Cyber security and related security breaches are an increasing problem generally. The energy sector, with its complex and critical infrastructure, is however particularly at risk and needs to be extra vigilant both in its defences against an attack and its plans for responding to an incident.
The offshore health and safety and environmental risks add an additional layer of complexity and risk to an already challenging issue.
As recently as June, we saw companies in the oil and gas sector including Maersk and Rosneft reportedly affected by the Petya ransomware attack. The damage from such attacks can take a company offline for hours, sometimes days, as well as leading to damages claims and operational issues. Businesses can also suffer immense reputational damage as the attacks are reported in the press and across social media. If a cyber breach results in the disclosure of, or unauthorised access to, any personal information, there will likely also be liability under data protection legislation (with potential fines under the new EU regulation coming into force in May 2018 increasing to the greater of £20 million or 4% of global annual turnover for the preceding financial year).
Some of the most common types of cyber risk include:
• Ransomware attacks like Petya, whereby downloaded malware encrypts an enterprise’s files and threatens to either leave the files encrypted or delete them unless a ransom is paid;
• Trojans (where a user is duped by a seemingly legitimate communication or website into downloading a piece of software that allows a third party access);
• Use of unpatched software (simply the use of software with a known vulnerability that has not been rectified, such as using an outdated version of an operating system);
• Phishing attacks (the receipt of a communication that appears legitimate, say an e-mail purporting to be from Microsoft but actually from a third party, asking for login details via a seemingly legitimate but in fact fraudulent website) – this can happen over the phone as well as by e-mail; and
• Viral worms (also known as network-travelling worms), which, once in a system from an e-mail attachment or downloaded link, can travel quickly and mutate through an organisation’s infrastructure, avoiding attempts to easily detect and eradicate the program.
The best form of cure with cyber breaches is most definitely prevention in the form of vigilant cyber security. This starts with having in place a strong cyber security policy, which is rigorously implemented and updated. Enterprises should ensure that they have the latest software patches installed, and do not use software with known and published vulnerabilities.
Businesses should consider restricting executable code in e-mail attachments and as downloads, and placing restrictions on the insertion of unknown USB drives into networked machines. Penetration testing (where a third party tests the system by attempting to compromise it) should be considered on key systems to ensure that no vulnerabilities exist, or that any identified are suitably addressed.
Additionally, the weakest link in most enterprises’ cyber security – the end users – should be routinely trained and kept abreast of any developments (for example if there are known scams, users should be informed and reminded to always check with internal IT).
However, despite the best preparations and defences, cyber attacks are sometimes still successful and in this case it is very important to have on hand a team of legal, IT and PR advisors with an agreed plan who are able to implement that plan in real-time, 24/7 in the case of an attack.
In the first hour of the known cyber attack, the advisors should be briefed, including instruction of IT forensics, a background briefing and creation of a specific project plan. As the IT forensics team starts to uncover what is occurring, in the 12-24 hours after the attack the organisation should consider the appointment of an outside counsel “breach coach”/cyber crash team: such legal advisers typically perform a co-ordination and project management role, but may also be able to maintain legal privilege in communications. IT forensics will assist with identification of the source/leak/compromise including, crucially, geographical identification of the location of affected servers and data subjects. They will also conduct analysis of the nature of any compromised material.
In the 24-48 hours after the attack, there should be an early stage evaluation with recommendations including when and how to notify any affected data subjects (if appropriate), and if needed an appointment of PR/external communication strategy advisor.
The IT forensics team will continue to identify the source/leak/compromise, provide patches and viable alternatives, and bring network-critical infrastructure back online, where feasible. The legal advisors can assist with determining if there is a need to notify data subjects/regulators, and with such notification (by e-mail if appropriate or by a mail order fulfilment centre).
In this phase of the response, PR communications and key staff briefings should be readied as more details of the attack, its cause and its impact are known. Affected parties may be offered post-breach support, such as: basic advice on security upgrades, improvements, virus patches; web crawling/monitoring; and credit monitoring/identity theft protection.
Finally, after the attack is curtailed, and generally in a time period of around 72 hours or more from the start of the attack, the legal advisors will assist with any necessary claims defence and regulatory issues and the IT team will implement longer term defences and fixes.
This can include notification of commercial third parties such as customers; liaison with regulators; defence of third party claims (such as breach of contract for inability to deliver services due to the outage); discussion with insurers regarding loss adjustment and valuation; implementation of IT upgrades/amendments (responsibility for funding/betterment); and identification of longer term risks and consequences.
Given the increase of cyber threats, and the potentially devastating risks to the energy sector in particular, a good defence strategy and a considered response plan should be considered as crucial to businesses as a plan for responding to a pollution incident or other offshore incident.
Penelope Warne is senior partner and head of energy at CMS