When cyber threats get physical

In a series of three articles on the evolution of cyber risks, Laura Oliver and Seaton Gordon consider what developers, owners and occupiers should do to protect themselves – beginning this week with a look at how cyber threats can cause physical damage and disruption to bricks and mortar.

Originally published in Estates Gazette on 16 January 2021

In 2013, Google was successfully hacked. Not through its online platforms, but through its building management system (BMS). The hackers, two IT security researchers, were proving a point. The BMS installed in Google’s Wharf 7 office in Sydney, Australia, used older software which was vulnerable to cyber attack. Once logged in, the hackers could access various control functions including alarms and overrides. Had they had malicious intent, the outcome could have been both disruptive and expensive.

When we talk about cyber threats, the inclination is to think about hackers stealing data or installing malware that shuts down IT systems. The fact is, the physical buildings we occupy are themselves vulnerable to cyber attacks because the modern built environment is hardwired into technology that requires access to online platforms. If those platforms are compromised, there is real potential for serious disruption to occur.

Moreover, physical damage to the buildings is not impossible. Heating, cooling and power management systems are examples of functions that, if attacked, have the potential to generate physical damage. It is also not unusual for IT infrastructure (the hardware) to be affected by an attack and rendered useless (“bricking”). Since the late 2000s, the risk of physical damage has become a reality, and we have seen a series of high-profile hacking incidents hitting international headlines.

Cyber threats in the headlines

• In 2010, a malware program called Stuxnet (widely thought to have been developed by the US and Israeli governments) was discovered to have targeted Iran’s uranium enrichment plant and manipulated computer systems to cause systematic failures in the plant itself – the first confirmed cyber attack that caused physical destruction.
• In 2014, hackers struck a steel mill in Germany using a spear-phishing attack (targeted e-mails containing malware that appear to come from a trusted source) to infiltrate the corporate network. The mill’s systems were compromised to such an extent that a blast furnace could not be shut down correctly, causing massive physical damage to the mill.
• In 2017, Saudi Arabia’s oil refineries were attacked by Triton, another malware programme designed to attack safety systems, which caused the refinery processes to shut down. It later emerged that a poorly configured firewall allowed hackers to access computers within the organisation and, from there, operational technology.

Identifying vulnerabilities

Industrial buildings are particularly exposed to physical disruption and damage flowing from cyber attacks due to their reliance on industrial control systems that were never intended to be connected to the internet.

Computerised industrial controls have been in use for some time but legacy systems were designed to operate in isolation and frequently use ageing software. Connecting them to the internet can generate efficiencies, but also exposes older systems to modern attacks. High profile industrial and critical infrastructure cyber attacks are alarming, but more everyday targets are also vulnerable, including shopping centres, distribution warehouses, offices and hotels.

Like Google’s Wharf 7 office, most modern commercial buildings use a BMS to monitor and control mechanical and electrical equipment and other systems. With more affordable and widespread wireless technology, these BMS have become increasingly sophisticated but, if inadequately secured, come with increased risk. If hackers manage to access the network, they can cause physical damage and disruption by manipulating the mechanical and electrical equipment.

For example:

• Manipulating the HVAC systems can make working in a building uncomfortable at best or dangerously impossible at worst.
• The energy consumption of a building can be destabilised by unauthorised powering up or down of lights.
• Security cameras or motion detectors can be turned on or off, or footage deleted to mask criminal activity.
• Access control systems can be manipulated so that privileges can be revoked or granted to the whole building (via card readers or otherwise) or doors opened to off-limits areas.
• Fire-monitoring and suppression systems can be triggered, including alarms and sprinklers.
• Lift access controls can be suppressed or overridden.

Apart from the physical damage and disruption, personal data and confidential information can also be compromised through inadequately secured BMS devices, as we will explore more in our next article.

Responsibility for these vulnerabilities may lie with any number of stakeholders.

