The digital age is transforming the way in which businesses operate. Thanks to technological advancements over the past decade, economies and industries across the world are operating faster and more efficiently than ever before. But with this improvement comes a major risk: the growth and increasing complexity of cyber-related attacks.
Cyber-attacks in the energy sector have an impact not only on the sector itself but also on the whole economy. As the energy sector seeks to improve its efficiency and reliability, infrastructure operators must be aware that the increased use of hyperconnectivity, including Supervisory Control And Data Acquisition (SCADA) and Industrial Control Systems (ICS), can increase exposure to cyber-attacks across the energy value chain.
The World Energy Council worked with Swiss Re Corporate Solutions and Marsh & McLennan on the report "Road to Resilience: financing resilient energy infrastructure", which finds that by 2018, the oil and gas sector could be spending $1.87bn each year on cyber security as cyber-attacks become more sophisticated and frequent.
Cyber risk must not be considered purely as an IT risk. Rather, it should be addressed as an enterprise-wide concern and as a key operational risk that demands effective risk management and strong management involvement at the highest level.
To get to this point, risk managers need to step up to the plate and work with IT professionals to establish the right security culture. This begins with a risk assessment that looks specifically at a company’s exposure to cyber-related vulnerabilities.
The increasing interconnection and digitisation of the energy sector (including smart grids, smart devices and the growing Internet of Things), along with the sector’s critical role in the functioning of a modern economy, make the energy sector a highly attractive target for cyber-attacks geared to disrupt operations. The increasing interconnection also makes cyber risk management increasingly complex.
During this process, risk managers must identify their company’s data assets and intellectual property, classifying them into groups. Cyber exposures in the energy sector present particular concerns because an attack could cross from the cyber realm into the physical world if a cyber attacker were able to create a large operational failure of an energy asset. Large centralised infrastructures are particularly at risk due to the potential ‘domino effect’ that an attack on a nuclear, coal, or oil plant could cause.
With a collaborative, risk- and IT-focused prevention plan, the board of directors is more likely to sit up and take notice. Risk managers can then get involved in strategic conversations about why and how they can align cyber risk prevention with the company’s objectives, how a preventative strategy could save the company significant amounts of money and how the business can measure the effectiveness of its new cyber security programme.
It is paramount to take a systemic approach and review cyber risks across the entire energy supply chain, as this will improve the protection of IT systems by limiting any domino effects potentially caused by a failure in one area of the energy value chain.
Technology vendors can play an important role in furthering or hindering the resilience of energy infrastructures. These firms must ensure that the technologies they provide have security standards built into their processes. Otherwise, ICS and SCADA controls can compound cyber risks and increase vulnerability to attack within energy operations.
High-level discussions at the forthcoming 23rd World Energy Congress, held in Istanbul, will explore these cyber risks to the energy industry and, crucially, what policy and financial solutions are needed to adjust to the changed landscape. The session "The Cyber threat: Are we at risk of the lights going out?" is on Tuesday 11th October.
Willy Stössel is head of Cyber, Technology & Construction at Swiss Re Corporate Solutions.