Cyber threats on infrastructure

Targeted cyber attacks on critical national infrastructure are expected to rise “significantly” this year, according to a political and security risk consultancy.

By the end of 2016, Control Risks forecasts a 37% rise in the severity of cyber attacks targeting industrial control systems (ICS), such as those relating to power, transport, water, gas and other critical infrastructure.

In December, a cyber attack on a power network in Ukraine resulted in a blackout for thousands of energy customers for more than six hours. The outage, which Ukrainian authorities blamed on Russia, was caused by a sophisticated attack using malware.

In another worrying trend, Control Risks forecasts at least 45 nation states will be actively conducting cyber attack operations in 2016. It predicts that the impact of those attacks will increase by more than 15%, although not all countries will be targeted equally, however.

According to Deloitte’s Asia- Pacific Defense Outlook 2016, the ‘Cyber Five’ – South Korea, Australia, New Zealand, Japan and Singapore– are nine times more vulnerable to cyber attack than other Asian economies.

“Attackers will also increasingly focus on manipulating data, affecting its integrity rather than its confidentiality or availability,” Control Risks Hong Kong managing director Ben Wootliff added.

Should the government intervene?

The boss of the largest Lloyd’s insurer has called on governments to cover the risk of cyber attacks, arguing that the potential liabilities are too large for insurers to cover alone. Stephen Catlin, founder of Catlin Group, said cyber security presented the “biggest, most systemic risk” he had encountered in his 42-year career, in part because a vulnerability in widely-used software or internet architecture can affect systems globally, putting the industry on the hook for simultaneous, multibillion-dollar payouts.

At a StrategicRISK event last year, Zurich Singapore chief executive Jonathan Rake mooted a public- private partnership: “By bringing the public and private sectors together, enforcing regulation and bringing in companies like ourselves to advise and provide some capacity, you’re creating a new industry, effectively.”

XL Catlin financial lines underwriting manager, Asia, Ralph Sherbahn agreed. “The effort to mitigate and safeguard against cyber attacks has to be shared by both industry and government to be truly effective,” he said. “This is especially relevant in Singapore where the government most recently unveiled its blueprint to develop Singapore into a ‘Smart Nation’.”

Governments have established schemes to provide cover for events such as terrorism and floods – such as Pool Re in the UK and the Australian Reinsurance Pool Corporation – when the insurance market was unwilling to do so independently. But FireEye Asia- Pacific chief technology officer Bryce Boland said: “We must be wary of using public funds to pay for the failings of duty of care and diligence in operating private institutions.” As with bailing out banks, such a plan risked privatising benefits and socialising losses.

Lockton Singapore chief executive Peter Jackson said governments should be doing more. “But how much can a government do when the criminals are in central Europe, West Africa or North Korea? It’s a global problem and co-ordination among governments is notoriously slow and inconsistent.”