackers look to track people or items that register and transmit information.

Lars explains, “The consequence of a cyber-attack can involve more obvious losses such as interruption of service or unauthorised access to information in the service. There are also more evasive aspects, depending on the system’s function and the attacker's form of attack.”

He highlights the example of Stuxnet, a malicious worm, noting “Stuxnet clarifies the range of what is possible. It targeted supervisory control and data acquisition (SCADA) systems, specifically programmable logic controllers (PLCs), which allow the automation of electromechanical processes, such as gas centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet targets machines using the Microsoft Windows operating system and networks, then seeks out Siemens Step7 software.”

Reportedly, Stuxnet compromised Iranian PLCs and caused fast-spinning centrifuges to tear themselves apart by manipulating rotor speed, first increasing it and then lowering it, likely with the intention of inducing excessive vibrations or distortions that would destroy the centrifuge. Stuxnet allegedly ruined almost one-fifth of Iran's nuclear centrifuges.[6]

Digitalisation and cyber-attacks

When asked if these cyber threats impact affirmative products and conventional ones, such as property and liability insurance, Ghita Meyer comments, “Manufacturing products and production techniques are changing and becoming increasingly digital. This brings new challenges for both product liability and property insurance.”

“As cyber risks evolve, legislation seeks to follow, which is natural,” she notes. “The most recent legislation from the European Union includes the new Product Liability Directive and the Cyber Resilience Act. Both increase the producer’s responsibility when selling digital, online-connected products that pose a risk of potential data loss.”

Sources

[1] Truesec, Threat Intelligence Report 2024, pp. 4, 8
[2] Truesec, Threat Intelligence Report 2024, pp. 5–6
[3] Truesec, Threat Intelligence Report 2024, p. 7
[4] CrowdStrike, 2024 Threat Hunting Report, p. 10
[5] Palo Alto Networks, Incident Response Report 2024, p. 22
[6] Wikipedia, Stuxnet


Written by

Caroline Bødkerholm Ramsby and Cyber Underwriter Lars Hedensjö, If