Opinion

Cyber Risk – a new threat in the energy sector


Globally, it is estimated that cyber-attacks against oil and gas infrastructure will cost owners $1.87 billion by 2018.

In the US, 40% of all cyber-attacks on critical infrastructure in 2012 occurred against the energy sector.

The UK Government estimates that oil and gas companies in the UK already lose approximately £400 million every year as a result of cyber-attacks.

These sobering statistics are reported in the Willis Energy Market Review of 2014 which chose cyber-attacks in the energy sector as its special focus.

Willis also notes that for the first time, cyber risk has this year made it into the Top-10 global business risks in the Allianz “Risk Barometer”.

The increasing incidence of online attacks from “hacktivists”, organised crime-groups, terrorists and organisations with quasi-national links means that companies must be vigilant in addressing ever-present and unseen cyber threats.

In recent times we have seen the “Night Dragon” attacks by Chinese hackers, who infiltrated several high-profile energy companies and stole significant intellectual property (IP), as well as the Shamoon attack on Saudi Aramco in 2012, thought to be among the most damaging attacks on a single company to date, with up to 30,000 computers hit by a virus designed to erase all data.

Such attacks create not only operational and financial risks, but can also see confidential information relating to reservoir performance, days to drill and environmental impact assessments leaked, with severe commercial and reputational consequences.

Of concern also is the potential for hackers to infiltrate industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems, which could render planned infrastructure inoperable, create delays or even safety hazards – particularly with the renewed emphasis on the potential for machine-to-machine communications.

This is not all about sinister strangers attacking your systems.

Symantec has placed the annual cost of IP theft to US companies at $250 billion, and FBI reports indicate insiders are a leading source of this.

Consequently, companies must also ensure that their internal security procedures offer adequate protection. This is even more important as companies consider mobility and employee “bring your own device” initiatives, which raise the possibility of cameras, smartphones and GPS devices being used by attackers, not to mention the issues created by contractors using laptops to test, commission and repair supplied equipment.

Despite all the evidence, it appears many companies do not fully appreciate the risks: computer security firm Kaspersky has concluded that measures taken by businesses are often “woefully inadequate”, and that significant numbers of IT managers have insufficient knowledge of corporate cyber threats such as SpyEye, Zeus, Stuxnet and Flame.

Governmental attempts to address these issues are all important. They include President Obama’s Executive Order establishing a framework between the US Government and the private sector; the proposed EU Network and Information Security Directive, which aims to ensure that banks, energy companies and other “market operators” involved in the operation of critical infrastructure maintain sufficiently secure systems; and more specific initiatives such as ICS-CERT.

However, it is critical for companies to engage actively with the issue and to make employees aware of the threat and of how, for example, advanced attackers use social engineering to help gain a foothold in the organisation.

According to Verizon, 96% of cyber-attacks are avoidable through internal controls and proper adherence to standards.

Companies need to take structural, technical and human measures to protect data assets – this includes proactive steps, such as a digital security plan and investment in security solutions, but also reactive steps, such as a cyber-response strategy to contain and mitigate loss.

Lawyers have an important role in protecting companies, which should review existing and proposed contracts with suppliers, particularly where engaging external information security providers, to ensure they contain clear commitments to address cyber security threats, such as:

• A clear statement of the scope of the provider’s responsibilities to prevent security breaches.

• Steps to be taken if a security breach takes place (including business continuity arrangements, timelines for remedial actions and responsibility for handling publicity).

• Enhanced treatment for areas of particular sensitivity, such as mobile services and IT services made accessible to third parties/contractors.

• An obligation to comply with international security standards.

• Rights of audit.

• An obligation on the provider to periodically conduct penetration testing on the system to assess and address weak spots.

• Terms that appropriately address liabilities, liability caps, indemnities and termination.

Information security service providers are unlikely to guarantee absolute protection from what is a constantly evolving range of cyber threats, but companies should carefully consider and negotiate liability for breaches of security based on the nature of the breach.

Naturally, given the importance of these issues, companies will want to resist or at the very least scrutinise the use of standard service provider terms.

Companies should also consider additional methods of covering any potential loss, such as cyber insurance. A 2012 cross-industry survey of risk managers at large US companies found that nearly half the respondents had not taken out cyber insurance because they considered their internal controls were adequate or because they did not have a significant data exposure.

The statistics above suggest this may be naive at best and possibly negligent at worst.

However, the Willis report highlights that, while cyber risks are excluded from most upstream and downstream energy policies, the current mainstream cyber insurance market does not fully address the needs of the energy sector: its focus is data loss, it does not provide coverage for physical loss or damage, and the waiting periods for business interruption coverage can be significant in terms of energy networks.

Energy companies and their supply chains should also take specialist advice on the more innovative products now being introduced into the Lloyd’s market, as the policy wording is critical.

Penelope Warne is senior partner and head of energy at international law firm CMS Cameron McKenna
