Industrial control systems (ICSs), such as production systems or critical infrastructures, are an attractive target for cybercriminals, since attacks against these systems may cause severe physical damages/material damages (PD/MD), resulting in business interruption (BI) and loss of profit (LOP). Besides financial loss, cyber-attacks against ICSs can also harm human health or the environment. Thus, it is of utmost importance to manage cyber risks throughout the ICS’s lifecycle (i.e., engineering, operation, decommissioning), especially in light of the everincreasing threat level that is accompanied by the progressive digitization of industrial processes. However, asset owners may not be able to address security risks sufficiently, nor adequately quantify them in terms of their potential impact (physical and non-physical) and likelihood. A self-deceptive solution might be using insurance to transfer these risks and offload them from their balance sheet since the underlying problem remains unsolved. The reason for this is that the exposure for asset owners remains and mitigation measures may still not be implemented adequately while the insurance industry is onboarding unassessed risks and covering it often without premium and without managing the potential exposure of accumulated events. This Dagstuhl Seminar aims to provide an interdisciplinary forum to analyze and discuss open questions and current topics of research in this area in order to gain in-depth insights into the security risks of ICSs and the quantification thereof.

In this seminar, we will focus on the issues of managing security risks in the context of ICSs with special emphasis on the economic aspects relevant to (re)insurance companies. Since academics and industry experts from diverse fields are involved in this highly interdisciplinary topic, we start the seminar by discussing specific terminologies and concepts of participating disciplines. After establishing a common ground, we outline key issues and research questions from different perspectives (viz., computer science, automation engineering, actuarial science), which will be addressed in this 5-day seminar. In line with the overall theme of the seminar, these issues or questions will concentrate on cyber insurance aspects. For instance, consider the issue of cyber accumulation that reinsurers have to deal with. Malware can spread rapidly and infect ICSs around the globe, including critical infrastructures. If multiple reinsurers fail to cover the damages caused by such cyber epidemics, the insurance industry could collapse. To counter the threat of world-wide cyber catastrophes that can even have devastating effects on the economy, we will discuss attacker models necessary to launch large-scale cyber-attacks against multiple industrial plants as well as the quantification of such cyber threat scenarios.

Based on the identified issues or questions, the participants will be divided into small groups to discuss a specific set of topics. Furthermore, the participants are encouraged to change groups throughout the seminar to contribute with their expertise on various topics. Group discussions and short presentations given by participants are complemented by individual work time to provide participants the opportunity to reflect on the topics discussed. As we cherish the philosophy of Dagstuhl seminars, we want to provide an open, vibrant, and inspiring atmosphere.

Creative Commons BY 3.0 DE

Simon Dejung, Mingyan Liu, Arndt Lüder, and Edgar Weippl