More than a decade ago, hackers gained access to and took control of a blast furnace inside a German industrial site. They turned the temperature up well beyond 2,000 degrees, and the attack resulted in a portion of the factory burning down and met the hackers’ goal of closing the plant.
This was one of the earliest reported “jackware” attacks.
“It is not just people going in and doing a typical ransomware attack for money. They are motivated by other reasons, or at least claim they are,” said Daniel J. Healy, a partner with Anderson Kill. “Those are the types of people that have historically engaged in jackware attacks.”
Jackware is similar to ransomware in that it features an outside hacker taking control of a system and disrupting the flow of information. However, jackware is different in that the attack isn’t aimed at the computer system itself, but rather at embedded devices in machinery or at smart devices themselves that perform other functions, according to Healy.
“With ransomware, they (hackers) are really trying to hold onto your data, they want to take control of it and make you pay to get it back,” Healy said during a RISKWORLD education session. “Jackware is not focused on that. Jackware wants to take over your machine and make it do things you don’t want it to do.”
While the term jackware is relatively new, these types of events have been occurring for more than a decade, he explained, adding: “What has really been changing is the prevalence that we are seeing it take place. For risk managers and people who are concerned about insurance, this is becoming a much bigger topic.”
In addition to having a different focus, jackware also results in much different insurance losses, Healy said, explaining that these types of incidents can lead to bodily injury and property damage.
“For those that are familiar with cyber policies, they aren’t really designed to cover that (injury/property damage),” he said. “Even though this is a cyber event, you could be looking at losses that are dramatically different than a ransomware scenario.”
As an example of the potential losses caused by jackware, Healy said to imagine someone taking over a connected car, driving it to a port and having it crated up and “off it goes.”
“It is funny to think about, but it could be done,” he said. “Maybe that isn’t going to affect every business, but if you have fleets of vehicles that are semi-autonomous then you’re at risk. If someone takes them over and crashes, that could lead to property damage.”
One of the easiest places to look for coverage following a jackware event is a commercial general liability (CGL) policy, which is designed to cover bodily injury and property damage.
“They (CGL policies) have also repeatedly been found in widely reported, recent cases to apply to cyber events and cyber-related losses, what the people in London would call ‘silent cyber,’” Healy said. “Even though you have a cyber event, think about your CGL policy if jackware is involved and you have bodily injury or property damage.”
A recent example of a CGL policy responding after a cyber incident is a case involving Target and the cost to replace payment cards from the retailer.
CGLs also have a broad duty to defend cases involving third-party property damage.
“As you know, cyber policies are not a standard form. There isn’t a whole set of case law that says how broad the duty to defend is under the cyber policy,” he said. “A CGL policy has all of that and in most states the duty to defend is quite broad.”
Property policies are the next place to look for coverage after a jackware incident, according to Healy, who noted that case law in the past two to three years has found coverage under property policies for cyber-related losses.