When Cyber Attacks Reach the Physical World: The Growing Insurance Gap in Critical Infrastructure

Modern life depends on systems we rarely see. Power stations keep the lights on. Pipelines carry fuel across long distances. Chemical plants manage fast and complex reactions. Transport networks move people and goods every day.
Behind all of this sits Operational Technology (OT). These are the control systems, sensors and safety tools that keep physical processes running safely.
For many years, these systems were built with one aim: to keep operations stable. Cyber security was not a priority. Most OT systems were isolated, used proprietary technology, and were run by engineers rather than IT teams.
That world has changed.
Industrial systems are now connected to corporate networks, cloud platforms, remote access tools and supply chains. This has improved efficiency, but it has also created a new kind of risk: cyber attacks that affect the physical world.
When this happens, the impact is very different from a typical IT breach. Instead of lost data or downtime, the result can be damaged equipment, fires, explosions, pollution or long outages.
These events are still rare. But when they happen, the consequences can be severe.
The Nature of OT Cyber Risk
OT systems operate under the laws of physics.
They are designed to keep things like pressure, temperature and flow within safe limits. If those limits are exceeded, equipment can fail, sometimes in dramatic ways. That is why safety systems are built into industrial sites.
Cyber attacks can interfere with these safeguards. Any programmable safeguard designed for an intended function can be re-programmed to behave in an unintended way.
Attackers might change sensor readings so operators think everything is normal. They might alter controls to change how machines behave. They could disable alarms or safety shutdown systems. In some cases, they may lock operators out of the system altogether.
In many cases, small changes can have big effects. Adjusting a valve, motor speed or sensor reading can push a system outside safe limits. Once that happens, problems can spread quickly.
What matters most is this: once a system crosses a safety boundary, physics takes over. Equipment will behave according to physical forces, not human intent.
How Attacks Reach Physical Systems
Most cyber-physical incidents do not start in the control room.
They often begin with standard IT breaches. A phishing email, stolen login details, weak remote access or a third-party connection can give attackers a foothold. From there, they move through the network until they reach systems linked to industrial processes.
This pattern has been seen before.
A well-known example is the 2014 attack on a German steel mill. Reports suggest attackers entered through the corporate network using phishing. They then moved into the plant’s control systems.
The disruption meant the plant could not safely shut down a blast furnace. This led to serious physical damage.
The lesson is clear: an IT issue can become a physical incident once attackers cross into OT systems.
Not all attacks are highly advanced.
In Australia, a former contractor used radio signals to control sewage pumps, releasing waste into public areas. In Poland, a teenager reportedly used a simple device to interfere with tram systems.
These cases show that even basic weaknesses—like poor access controls or exposed systems—can lead to real-world damage.
Near Misses and Hidden Risks
Some of the most important warnings come from incidents where disaster was narrowly avoided.
The Triton malware attack in Saudi Arabia is a key example. The attackers targeted a system designed to prevent serious accidents, such as uncontrolled material release or unsafe conditions leading to fire/explosion.
A fault in the malware caused the plant to shut down before any damage occurred. No explosion happened.
But the message was clear. Attackers had reached the last line of defence.
From a risk point of view, a near miss is still a serious warning. It may reflect strong safety design—or simple luck.
Rare Events, Severe Consequences
Confirmed cases of cyber attacks causing physical damage are still uncommon.
Over several decades, only a small number of such incidents have been publicly reported.
However, this can give a false sense of security.
Many events are never disclosed due to commercial or regulatory concerns. In addition, OT systems often lack detailed monitoring, so incidents may go undetected or be misattributed to a system malfunction.
At the same time, industrial sites deal with high energy processes and hazardous materials. If something goes wrong, losses can escalate quickly.
A single major event could cost billions, including repairs, lost production, environmental clean-up and legal claims.
The Insurance Challenge
While awareness of OT cyber risk is growing, insurance has struggled to keep up.
Traditional policies were not designed for cyber-physical events. As a result, coverage often falls between two areas.
Property insurance usually covers physical damage, but many policies now exclude cyber-related causes.
Cyber insurance tends to focus on data breaches and IT disruption. It often excludes physical damage.
This creates a gap. If a cyber attack causes physical damage, it may not be covered by either policy.
For operators of critical infrastructure, this is a serious issue.
A single incident could lead to large losses that exceed cyber policy limits, while property insurers may reject the claim due to cyber exclusions. The risk owner pays the entire loss out of pocket.
When Cyber Stops the Physical World
Even without physical damage, cyber incidents can still have major effects.
The 2021 ransomware attack on Colonial Pipeline is a good example. The attack mainly affected IT systems, but the company shut down operations as a precaution.
Fuel supplies were disrupted across large parts of the United States.
This and hundreds of ransomware incidents each year show how closely digital systems are linked to physical operations.
More broadly, many manufacturers have found that IT failures can stop production entirely. In modern industry, the link between IT and OT is often economic as much as technical.
Why Insurers Find OT Risk Difficult
There are several reasons why this risk is hard to assess.
First, there is limited data. There are not many well-documented cases to analyse.
Second, every industrial site is different. Processes, equipment and safety systems vary widely, as does the rigor of their engineering, which makes standard models difficult to apply.
Third, this risk sits across several fields: cyber security, engineering, safety and finance. Each uses its own language and approach.
This can make it hard for insurers and operators to fully understand each other.
Closing the Gap
Addressing this issue will require closer collaboration.
One approach is to use more quantitative risk models (in this context, risk is expressed in monetary terms). Instead of relying only on checklists or broad assessments, these models estimate the financial impact of specific cyber scenarios.
This helps organisations understand where to invest in security. It also helps insurers assess potential losses more clearly.
An Honest Way Forward
The truth is, this is still an evolving area.
Cyber-physical incidents are rare, and data is limited. No single group—operators, insurers or security experts—has all the answers.
What is clear is that cyber risk is no longer just digital. As systems become more connected, attacks will increasingly affect the physical world.
Dealing with this challenge will require engineers, cyber specialists, insurers and policymakers to work more closely together.
The aim is not only to prevent attacks, but also to understand and manage the financial impact when they happen.
Only by bridging the gap between cyber security, engineering and insurance can critical infrastructure remain resilient in a connected world.
By Neil Arklie, Cyber Insurance Expert, DeNexus
DeNexus has combed through 40 years of cybersecurity incidents and has discovered only ~8 that have led to physical property damage due to malicious actors (e.g., Stuxnet). Consider that there are thousands of facilities globally and hundreds of ransomware-driven incidents annually, but only a tiny fraction in 40 years have actually gone beyond downtime to incur physical damage (e.g., equipment damage, explosion, fire, flooding). Meanwhile, property insurance policies exclude damage triggered by cyber events, and cyber insurance policies exclude property damage. There is a gap where cyber-induced physical damage is not a covered peril for the majority of industry.
