In 2024, the CEO of Power Information Technology Company (PITC) - a subsidiary of Pakistan’s Ministry of Power – disclosed that Pakistan had faced 40 million cyberattacks in just one year. 1 (opens a new window)Many of those were directed against the country's infrastructure. The country’s natural resources sectors have also been targeted, including pipelines. These attacks not only threaten energy supply and economic growth, but they can also result in highly costly material damage, operational shutdowns, or safety system failures.
The attacks in Pakistan have been varied. An electricity provider was hit by a ransomware attack in 2020, which disrupted its billing and online services. In 2021, a transportation company was targeted, causing disruptions to online booking and other online services. More recently, in mid-August 2025, Pakistan's National Cyber Emergency Response Team (NCERT) issued a critical advisory warning of a ‘severe risk’ from the emerging Blue Locker ransomware group.2 (opens a new window) This attack targeted one of Pakistan's largest exploration and production companies, which supplies over 20% of the nation's natural gas. Pakistan, power plants, refineries, and the upcoming Reko copper-gold mine are especially attractive targets because they underpin national economic resilience. The question for private, public and government organisations in Pakistan is this: do current insurance plans cover the mix of digital and physical risks, or should companies update their methods to better align with emerging realities?
“Power plants and refineries, are especially attractive targets because they underpin national economic resilience.”
Automated and Remote Digital Access Points
Traditional cyber risks such as ransomware and phishing are increasingly converging with cyber-physical damage risks that can shut down plants or grids. Despite this, some businesses believe they are safe from big financial hits (like lost sales or income) because they have what they perceive as traditionally robust backup systems that protect them from ransomware or phishing. This can create a false sense of security and a sense of ‘this won't happen to us.’ This can be a dangerous way of thinking, particularly with entire supply chains being digitally linked.
Supply chains themselves – increasingly integrated through the digital economy – are more vulnerable than ever. Digital processes that link organisations through their IT systems are often deeply embedded and business-critical, such as remote tools for managing grids. Remote natural resource locations in Pakistan, for example, use satellite links alongside older or more basic digital tools, which can make them (and those linked through their supply chains) more susceptible to exploitation compared to more mature systems in global benchmarks. Additionally, potential delays in critical updates or a lack of trained staff can exacerbate matters for the country’s security. This can sometimes be more so in Pakistan than in places with stronger systems.
The Changing Nature of Attacks
In Pakistan, like most countries, threats can come from external foreign interests, and recent alerts have noted ransomware aimed at energy firms. Over recent years, we have seen major power outages in India, major ransomware attacks in South Africa, malware attempts on petrochemical facilities in the GCC, and fuel shortages caused by malware in the United States.
Such events are serious real-world examples – yet despite this, many companies believe that they have robust strategies simply because they can mitigate direct revenue losses. But the changing nature of attacks demands a more nuanced approach. Built-in backups help with some losses, but other issues, such as longer downtime or added checks, still cause harm. They cause immediate operational halts, potentially costing millions in daily lost production for mines or grids, while rippling out into broader economic fallout, including the collapse of energy supplies across industries and national productivity losses. Given the changing nature of cyber-physical damage, companies need to rethink their approach to coverage.
“Many companies believe that they have robust strategies simply because they can mitigate direct revenue losses. But the changing nature of attacks demands a more nuanced approach”
Cyber-Physical versus Traditional Cyber-Attacks
Within this changing risk environment, companies should be looking at insurance policies that offer coverage for cyber-physical damage (opens a new window) in addition to coverage for ‘traditional’ cyber-attacks, which remain the most common type of attack, such as ransomware.
Technical risk assessments can play an important part in getting the balance right – particularly for organisations within critical infrastructure ecosystems where technical assessments can include penetration testing or OT security audits. Specialist brokers and consultants with in-depth sector knowledge of power and natural resources vulnerabilities, technical proficiency in OT/ICS evaluations, and global perspectives can help businesses to develop nuanced policies that reflect their unique exposure profile.
In Pakistan, leveraging global expertise alongside a deep understanding of the country’s unique cyber-physical landscape is essential for helping organizations reassess their coverage and challenge existing assumptions. This approach is critical to gaining a comprehensive view of the risks and developing resilient protections for critical infrastructure, industries, and assets across the nation.