The BMS supplier might not have built a secure product; the property developer might not have installed or integrated the BMS adequately; the end user may have weak security practices (technical or physical). The common theme is that with greater integration of technology into the fabric of our buildings, there is a corresponding need to ensure that the technology that sits behind it is properly maintained and replaced.

The boom in cyber threats has led to a corresponding boom in cyber security services. Most well-advised corporations invest in them, and building managers should ensure that their systems and controls are up to date.

Insuring against cyber attacks

While there is no substitute for a robustcyber-security profile (prevention being better than cure), insurance will form a part of many organisations’ risk mitigation strategy. The cyber insurance market is comparatively mature, having been at the forefront of assessing the exposure to cyber risks for more than a decade now. Issues remain, however, and physical damage caused by cyber attacks is by no means a risk covered as standard.

The ability for cyber risks to fall into the gaps between traditional insurance coverage lines is well understood: the losses can have elements that may trigger claims under several different types of policies – for instance, damage to tangible property (“bricked” laptops), traditional buildings insurance, business interruption, crime (theft following payment diversion fraud) and professional negligence (claims following a loss of data).

When it comes to physical damage to buildings covered by traditional buildings insurance policies, there is the potential for a cyber-generated loss to constitute “malicious damage”, which is typically included as an insured risk. This is because, for the most part, it is comparatively easy to assess malicious motive in a cyber event – most breaches we see are malicious, apart from the odd instance of negligence or mistake. The same cannot be said for “terrorist threats”, which require a political, religious or ideological motive.

A key battleground, given the potential losses, is business interruption. The physical damage to a building may itself be negligible, but could still generate issues that cripple the business. For example, an attack that leads to failures in the HVAC systems or an air quality monitor could easily render a building temporarily unsuitable for occupation. Depending on the building’s function, that may generate immediate and costly issues – for instance, within a factory or distribution warehouse.

A claim under a business interruption policy may trace the root cause of the issue back to a cyber event and result in associated coverage issues. For insurers, this is the “silent cyber” problem – ie the extent to which a cyber event may prompt cover in an unexpected way, simply because it falls broadly within a defined trigger or defined loss and wasn’t specifically excluded. It has led to some high-profile wrangles.

The insurance market is beginning to adjust to these new challenges. Since 1 January 2020, Lloyd’s underwriters writing first-party property damage insurance policies have been required explicitly to affirm or exclude coverage for cyber events. However, cover for physical damage is hardly the norm in such policies (and this extends to any consequent business interruption losses).

Depending on the nature of the damage and the terms of the various insurance policies in place, a potential gap in cover therefore remains, and owners and occupiers should not assume that physical damage or disruption will be covered by insurance.

Who pays?

Depending on whether they have outsourced their IT security functions, owners and occupiers may have a claim against their technology provider in relation to a cyber attack if they can establish that negligence or breach of contract in the provision of the relevant services resulted in loss.

Where a building is subject to an occupational lease, the lease will dictate who pays for insurance cover and what happens if a building is damaged by an insured risk. It would be unusual for a lease to specify cyber attack as an insured risk, but (as explained above) a reference to malicious damage or terrorism may well be sufficient to bring a cyber attack within the insurance provisions in the lease.

Those provisions will determine whether the landlord has an obligation to procure cover and whether the landlord or the tenant bears the risk of any physical damage caused, but landlords and tenants who are particularly concerned about cyber risks (perhaps because the nature of the building makes it particularly vulnerable to cyber attack or the tenant itself is a high-risk target) should consider including specific provisions in the lease. Tailored insurance may be a solution, but cover for physical damage may come at a premium.

An evolving risk

Real estate has embraced technological advances, and buildings are more responsive, ecological and user-friendly than ever. Cyber threats must not be allowed to derail this evolution, but property developers, owners and occupiers should be aware of the physical risks inherent in the technology and ensure they have the means to prevent, combat and mitigate the risks of cyber attacks.