A report outlines a hypothetical scenario where a cyberattack on an industrial control system leads to flooding from a dam. The scenario describes how a contractor's credentials are stolen via malware, allowing an attacker to access the dam's control system. The attacker maps the network and identifies devices, then causes flooding by slightly raising water release gates without authorization. The flooding could result in significant property damage and economic losses. The report aims to raise awareness of potential "silent cyber" risks from attacks on critical infrastructure systems.
Cyber Attack Opens Dam Flood Gates Causing Economic Loss
1. Proprietary and Confidential
Silent Cyber Scenario:
Opening the Flood Gates
October 2018
This report was a collaboration
with the Cyence Risk Analytics
product team at Guidewire
Table of Contents
Introduction
Dams in the United States
Physical Dam Structures
Control Systems in Dams
Motivations for an ICS Attack
Dam Attack Scenarios
Resulting Damage
Economic Loss Analysis
Insurance Implications
Protection Gap Implications
Reinsurance Implications
Other Considerations
Mitigation Strategies
Conclusion
References
Contact Information
Introduction
Over the past few years, cyber risk has moved from imagined scenarios to a threat that is increasingly
real and prevalent. Cyber insurance products are growing quickly, but at roughly USD 4 billion in
premiums they comprise less than 0.3 percent of the global property-casualty market. The greater
concern for the insurance industry is the potential “silent cyber” risk residing in traditional property and
casualty policies—the risk that a cyber event could trigger payouts under existing policy wordings that
may not have been priced, or accounted for, by the issuing insurer or reinsurer.
This report presents a scenario that triggers “silent cyber” loss. Silent cyber risk is a byproduct of how
businesses have embraced network connectivity and become increasingly reliant on technology. The use
of programmable logic controllers (“PLCs”), Supervisory Control and Data Acquisition (“SCADA”) devices,
and generally the Industrial Internet of Things (IIoT) is growing rapidly, spanning industries such as
transportation, utilities, and logistics, with spending expected to reach USD 500 billion globally by 2020
(Accenture). As the number of connected technologies in control systems increases, so does the
cyberattack exposure of those systems. We aim to help insurers understand silent cyber risk by
describing and assessing a hypothetical situation in which a cyberattack compromises the control
systems of a hydroelectric dam, resulting in flooding to the surrounding area.
Dams in the United States
There are 90,580 dams in the United States (NID, 2016), serving purposes including irrigation,
hydroelectric power, flood control, and recreation. The federal government owns and operates only four
percent of these dams, but this accounts for 80 percent of the “largest and highest-consequence” dams in
the United States (DHS, 2015). In addition, 2,600 (~three percent) of the non-federally-owned hydropower
dams have a capacity of at least 10,000 megawatts, making them regulated by the Federal Energy
Regulatory Commission (FERC). The remaining 93 percent are owned by state and local governments,
public utilities, and private companies, and regulated primarily through state dam safety programs. Over
15,000 dams in the United States are categorized as high-hazard potential because their failure would
likely cause loss of life. This number continues to climb as land development and population increase.
According to the American Society of Civil Engineers, there are over 2,000 high-hazard potential dams
that are deficient due to lack of investment. The consequences of a dam failure could vary greatly
depending on the dam’s purpose, size, location, design, building material, and other factors.
Physical Dam Structures
Although each dam structure is unique, most share the same basic components. In general, a dam is
situated on a waterway such that it restricts the flow of water, resulting in an upstream pool called the
reservoir. Water from the reservoir may be released through gates or outlets to rejoin the river
downstream. In a hydropower dam, the outflow from the reservoir moves through a penstock to reach a
turbine. The kinetic energy of the falling water moves the turbine, and this mechanical energy is
converted into power by an on-site generator (U.S. Department of Interior, 2016).
Exhibit 1: Basic structure of a hydroelectric dam
Source: Guidewire
The dam normally conforms to a strict, standard regulation plan which includes water releases during
low-inflow (normal, non-flood) or high-inflow (e.g. rainfall event or snowmelt) conditions. Under a high-inflow
condition, the water level of the reservoir is reduced to accommodate the inflow by releasing water
through various outflow valves and over the spillway. In the February 2017 Oroville Dam crisis, heavy
rains and flooding in the area forced operators to use the main spillway, and then the emergency spillway
after the main spillway failed. More than 180,000 occupants of the Feather River Basin were evacuated
due to erosion of the emergency spillway, and the incident ultimately caused more than USD 870 million
in damage. This loss resulted from the normal course of operations, combined with unexpected weather
and the aging infrastructure of the dam, rather than malicious activity (Oroville 2018).
Water releases from the reservoir are a vital part of dam function, but they can also be dangerous,
especially for those dams that also serve as recreational areas for the local population. In 2011, a
nine-year-old girl drowned after tubing in the Chattahoochee River during a release from Buford Dam. “The
Chattahoochee can change quickly from a serene slow-moving stream to a swift and treacherous river
when water is released at Buford Dam. During water release, the river can rise up to 11 feet within a
matter of minutes,” cautions the U.S. Army Corps of Engineers. Operators of large dams control powerful
infrastructure assets and must make careful decisions about release timing and outflow rate, sometimes
in an urgent manner.
Control Systems in Dams
Many dams use automated control systems, SCADA devices, and PLCs to obtain both real-time data and
agile reaction to factors such as changes in water level or flow rates. Although some dams still rely solely
on manual operations or electromechanical controls, many use a combination of sensors, automated
controllers, and computers utilizing logic controllers to monitor and adjust water levels and flow. During
our research for this scenario, Guidewire’s Cyence Risk Analytics team and Aon interviewed multiple dam
operators, owners, regulators, and experts involved with dam operations, many of whom spoke with us off
the record. According to one major dam operator, “Each dam has a specific preference for equipment and
vendors used in their installations, and those are supported both internally and externally.” In other words,
the equipment and vendors found in dam systems are very heterogeneous, with a high degree of
customization, making specificity in security standards more difficult to implement across the dam
industry.
These dam control systems are supported by external vendors as well as internal parties, adding to the
number of users with access to sensitive systems. A typical SCADA system in a large dam might include
water level, pressure, and temperature sensors connected to a series of programmable logic controllers
(PLCs) or remote terminal units (RTUs) that convert sensor signals into digital data and perform basic
scripted logic functions – for example, if the sensor detects a water level is too high, the PLC could signal
for an increase in water released from the reservoir. These PLCs and RTUs also communicate with
computers, allowing an operator to interface with the system through a software client, usually provided
by the vendor as part of a packaged SCADA solution. The computer and the field components are
connected in a variety of ways including a local area network (LAN) of telephone, Ethernet, or fiber-optic
cables. This network also hosts a SCADA server and usually a database server for log storage. If longer
connections are required between components, a wide area network (WAN) may be required, using
telephone lines, power cables, or cellular networks. The modern system allows operators to see
visualizations of valve, motor, or electric activities, as well as water level and pressure. A distinguished
researcher and expert in the field said that the motivation for dam owners to install control systems is
related to both performance and profit. “Owners want to get the best return on their investment, which
means adding automation and remote monitoring capabilities.”
The cybersecurity of critical infrastructure assets, such as dams, has become a focal point in recent years
because of several prominent examples of malware designed for industrial control systems (U.S. ICS)
and the physical damage that could occur if these systems were compromised. A notable real-world
example occurred in the deep winter of 2015, when Ukraine experienced widespread power outages
lasting about 6 hours due to a cyberattack that compromised an industrial control system in its power grid.
In addition, sophisticated cyberattacks continue against critical infrastructure in other countries, as seen in
the GreyEnergy campaign observed in the middle of 2018 (Cherepanov, 2018).
In 2016, for the first time, the Industrial Control Systems Cyber Emergency Response Team (U.S.
ICS-CERT) included dams in its assessments along with other types of infrastructure such as chemical plants,
manufacturing facilities, and wastewater treatment. ICS-CERT performed 98 assessments in FY2016 and
recorded 94 instances of weak boundary protection of the control system, which could facilitate
unauthorized access. ICS-CERT discovered 42 unnecessary services, devices and ports on subjects’
control systems, as well as 36 instances of weak identification and authentication management.
According to ICS-CERT, U.S. national infrastructure, including the dam sector, continues to be a
target-rich environment for cyberattacks. In 2016, the Justice Department unsealed an indictment of an Iranian
national, Hamid Firoozi, who is believed to have breached the control system of the Bowman Avenue
Dam in Rye Brook, New York between August 28th and September 18th, 2013. The SCADA system,
installed only a few years earlier, was connected to the Internet through a cellular modem. Aon Cyber
Solutions says that improper network segmentation for SCADA networks, such as improper firewalling
between corporate and SCADA networks or direct connection to the Internet, continues to be the most
common problem in the field when testing SCADA system security.
The level of access Firoozi allegedly obtained would allow him to obtain water level and temperature
information and to remotely operate the dam’s gate—except that during that period, the electronic gate
was taken offline for maintenance. Rye Brook is a relatively low-population area in Westchester County,
but a 2007 flood caused more than USD 80 million of damage to the nearby City of Rye. If a hacker had
been able to open the floodgate during a storm, he could have caused comparable damage to local
homes and businesses. As one dam-operating company says, “Cyber threats are one of the highest
concerns due to safety of the general public. Historically, manually-operated components are increasingly
becoming more complex and supplemented with remote capabilities.”
Exhibit 2: Possible network configuration for a dam with ICS components
Note: Once inside the network firewall, access to other devices is possible.
Source: Guidewire
Furthermore, even larger and more significant dams may be at risk for unauthorized access. A 2018
report from the Office of the Inspector General (U.S. OIG) highlighted poor security practices at two
unnamed critical infrastructure dams operated by the U.S. Bureau of Reclamation (USBR). The
evaluation by OIG found that there were 30 total user accounts with system administrator rights and only
25 active users. Ten of these critical access accounts had not had password changes for more than a
year. There were also 18 group accounts with passwords shared among 11 different persons. Seven of
the group accounts had not been used for over a year. These were found to be in violation of the principle
of least privilege and NIST 800-53 Rev. 4. Among other potential vulnerabilities, these weak password
policies and access control policies would potentially allow malicious actors to breach and operate the
control systems.
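The four account weaknesses reported in the OIG evaluation above can be checked mechanically against an account inventory. The following is an added example, not part of the original report or of any OIG tooling; the account names, dates and the one-year threshold applied to every rule are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ONE_YEAR = timedelta(days=365)  # assumed review threshold, mirroring "more than a year"


@dataclass(frozen=True)
class Account:
    name: str
    admin: bool                  # holds system administrator rights
    holders: int                 # number of people who know the password
    password_changed: date
    last_login: Optional[date]   # None means the account was never used


def audit(accounts, active_admin_users, today):
    """Return the least-privilege findings for an account inventory.

    admin_surplus         admin accounts beyond the number of active admin users
    stale_admin_password  admin accounts whose password is older than one year
    shared_credential     accounts whose password is known to more than one person
    dormant               accounts unused for more than one year (or never used)
    """
    admins = [a for a in accounts if a.admin]
    report = {
        "admin_surplus": max(0, len(admins) - active_admin_users),
        "stale_admin_password": [],
        "shared_credential": [],
        "dormant": [],
    }
    for a in accounts:
        if a.admin and today - a.password_changed > ONE_YEAR:
            report["stale_admin_password"].append(a.name)
        if a.holders > 1:
            report["shared_credential"].append(a.name)
        if a.last_login is None or today - a.last_login > ONE_YEAR:
            report["dormant"].append(a.name)
    return report


# Constructed inventory for illustration only.
TODAY = date(2018, 6, 1)
ACCOUNTS = [
    Account("adm-jlee", True, 1, date(2018, 3, 1), date(2018, 5, 30)),
    Account("adm-old", True, 1, date(2016, 11, 15), date(2018, 5, 2)),
    Account("adm-spare", True, 1, date(2017, 1, 10), None),
    Account("ops-shared", False, 4, date(2018, 1, 5), date(2018, 5, 28)),
    Account("maint-group", False, 3, date(2017, 9, 1), date(2017, 2, 1)),
]

if __name__ == "__main__":
    for rule, value in audit(ACCOUNTS, active_admin_users=2, today=TODAY).items():
        print(rule, value)
```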
Motivations for an ICS Attack
Many cyberattacks, especially the most advanced attacks, are not conducted in isolation but rather are
part of a larger agenda by the attacking group. We refer to the drivers behind such agendas as motivational factors.
Cyberattacks are unique in the sense they carry a level of deniability and lack of absolute attribution,
especially in the case of advanced and methodical hackers. These groups can quickly grow in numbers to
amplify the damage. Cyber motivations can range dramatically, but we propose that they could stem from
some of the following ideologies.
Political and economic relations between nation states could influence cyber threats against one another.
These factors range from preemptive strikes for intelligence gathering, to deep persistence for activated
disruption. Even if companies are not directly targeted, they may still be collateral damage in disputes
between nation states, as seen with the NotPetya attack. We believe these attacks will continue to
advance in the future. Individuals or focused groups with negative sentiment towards a company or
service provide another motivational factor. These groups include hacktivists, insiders, and terrorists, all
motivated to create havoc, cause disruption, garner attention, or make a statement. And lastly, economic
espionage and financial gain is another motivational driver, with the goal of monetizing a cyberattack
through physical or non-physical threats, theft of important secrets or data, diversion of funds, or data or
system hijacking. Should an advanced cyberattacker want to target systems for financial gain, extortion
(such as ransomware) has been a proven method in recent years.
Dam Attack Scenarios
In the following scenarios, we draw on a mix of processes and procedures currently in place at dams
across the United States, without naming any specific company or provider.
A local, privately-owned dam based in the United States provides hydroelectric power for many
communities, businesses, and residents, as well as a safe recreation area down the river. The dam is
remotely operated and monitored, and only has workers on premises every few weeks to test systems,
update hardware and ensure structural integrity.
To conduct these checks, the dam owner contracts several engineering consulting firms for services that
range from construction and physical damage repair to integration and upgrades of IT systems.
Contractor X employs 50 personnel that provide professional services to a variety of industrial sectors,
including manufacturing, energy, and utilities. They provide installation and technical support for products
from many major PLC and SCADA vendors that are in use at the dam and have worked on the dam’s
hydroelectric control systems for years.
Contractor X is targeted by an attacker, who sends carefully crafted phishing emails to engineers at
Contractor X which contain a malicious payload under the guise of a corporate document with macros.
One of the engineers unknowingly downloads the malware, which runs code that scans, searches, and
captures information and data from the engineer’s computer and the Contractor X network using a
combination of built-in and open-source penetration testing tools. This allows the attacker to install a
keylogger that captures each keystroke the engineer types. At this point, the attacker merely waits for the
engineer to log in remotely to the dam’s control systems and captures the engineer’s login credentials.
Exhibit 3: Timeline of the attack scenario
Source: Guidewire
Because of the need to operate the dam remotely, each technician who works on the dam has an
individual VPN account to access the human-machine interface (HMI) system at the dam site. They are
granted local administrator rights to perform system updates, maintenance, and operations. The HMI
includes a client application for the SCADA system, with monitoring and control panels of various
components of the system. Once the contractor enters his VPN credentials for the HMI system from his
laptop and authenticates with his username and password, the attacker uses the information he has
obtained to access the system himself.
Once on the dam network, the attacker sets up a rogue Transmission Control Protocol (TCP) proxy and
Address Resolution Protocol (ARP) spoofing to determine common protocols used on the network. ICS
devices are known to communicate to each other using a variety of proprietary and open protocols. The
attacker notices a protocol of interest, the Simple Network Management Protocol (SNMP), and crafts
broadcast requests to look for connected devices on the same network. By using default strings in the
SNMP protocol, the attacker discovers the system name and IP address of several devices from
well-known vendors. Typically, firewalls block unwanted and unusual traffic at the perimeter of the network to
prevent abuse, but because the request is made from inside the network, devices are configured to
respond appropriately. Other devices on the network are probed, and the results are logged and sent to a remote server for
inspection via encrypted communications, which go undetected by the intrusion detection systems on the
dam network.
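Both reconnaissance steps in the paragraph above leave traces that a passive sensor inside the control LAN can flag, even though the perimeter firewall never sees them. The following detection sketch is an added example, not part of the original report; the event format, addresses, sweep threshold and the "public"/"private" community list are constructed assumptions.

```python
from collections import defaultdict

DEFAULT_COMMUNITIES = {"public", "private"}  # common vendor defaults for SNMP v1/v2c
BROADCAST = "10.20.0.255"                    # constructed control-LAN broadcast address
SWEEP_THRESHOLD = 3                          # distinct unicast targets before alerting (assumed)

# Constructed packet metadata, as a passive sensor on the control LAN might emit it.
EVENTS = [
    {"t": 1, "type": "arp_reply", "ip": "10.20.0.1", "mac": "00:aa:00:00:00:01"},
    {"t": 2, "type": "arp_reply", "ip": "10.20.0.10", "mac": "00:aa:00:00:00:10"},
    # Legitimate poll from the HMI using a site-specific community string.
    {"t": 3, "type": "snmp_request", "src": "10.20.0.10", "dst": "10.20.0.21",
     "community": "dam-ro-7f3"},
    # The gateway's IP is suddenly claimed by a different MAC, twice.
    {"t": 4, "type": "arp_reply", "ip": "10.20.0.1", "mac": "00:bb:00:00:00:99"},
    {"t": 5, "type": "arp_reply", "ip": "10.20.0.1", "mac": "00:bb:00:00:00:99"},
    # Discovery with a default community string, first broadcast, then per device.
    {"t": 6, "type": "snmp_request", "src": "10.20.0.50", "dst": "10.20.0.255",
     "community": "public"},
    {"t": 7, "type": "snmp_request", "src": "10.20.0.50", "dst": "10.20.0.21",
     "community": "public"},
    {"t": 8, "type": "snmp_request", "src": "10.20.0.50", "dst": "10.20.0.22",
     "community": "public"},
    {"t": 9, "type": "snmp_request", "src": "10.20.0.50", "dst": "10.20.0.23",
     "community": "public"},
]


def detect(events, broadcast=BROADCAST, sweep_threshold=SWEEP_THRESHOLD):
    """Return (time, rule, subject) alerts for ARP rebinding and SNMP discovery."""
    alerts = []
    first_seen_mac = {}          # IP -> MAC learned first, treated as the baseline
    reported_rebinds = set()     # (ip, mac) pairs already alerted on
    targets = defaultdict(set)   # source -> unicast hosts queried with a default string
    reported_sweepers = set()

    for e in events:
        if e["type"] == "arp_reply":
            baseline = first_seen_mac.setdefault(e["ip"], e["mac"])
            pair = (e["ip"], e["mac"])
            # A second MAC answering for a known IP is the classic ARP-spoofing trace.
            if baseline != e["mac"] and pair not in reported_rebinds:
                reported_rebinds.add(pair)
                alerts.append((e["t"], "arp-rebind", e["ip"]))
        elif e["type"] == "snmp_request" and e["community"] in DEFAULT_COMMUNITIES:
            if e["dst"] == broadcast:
                # Management stations poll known devices; they do not broadcast.
                alerts.append((e["t"], "snmp-default-broadcast", e["src"]))
                continue
            targets[e["src"]].add(e["dst"])
            if (len(targets[e["src"]]) >= sweep_threshold
                    and e["src"] not in reported_sweepers):
                reported_sweepers.add(e["src"])
                alerts.append((e["t"], "snmp-default-sweep", e["src"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Replacing default community strings on every device removes the discovery path itself; the detection covers devices where that has not yet been done.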
Based on the attacker’s enumeration of the connected devices, the malicious actor can locate the specific
product, version, and purpose of many types of equipment. In this dam system, these devices include
autonomous gates and outlets that control the release of water from the reservoir, as well as water level,
pressure, and flow sensors.
For multiple days, the attacker’s presence on the system is both persistent and undetected due to the
stolen credentials. The attacker familiarizes himself with the commands used to perform legitimate dam
operations, including the controlled release of water by slightly raising the gates and outlets. After his
preparation is complete, the attacker executes a command to raise all gates and outlets to maximum
height, causing an uncontrolled and unscheduled outflow of water during the late evening. Due to the flow
and pressure of the water coming down the penstock, the turbine fails, damaging the structure and
reducing the resistance faced by the rapidly moving water. Flooding ensues downriver, causing massive
destruction to the downstream recreation area and to homes and businesses in the wider river valley.
Over the course of the next 24 hours, emergency crews arrive to repair and start containment of the water
outflow.
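The final step of the scenario depends on the control system accepting a command that no regulation plan would issue: every gate to maximum, at night, in one step. The following is an added example of a command plausibility check placed between the HMI and the gate controllers; it is not part of the original report, and the limits, gate names and command format are hypothetical values chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    # Hypothetical operating envelope; real values come from the dam's regulation plan.
    max_step_pct: float = 10.0      # largest single increase in gate opening
    max_total_pct: float = 60.0     # sum of openings across all gates and outlets
    release_start_hour: int = 8     # scheduled release window, local time
    release_end_hour: int = 18


@dataclass(frozen=True)
class Command:
    minute: int        # minutes since midnight
    user: str
    gate: str
    target_pct: float  # requested opening, 0 to 100


def evaluate(commands, state, limits=Limits()):
    """Apply commands to `state` ({gate: opening_pct}) if they fit the envelope.

    Returns a list of (gate, decision, reasons). Held commands do not change
    state and are meant to require on-site or second-person confirmation.
    Closing a gate is never held, so the check cannot block a safe shutdown.
    """
    results = []
    for c in commands:
        current = state[c.gate]
        reasons = []
        if c.target_pct > current:
            if c.target_pct - current > limits.max_step_pct:
                reasons.append("step")
            hour = c.minute // 60
            if not limits.release_start_hour <= hour < limits.release_end_hour:
                reasons.append("outside-window")
            projected = sum(state.values()) - current + c.target_pct
            if projected > limits.max_total_pct:
                reasons.append("total-opening")
        if reasons:
            results.append((c.gate, "hold", reasons))
        else:
            state[c.gate] = c.target_pct
            results.append((c.gate, "allow", reasons))
    return results


# Constructed command log: one routine daytime adjustment, then the scenario's
# late-evening "raise everything to maximum", then a close command.
INITIAL_STATE = {"gate1": 0.0, "gate2": 0.0, "outlet1": 5.0}
COMMANDS = [
    Command(600, "engineer01", "gate1", 8.0),
    Command(1390, "engineer01", "gate1", 100.0),
    Command(1390, "engineer01", "gate2", 100.0),
    Command(1391, "engineer01", "outlet1", 100.0),
    Command(1395, "engineer01", "gate1", 0.0),
]

if __name__ == "__main__":
    state = dict(INITIAL_STATE)
    for result in evaluate(COMMANDS, state):
        print(result)
    print(state)
```

Because the scenario's commands arrive under a valid account, the check keys on what is requested rather than on who requests it.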
Resulting Damage
We analyzed the potential impacts of these scenarios to commercial and residential property at three U.S.
hydroelectric dams. These dams were selected to illustrate low, medium, and high insurance exposures,
respectively. A summary of the dam characteristics appears below in exhibit 4.
Exhibit 4: Overview of selected dams
| Characteristics | Dam 1 | Dam 2 | Dam 3 |
|---|---|---|---|
| Construction type | Earth and rock fill embankment dam | Earth and rock fill embankment dam | Concrete gravity dam |
| Dam height | 170 m | 240 m | 100 m |
| Dam width | 910 m | 2,100 m | 430 m |
| Reservoir capacity | 180,000,000 m³ | 4,400,000,000 m³ | 1,205,000,000 m³ |
| Floodplain area | 140 km² | 3,470 km² | 1,340 km² |
| Floodplain population | 115,000 | 170,000 | 695,000 |
| Exposed Value - Residential | $10,000mn | $24,400mn | $110,500mn |
| Exposed Value - Commercial | $24,500mn | $12,900mn | $90,300mn |
| Exposed Value - Total | $34,500mn | $37,300mn | $200,800mn |
Source: Aon
Dam 1 is an earth and rock embankment dam with only a few outlets for water release. This dam is
located in a rural area with a low population density, but it is part of a larger water system that services
some larger cities in the region. The floodplain of the dam has an area with a population of 115,000 and
total exposed value of USD 34.5 billion. Dam 2 is an earth and rock embankment dam with several
outlets and gates for controlled water release. Dam 2 is located upstream of an area with a population of
about 170,000 and total exposed value of USD 37.3 billion. Dam 3 is a large, concrete gravity dam with
several outlets and gates for controlled water release. Dam 3 is located very close to a large metropolitan
area, with a floodplain population of about 695,000 and USD 200.8 billion in total exposed value.
If one of these scenarios were to occur, it would likely result in property, liability, and affirmative cyber
insurance losses for the dam operator. For purposes of this study though, we are focusing on the much
larger potential impacts resulting from downstream flood damages.
Economic Loss Analysis
With a team of flood modeling experts, we estimated both residential and commercial loss for each of the
three dams [1]. To provide a range of outcomes, we modeled each dam scenario under a conservative
(“high”) set of assumptions as well as a less conservative (“low”) set of assumptions. The results are
shown in exhibit 5.
Exhibit 5: Economic losses (USD millions)
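| Loss | Scenario | Dam 1 | Dam 2 | Dam 3 |
|---|---|---|---|---|
| Residential loss | Low | 2,088 | 3,001 | 18,218 |
| Residential loss | High | 3,467 | 5,677 | 37,006 |
| Commercial loss | Low | 3,885 | 1,857 | 7,940 |
| Commercial loss | High | 5,668 | 2,956 | 18,977 |
| Total loss | Low | 5,973 | 4,858 | 26,158 |
| Total loss | High | 9,134 | 8,633 | 55,983 |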
Source: Aon
The estimated losses represent a wide range of values. With up to USD 56 billion of economic loss
estimated for Dam 3, these numbers indicate the damage that such a cyber risk could cause in the
physical world. Note that Dam 3 is much smaller in size and reservoir capacity than Dam 2, but its
presence near a population center greatly increases its loss potential.
While Dam 3 shows the highest severity, this does not necessarily imply that it would have the lowest
frequency. A threat actor looking to cause disruption to the U.S. would likely seek out more extreme
impacts. As a result, the peril of cyber risk may serve to “inflate” the tail and increase the likelihood of
extreme events relative to what safety experts and flood modelers would expect to see from natural
disasters and accidental failures.
With economic loss estimates completed, we then estimated the insured loss impact for each of the three
dams, which is shown in exhibit 6 [2].
[1] Flood damage estimates were first calculated for each of the three dams on an economic loss basis. For residential exposures,
we used a residential industry proxy portfolio leveraging industry data by zip code, disaggregated to individual locations. For
commercial exposures, we used the Aon proprietary commercial industry portfolio database. Low and high loss estimates were
created by varying the first floor height assumptions and the depth of water throughout the flood area.
[2] Insurance take-up rates, limits, and retentions were then applied to calculate insured losses based on economic losses.
Assumptions were provided by a team of experts in Aon’s flood practice group. Take-up rate assumptions varied by flood zone, and
commercial insurance assumptions varied between small commercial and large commercial entities. We assumed small commercial
insureds obtain coverage from the NFIP program, as did all residential insureds. We assumed large commercial insureds obtain
varying levels of coverage depending on their total exposed value.
Exhibit 6: Insured losses
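| Loss | Scenario | Dam 1 (USD mn) | Dam 1 (%TIV) | Dam 2 (USD mn) | Dam 2 (%TIV) | Dam 3 (USD mn) | Dam 3 (%TIV) |
|---|---|---|---|---|---|---|---|
| Residential loss | Low | 95 | 0.95% | 154 | 0.63% | 3,025 | 2.74% |
| Residential loss | High | 121 | 1.21% | 274 | 1.12% | 4,340 | 3.93% |
| Commercial loss | Low | 1,392 | 5.67% | 585 | 4.54% | 1,681 | 1.86% |
| Commercial loss | High | 1,890 | 7.70% | 788 | 6.12% | 5,387 | 5.96% |
| Total insured loss | Low | 1,486 | 4.31% | 739 | 1.98% | 4,706 | 2.34% |
| Total insured loss | High | 2,011 | 5.83% | 1,063 | 2.85% | 9,727 | 4.84% |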
Source: Aon
Residential and commercial properties have very different insurance outcomes. Residential losses will
flow almost entirely into the National Flood Insurance Program (NFIP), with a negligible amount of risk
covered by private flood policies. Some of the properties affected by these selected dams fall into FEMA
Special Flood Hazard Areas, where flood insurance is mandatory for homeowners with a mortgage. But
most of the properties fall outside these SFHAs, where take-up rates are extremely low. As a result, these
scenarios illustrate a significant protection gap, or underinsurance problem, among U.S. homes that could
be affected by the hacking of a significant dam. At the same time, our model results suggest that a
cyberattack could cause losses to the National Flood Insurance Program ranging from USD 95 million to
at least USD 4.3 billion.
For commercial properties, results will differ between small businesses and large complex entities. Small
businesses typically buy package policies which do not include flood protection. Like residential
properties, small businesses can obtain NFIP coverage, but most do not. Large businesses generally do
obtain flood protection through their commercial property policies, with insurers requiring sublimits in
Special Flood Hazard Areas. In our scenarios, we estimated commercial flood insurance losses ranging
from USD 585 million to USD 5.4 billion across the three dams.
Combining residential and commercial losses, we estimate a total insured loss impact ranging from USD
739 million to USD 9.7 billion, depending on the dam and the intensity of the flooding.
Insurance Implications
In what ways would the insured losses from this scenario be considered “silent cyber” losses?
We define “silent cyber” exposure as the potential for cyber risk to trigger losses on policies where
coverage is unintentional, unpriced, or both. “Unintentional” coverage means not explicitly excluded or
affirmed (with any applicable sublimit). Flood policies have unintentional cyber risk because the proximate
and covered cause on the policy would be the flood—not the cyberattack that causes the flood. Similarly,
flood policies will not be priced for a rise in flood frequency or severity as a result of cyberattacks. As a
result, we conclude that both residential and commercial flood policies will generally have silent cyber
risk.
Protection Gap Implications
As recent natural disasters have shown, a dam hacking scenario of this kind would highlight the
significant underinsurance problem for flood-related perils, as seen in exhibit 7. We estimate an uninsured
loss of USD 4.1 billion to USD 46.3 billion depending on the scenario—meaning that only 12 to 25
percent of economic losses would be covered by insurance.
Exhibit 7: Protection gap losses
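| Loss | Scenario | Dam 1 (USD mn) | Dam 1 (%) | Dam 2 (USD mn) | Dam 2 (%) | Dam 3 (USD mn) | Dam 3 (%) |
|---|---|---|---|---|---|---|---|
| Residential uninsured | Low | 1,993 | 95.5% | 2,847 | 94.9% | 15,193 | 83.4% |
| Residential uninsured | High | 3,346 | 96.5% | 5,402 | 95.2% | 32,666 | 88.3% |
| Commercial uninsured | Low | 2,493 | 64.2% | 1,272 | 68.5% | 6,259 | 78.8% |
| Commercial uninsured | High | 3,778 | 66.7% | 2,168 | 73.3% | 13,589 | 71.6% |
| Total uninsured | Low | 4,487 | 75.1% | 4,119 | 84.8% | 21,452 | 82.0% |
| Total uninsured | High | 7,123 | 78.0% | 7,570 | 87.7% | 46,256 | 82.6% |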
Source: Aon
Reinsurance Implications
Generally, private insurers would get protection from their reinsurers in these scenarios. Property
reinsurance treaties provide for direct physical loss arising from cyber events. Often this protection is for
named perils, and insurers should ensure that flood is on the list of perils.
However, cyber-enabled flood damage could have implications for reinsurers of the NFIP. In the scenario
for Dam 3, reinsurers would be exposed to flood losses.
Other Considerations
The preceding flood assessment and loss calculations are based on three existing dams of varying size
and significance and were selected to demonstrate a range of levels of damage that would occur from a
silent cyber incident. We acknowledge that this analysis is not exhaustive, and we excluded several
potential complicating factors—loss of life, negative health effects, agricultural impacts, damage to the
hydroelectric power plant, the breach of multiple dams in the same water system or that use the same IT
contractors—from the cost model for the sake of simplicity.
Mitigation Strategies
This whitepaper has assumed that a sophisticated attacker is able to carry out the scenario described
above. We understand that dam operators may employ a variety of security controls designed to prevent
this type of unauthorized access from occurring, including: multi-factor authentication, whitelisting,
enforcing least privilege, network segmentation, third-party risk management, and others. It is because of
these controls—as well as the geopolitical repercussions—that we view this scenario as a plausible but
extreme event. The scenario as described is only one way that a motivated actor might carry out the
attack described.
Conclusion
These scenarios illustrate how technology and connectivity, while generally seen as beneficial, could
have unforeseen and undesirable consequences for businesses and homeowners, and by extension,
their insurers. Businesses must consider the security risks that new technologies could introduce into
their environment, including potential impacts on their clients and communities.
Insurers must also consider how changing technologies can cause “established” perils such as flood to
morph into new risks, with resulting changes to frequency and severity. By using scenarios such as these,
insurers have the ability to stress test their portfolios against new and emerging perils created by cyber
risk. With that knowledge, insurers can take steps to mitigate risk, through reinsurance as well as working
with businesses to increase their resilience.
Lastly, we hope this whitepaper draws additional attention to the importance of closing the protection gap
by which flood risk causes harm to society in the U.S. and across the globe.
References
Accenture. 2015. Driving Unconventional Growth through the Industrial Internet of Things. Available at:
https://www.accenture.com/us-en/_acnmedia/Accenture/next-gen/reassembling-industry/pdf/Accenture-Driving-Unconventional-Growth-through-IIoT.pdf
American Society of Civil Engineers. 2017. Infrastructure Report Card: Dams. Available at:
https://www.infrastructurereportcard.org/wp-content/uploads/2017/01/Dams-Final.pdf
Business Blackout: The insurance implications of a cyber attack on the U.S. power grid - Lloyd's of London. Available at:
https://www.lloyds.com/~/media/files/news-and-insight/risk-insight/2015/business-blackout/business-blackout20150708.pdf
Cherepanov, Anton. 2018. GreyEnergy: A successor to BlackEnergy. Available at:
https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf
Coppolino, Luigi, Salvatore D’Antonio, Valerio Formicola, and Luigi Romano. 2011. Integration of a system for Critical Infrastructure Protection with the OSSIM SIEM platform: a dam case study. Available at:
https://link.springer.com/chapter/10.1007/978-3-642-24270-0_15
Donat, Markus G., Andrew L. Lowry, Lisa V. Alexander, Paul A. O’Gorman and Nicola Maher. 2016. More extreme precipitation in the world’s dry and wet regions. Available at:
https://www.nature.com/articles/nclimate2941
5 Promising Water Power Technologies, 2017. Department of Energy Efficiency & Renewable Energy. Available at:
https://www.energy.gov/eere/articles/5-promising-water-power-technologies
Guide to Industrial Control Systems (ICS) Security, 2014. NIST Special Publication 800-82. Available at:
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-82r2.pdf
Industrial Control Systems Cyber Emergency Response Team. 2017. ICS-CERT Annual Assessment Report FY2016. Available at:
https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/FY2016_Industrial_Control_Systems_Assessment_Summary_Report_S508C.pdf
Kutner, Max. 2016. Alleged Dam Hacking Raises Fears of Cyber Threats to Infrastructure. Available at:
http://www.newsweek.com/cyber-attack-rye-dam-iran-441940
Oroville Dam Spillway Incident Independent Forensic Team. 2018. Final Report. Available at:
http://www.ussdams.org/our-news/oroville-dam-spillway-incident-independent-forensic-team-final-report/
15. Proprietary and Confidential
Silent Cyber Scenario: Opening the Flood Gates 15
The National Dam Federal Emergency Management Agency Biennial Report to the United States
Congress, Fiscal Years 2014–2015 FEMA P-1067, 2016 Available at:
https://www.fema.gov/media-library-data/1470749866373-
5de9234b8a02a3577c2646ffdf6eb087/FEMAP1067.pdf
National Inventory of Dams, Corps Map. 2016. Available at:
http://nid.usace.army.mil/cm_apex/f?p=838:5:0::NO
U.S. Army Corps of Engineers. 2018. Water Safety, Lake Sidney Lanier. Available at:
http://www.sam.usace.army.mil/Missions/Civil-Works/Recreation/Lake-Sidney-Lanier/WaterSafety/
U.S. Department of Homeland Security. 2016. Dams Sector Cybersecurity Capability Maturity Model
(C2M2). Available at:
https://www.dhs.gov/sites/default/files/publications/dams-c2m2-508.pdf
U.S. Department of Homeland Security. 2015. Dams Sector Cybersecurity Framework Implementation
Guide. Available at:
https://www.dhs.gov/sites/default/files/publications/dams-cybersecurity-framework-implementation-guide-
2015-508.pdf
U.S. Department of Homeland Security. 2015. Dams Sector-Specific Plan: An Annex to the NIPP 2013.
Available at:
https://www.dhs.gov/sites/default/files/publications/nipp-ssp-dams-2015-508.pdf
U.S. Department of Homeland Security. 2015. Roadmap to Secure Control Systems in the Dams Sector.
Available at:
https://www.hsdl.org/?abstract&did=726297
U.S. Department of the Interior. 2016. Hydroelectric power: How it works. Available at:
https://water.usgs.gov/edu/hyhowworks.html
U.S. Department of the Interior. 2018. U.S. Bureau of Reclamation Selected Hydropower Dams at
Increased Risk from Insider Threats. Available at:
https://www.doioig.gov/sites/doioig.gov/files/FinalEvaluation_ICSDams_Public.pdf
U.S. National Institute of Standards and Technology. 2014. Framework for Improving Critical
Infrastructure Cybersecurity. Available at:
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
16. Proprietary and Confidential
Silent Cyber Scenario: Opening the Flood Gates 16
Authors
Cyence / Guidewire
Matthew Honea
Dr. Yoshifumi Yamamoto
Special thanks to:
Aon Cyber Solutions
Aquarion
Maggie Engler
Dr. Na Xu
Our off-the-record interviewees
Aon
Jonathan Laux
Craig Guiliano
Dr. Megan Hart
Contact Information
Guidewire - Cyence Risk Analytics
Paul Mang
General Manager of Analytics and Data Services
pmang@guidewire.com
George Ng
Chief Technology Officer
gng@guidewire.com
Matt Honea
Director of Cyber
mhonea@guidewire.com
Julie Eichenseer
Director of Global Client Solutions
jeichenseer@guidewire.com
Aon
Greg Heerde
Head of Analytics & Inpoint, Americas
+1 312 381 5364
greg.heerde@aon.com
Catherine Mulligan
Global Head of Cyber
+1 212 441 1018
catherine.mulligan@aon.com
Jon Laux, FCAS
Head of Cyber Analytics
+1 312 381 5370
jonathan.laux@aon.com
About Aon
Aon plc (NYSE:AON) is a leading global
professional services firm providing a broad
range of risk, retirement and health solutions.
Our 50,000 colleagues in 120 countries
empower results for clients
by using proprietary data and analytics to deliver
insights that reduce volatility and improve
performance.
The information contained herein and the
statements expressed are of a general nature
and are not intended to address the
circumstances of any particular individual or
entity. Although we endeavor to provide
accurate and timely information and use sources
we consider reliable, there can be no guarantee
that such information is accurate as of the date it
is received or that it will continue to be accurate
in the future. No one should act on such
information without appropriate professional
advice after a thorough examination of the
particular situation.
Copyright 2017 Aon plc