When Cyber-Physical Risk Becomes A Life-Safety Threat
For decades, cybersecurity was largely viewed as a technology problem. Organizations worried about stolen data, ransomware and disruptions to business systems. While those concerns remain valid, discussions at the Cyber Safety Summit held June 10th in Washington, D.C., highlighted a growing reality: cyber threats are increasingly targeting systems that control the physical world.
Hosted at the National Academy of Sciences and supported by organizations including Building Cyber Security, the National Academy of Construction and the Society of American Military Engineers, the summit brought together leaders from government, engineering, cybersecurity, insurance and academia. The central theme was cyber-physical risk – the threat posed by cyber incidents to disrupt essential services, physical operations and public safety.
As buildings, utilities, transportation systems, healthcare facilities and industrial operations become increasingly connected, cyber risk has moved beyond the IT department and become a broader operational and governance challenge.
Cyber-physical Risk Threatens Critical Infrastructure
Nick Andersen, acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, described a threat environment in which adversaries are increasingly focused on infrastructure and operational technology. He compared the current state of cybersecurity practices to unregulated medicine before professional standards existed, when consumers were sold on magic elixirs and tonics.
Andersen emphasized the difference between disruptions that affect convenience and those that affect essential services. “It’s one thing for people to be inconvenienced when they can’t log in to Instagram or check their email,” he said. It is another when cyber incidents affect access to healthcare or other critical services, and he stressed the responsibility that industry and government have to push the conversation. “We are asking the American public to live with a tremendous amount of risk that I don’t think they realize,” he said.
Andersen and other speakers noted that adversaries are pre-positioning within critical infrastructure systems and waiting for opportunities to act. He also warned that advances in artificial intelligence are lowering barriers to entry for cyber attackers, making sophisticated capabilities accessible to a much broader population.
The concern extends beyond nation-state actors. Participants noted that criminal groups often create unintended operational consequences when targeting systems for financial gain. The result can be disruptions that affect public services even when the original objective was economic benefit rather than physical threats or terrorism.
For boards and executives, the implication is straightforward: cyber threats and incidents cannot be viewed solely through the lens of data and reputation protection. Increasingly, they have the potential to affect operations, safety and public trust.
Cyber-Physical Risk Creates a Different Insurance Challenge
While cybersecurity professionals discussed threats, insurance leaders focused on consequences.
Gerry Kennedy, CEO of Observatory Strategic Management, framed the issue through the lens of insurability. In opening remarks, he noted that the insurance industry has spent decades developing models for hurricanes, earthquakes, floods, wildfires and other catastrophic events. Operational technology, however, presents a fundamentally different challenge.
“Never in the history of insurance have we ever seen this level of aggregation of risk,” Kennedy said. He further explained that traditional catastrophes such as hurricanes and wildfires are generally limited to one region. Operational technology introduces the possibility that a single vulnerability could exist simultaneously across thousands of facilities and many regions.
Kennedy argued that a cyber event involving widely deployed operational technology could trigger losses across multiple lines of insurance at once, including cyber, property, business interruption, professional liability, workers’ compensation, environmental liability and even directors and officers coverage.
This is a significant shift in perspective for insurers, because it moves the discussion from whether an individual organization is vulnerable to whether a common technology dependency creates exposure across entire industries. Traditional underwriting models were not designed to evaluate this level of systemic risk.
Sezaneh Seymour, vice president and head of regulatory risk and policy at Coalition, observed that property insurers would never knowingly insure every house on a single beach, to avoid a concentration of risk in one area. Yet cyber insurers often discover that large portions of their portfolios depend upon the same technologies, platforms or service providers.
Steven Schwartz, co-founder and general partner at FireTower Risk Solutions, also noted that one technology vulnerability can extend across many facilities and thousands of customers simultaneously, with property insurance often containing specific exclusions for cyber-attacks. “A lot of the market is not covering the exposure today,” he said. “Those who will not be covering this exposure will only be so relevant.” As a result of this risk, his focus is on introducing new risk transfer products.
For insurers, owners and operators, the challenge is understanding what technologies exist, where they are deployed and how those technologies connect to critical operations. It is difficult to assess, price or mitigate risk effectively without this visibility.
Long-Lived Assets Increase Cyber-Physical Risk
Nicholas Leiserson, senior vice president for policy at the Institute for Security and Technology, noted that many infrastructure decisions remain in place for decades. Because technologies deployed today will continue operating for that long, determining liability becomes difficult. Decisions about connectivity, remote access and operational technology made today will influence risk for the useful life of the infrastructure.
Cyber incidents affecting physical infrastructure can create ripple effects well beyond the original target. Disruptions to logistics, transportation, communications, healthcare or energy systems can quickly spread through supply chains and regional economies. The result is a category of risk that extends beyond cybersecurity teams and into broader business continuity planning.
Summit organizer Lucian Niemeyer, CEO of Building Cyber Security and former assistant secretary of defense for energy, installations, and environment, pointed out that architects and engineers carry professional liability and errors and omissions insurance, and builders carry builders’ risk insurance. He asserted that the discussion needs to extend to cover the cyber risk inherent in these roles.
Cyber-Physical Risk Is A Governance Issue
One of the most important takeaways from the summit was that cyber-physical risk cuts across organizational silos.
Traditional cybersecurity programs are often led by information technology teams. Operational technology, however, frequently falls under facilities, engineering, manufacturing, operations, safety or security functions. As those systems become increasingly connected, responsibility becomes more distributed. Technology controls alone are insufficient, and coordination across disciplines and leadership teams is required.
Alison King, vice president of government affairs at Forescout, argued that organizations should prioritize risk mitigation over risk transfer. Insurance remains important, but it does not eliminate the need to reduce exposure before an incident occurs.
For boards, this raises important questions. Do directors understand which operational systems are connected? Do they know which services are most critical to continued operations? Have they evaluated how disruptions to physical systems would affect customers, employees, and communities?
Those questions increasingly belong in enterprise risk discussions rather than technology or audit committee reviews.
Preparing For A Future Defined By Cyber-Physical Risk
The Cyber Safety Summit focused on understanding how the growing convergence of digital and physical systems is changing the nature of risk. As organizations continue to connect buildings, infrastructure, manufacturing systems, healthcare equipment and transportation networks, cyber incidents will increasingly have consequences beyond data loss.
Cyber-physical risk is no longer a cybersecurity issue. It is an operational issue, a resilience issue, and increasingly, a governance issue. Insurance and professional standards need to evolve to respond.