“Who here speaks German?” I asked somewhat rhetorically, spinning around to address the rest of the Advisen office.
Truth is, I didn’t do that. But I almost did. Turns out, I might have seen a hand raise. I learned our CFO indeed speaks some German.
But because I happen to like my CFO, I wouldn’t have thrown the German government’s Bundesamt für Sicherheit in der Informationstechnik (BSI) December 2014 report on his desk, demanding an English translation.
My CFO would not have been able to give me the answer to questions that have been keeping me up at night:
“What the heck is the name and location of the German steel plant everyone refers to when the topic of cyber-induced property damage comes up? And when did this happen?”
This information is not contained in the Bundesamt für Sicherheit in der Informationstechnik, or Federal Office for Information Security (the extent of my translation efforts), report. The BSI said a German steel factory suffered massive damage caused by a cyberattack on its network because unknown hackers gained control, via spear phishing, of a blast furnace.
The report, however, does not satisfy the general who-what-where-when requirements of journalism. And I simply do not know the Germans well enough to take their word for it. Nevertheless, this story got a heck of a lot of play and still is the go-to example of physical damage caused by a cyberattack (Never mind that Stuxnet digital weapon the US used to throw a giant wrench in Iran’s efforts to build nuclear weapons).
Advisen’s Property Insights Conference on June 4 will address the topic of cyber property risks and within our description of the sessions we also refer to this unnamed German steel plant. Two (2!) solo presentations–from the likes of AIG’s John Gambale and Beecher Carlson’s Chris Keegan will follow a panel discussion including Chris DeMunbrun, a special agent with the US Secret Service. Surely he’ll be able to tell us the name and location. You know, don’t you Mr. DeMunbrun. Gambale? Keegan?
I’ve asked around. Earlier this month at our Cyber Risk Insights Conference in Chicago the topic of property damage from cyberattacks came up. I must have asked a half dozen people for the name. At least three used it–as everyone does–as an example of the catastrophic thing that could happen. No one knew the name of the plant. “Do you know?!” they asked, half-heartedly chuckling.
I found a report from SANS Industrial Control Systems, in glorious English. Following SANS’ summary of the incident, it includes a “credibility rating,” which I thought was a cool idea. This one ranked a 4. On a scale of 0-5, a 4 means “probably true.” SANS apparently has some experience with BSI and said has “shown accuracy with regards to incident reporting.”
I’m by no means denying the possibility of severe property damage from a cyberattack. No way. But this is like talking about property damage from an asteroid strike and referring to a Chinese report claiming one hit them a while back…a few months ago, sometime…somewhere. You know. It was really bad. Lots of stuff got crushed.
We need examples. It’s just our nature, especially in the insurance industry. Of course we know how bad it would be if a giant asteroid hit Philadelphia and of course we know that because of the interconnectedness of everything, our infrastructure is at risk. But we need to know it happened somewhere for it to be real.
But, please, someone tell me the name and location of this German steel mill. I’ll buy you a drink afterward if you just tell me. I swear I won’t repeat it. I probably won’t even be able to pronounce either the plant name or location.
I just need some sleep.