Product Family


Associate – Risk Consulting, Environmental, AXA XL

There is a common misconception that the effects of cyber attacks are limited to the digital world. A phishing attack leads to a data breach. A ransomware attack results in encrypted files. A denial of service (DNS) attack on a website results in the site being offline. All costly. All inconvenient. But all effectively limited to a virtual space.

The truth is much more complicated. In today’s ever-more-connected world, a hacker from hundreds or even thousands of miles away can cause IRL (In Real Life) consequences like fires, explosions and even chemical spills. That’s right. Cyber crime or cyber terrorism can be a pollution liability risk.

Imagine this. You work for a water treatment authority that is interviewing for a new IT staffer. One of the rejected applicants takes the decision personally and decides to retaliate by hacking your systems. Once compromised, the attacker is able to release hundreds of thousands of liters of raw sewage, resulting in extensive environmental and physical damage.

If you think that sounds like a plotline from a new streaming crime drama, you’d be wrong. That very scenario happened in Australia back in 2000. You might be tempted to further think, “That was SO long ago. Systems are much more secure now.”

Again, you’d be wrong.

Of course, there are more sophisticated tools available to protect against attacks. But there are also much more sophisticated techniques that cyber attackers are using. There is a literal arms race going on in this global digital ecosystem with the good guys trying to stay a step ahead of the bad guys. And vice versa.

What’s in a name?
Terms such as cyber crime and cyber terrorism seem to be interchangeable and somewhat confusing.

  • Cyber crime is generally defined as a crime in which a computer is the target (hacking, phishing, spamming, etc.) or is used as a tool to commit an offense
  • Cyber terrorism uses the internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation

Strip away the term “cyber” and definitions are analogous to their IRL cousins. A key difference is that the weapon of choice is lines of code.

Are you a target?
No organization is immune to cyber threats. But as with all risks, the effects greatly vary by industry. Of the critical industries and infrastructure identified by the US Department of Homeland Security (DHS), there are numerous categories that have pollution exposures from a cyber attack, including:

  • Refineries
  • Bulk storage facilities
  • Pipelines
  • Power plants
    Wastewater treatment plants


There is a literal arms race going on in this global digital ecosystem with the good guys trying to stay a step ahead of the bad guys.

There’s a cliché for that
It’s said that those who do not learn from history are doomed to repeat it. That is certainly true in the realm of cyber risk. Here are a few notable examples of cyber attacks from the last few years:

Year Target Result
2014 Steel Mill Blast furnace damage
2015 Ukraine Power Grid Extensive, prolonged power loss; disabled and destroyed IT infrastructure
2017 Saudi Arabian Petrochemical Plant Production system shutdown (the intent was to trigger an explosion)
2017 US Power Companies A proof of concept attack that compromised systems to a point where they could have been disabled or sabotaged
2018 City of Atlanta, Georgia (US) Phishing and ransomware attack forced shutdown of city digital service and Atlanta International Airport WiFi
2019 Oil & Gas Machinery Companies (worldwide) Attacks on more than 200 different companies attempted to steal secrets and erase data

Being vulnerable. And not in a good way.
Companies are at risk of attacks that come in two basic categories – opportunistic and targeted. Most attacks via the internet fall into the former category.

As the name implies, attacks take place when a vulnerability is found. Targeted attacks, on the other hand, are aimed at a specific person or entity for a specific reason. Because targeted attacks are tailored to the intended victim, they are harder to combat.

In either case, hackers will deploy a variety of tactics to penetrate a network and organizations must pay attention to threats that can come from:

  • Malware
  • Unsecured wireless connections
  • Social engineering, such as phishing
  • USB devices
  • Unsecured network connections
  • Poor data storage/data security practices
  • Substandard physical security

What a tangled web
The “Internet of Things” (IOT) has created a world of connected convenience. It has also help create a world of increased cyber liability. We’ve heard stories of residential camera and other home systems being hacked. And just like homes use IOT and other interconnected systems for convenience and efficiency, so do critical industries used for petroleum, chemical, manufacturing, marine, water/wastewater and electric utility facilities.

These highly complex systems control operations that have the capacity to release poisonous chemicals, crude oil, toxic gases and even sewage. The transportation industry also relies on these systems to get people and materials safely from place to place. Vulnerabilities in these systems can result in devastating consequences.

New innovations bring new risks
The very nature of what makes tech so beneficial is also what makes it so risky. Every new tech advance brings with it a commensurate set of risks. Areas of emerging risk include:

  • 5G technology
  • Cloud services
  • Autonomous vehicles and drones
  • Artificial intelligence (AI) and machine learning
  • “Internet of Things”

Even a relatively benign system, like traffic navigation, can be vulnerable in ways its developers never imagined. For example, in February 2020, a German artist turned Google Maps against itself using nothing but a wagonload of 99 mobile devices using Google Maps. As he walked slowly through the streets with the wagon, the result was a traffic jam that didn’t even exist. Even though his intention was ostensibly artistic expression, the result was a well-established system that was disrupted in a completely new way. Just imagine the damage that hacked transportation safety systems could create from accidents involving multiple hazardous materials.

But there’s good news
It may sound like fighting the hackers is an uphill battle. And sometimes it is. But there are steps your organization can take to protect itself, especially the following:

  • Appointing a cyber security officer
  • Managing access control to company computer systems
  • Implementing effective password management
  • Setting appropriate levels of system access for each user
  • Providing effective and recurring training and awareness
  • Implementing system monitoring and incident management
  • And more

Yes. It can happen to you. And probably will.
You don’t need to be a major multinational corporation to be victim of a cyber attack. Remember, one of the largest data breaches happened because a relatively small HVAC contractor had access to Target’s systems that were vulnerable to attack.

And, unfortunately, there is no cookbook or “off the shelf” prevention template with blanks to be filled in for critical industry cyber security. You must perform in-depth vulnerability analysis of your operations, equipment, procedures, physical security and personnel to develop a security program tailored to deter and manage cyber exposures.

Fortunately, AXA XL’s teams can help. You can learn more about this topic by reading our whitepaper. Then contact your broker. Our expert underwriters and claims people will sit down with you to help you manage your risks.


To contact the author of this story, please complete the below form

Invalid First Name
Invalid Last Name
Country is required
Invalid email
Invalid Captcha

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. In this respect, our property loss prevention publications, services, and surveys do not address life safety or third party liability issues. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. The provision of any service does not imply that every possible hazard has been identified at a facility or that no other hazards exist. AXA XL Risk Consulting does not assume, and shall have no liability for the control, correction, continuation or modification of any existing conditions or operations. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any document or other communication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with our services, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.