Policy Paper No.7

Cyber Insurance as a Contribution to IT Risk Management

RiskViz – Providing a risk situation picture of industrial IT security in Germany

Cyber attacks on critical infrastructures are having an increasingly negative impact on the private sector and governments, and thus also on the general public who depend on their services. At the same time, many operators of critical infrastructure are increasingly connecting their Industrial Control Systems (ICS), which are also used in many critical infrastructures, to the Internet to monitor and control their operations in an uncomplicated and inexpensive way. However, past security incidents have shown that connecting an internal IT environment to the Internet can increase vulnerabilities to network breaches, data theft and Denial-of-Service activities in the industrial environment of electricity plants and other critical infrastructure. Yet the federal government, federal states and municipalities, which are in charge of critical infrastructures, have no appropriate means to assess the intensity of threats, vulnerabilities and potential impacts and to make them transparent for operators. Moreover, it is extremely difficult to insure critical infrastructures against damages due to IT security breaches.

Within the framework of its IT Security Research Program, the Federal Ministry of Education and Research is funding the project "Providing a risk situation picture of industrial IT security in Germany" (RiskViz). In a consortium with the University of Applied Sciences Augsburg, the Freie Universität Berlin, Genua mbH, Koramis GmbH, LEW Verteilnetz GmbH, Technologie Centrum Westbayern and MunichRe (associated partner), the Brandenburg Institute for Society and Security (BIGS) will develop methods and instruments to identify ICS that have insufficient protection against cyberattacks. The research project aims to create a search engine that is capable of finding ICS and of collecting relevant information about the system and its risk situation without interfering with its operations.

The overall aim of this project is to improve the German economy's IT security, in particular with regard to critical infrastructures. Within this scope, BIGS will analyze the regulatory framework that is necessary for the development of a market for cyber insurance and will highlight and develop further political and economic instruments that could help to close identified security breaches.
