Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because ABW has confirmed active breaches at five water treatment facilities by identified Russian and Belarusian APT groups exploiting known weaknesses in internet-exposed ICS/SCADA systems — a low barrier to entry, broad exposure, and an active campaign with documented operational intrusions. Impact is very high because successful interference with water, energy, or transportation control systems produces immediate public service disruption, potential physical harm, regulatory investigation under national critical infrastructure protection frameworks, and severe reputational and liability consequences for operators.
Treatment rationale: The threat is active, technically achievable with known techniques, and targets systems whose disruption cannot be absorbed operationally or transferred away — avoidance is not feasible for infrastructure operators, and acceptance is indefensible given confirmed breaches at peer facilities; aggressive network segmentation, ICS/SCADA exposure reduction, and OT monitoring are the only viable primary response.
Third-Party / Supply-Chain Risk
Organizations relying on third-party ICS/SCADA vendors, remote-access integrators, or shared industrial automation platforms face compounded exposure: ABW's findings indicate attackers are exploiting known weaknesses in internet-exposed industrial devices, meaning any vendor-managed or remotely administered OT component that touches the public network is a potential ingress vector. Per NIST SP 800-161, organizations should immediately inventory supplier-managed ICS connections, assess whether vendor remote-access pathways meet OT segmentation requirements, and confirm that third-party firmware and software update channels have not been tampered with.
Loss Exposure (illustrative)
Magnitude: very high — illustrative $5M–$50M+ per significant disruption event, depending on duration and sector; water or power interruption affecting a population center drives costs through emergency response, regulatory penalty exposure, remediation of OT environments, and potential civil liability
Frequency: For an internet-exposed ICS/SCADA operator in the affected sectors within the identified threat geography, illustrative event frequency is moderate-to-high given the confirmed active campaign — on the order of 1 in 3 to 1 in 5 years for a meaningful intrusion attempt reaching operational systems, with a lower frequency for an intrusion that achieves physical disruption
Annualized: Illustrative ALE (annualized loss expectancy): at a $5M–$50M loss magnitude and a 0.2–0.33 annual frequency, the annualized exposure range is approximately $1M–$17M per exposed operator; treat this as order-of-magnitude framing only
Basis: Loss magnitude driven by: OT remediation costs for industrial environments (significantly higher than IT-only remediation due to specialized equipment and safety validation), public service restoration costs, regulatory investigation overhead, and potential civil liability for public harm — not drawn from any third-party benchmark report. Frequency derived from: ABW's documented confirmation of five facility breaches in an active campaign using low-sophistication known-vulnerability exploitation, implying a non-negligible per-organization probability for exposed operators in the threat geography. All figures are illustrative constructions, not actuarial outputs.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Service disruption to the public from a confirmed ICS breach may invoke critical infrastructure incident-notification obligations under national cybersecurity or infrastructure protection regulations — verify with counsel regarding applicable jurisdiction-specific reporting timelines and thresholds.
• Physical consequences of an ICS disruption (public harm, property damage) may engage liability clauses or exclusions in existing cyber and general liability policies — verify with broker whether OT/ICS incidents are covered or excluded under current policy language.
• If any EU-based operations or cross-border infrastructure dependencies are involved, NIS2 Directive incident-reporting obligations may be triggered — verify with counsel.
• Confirmed breach of operator-controlled systems affecting public services may invoke contractual service-level or force-majeure clauses with government counterparties or regulated customers — verify with counsel.