Cyber-attacks: A question of when, not if, for the energy industry

In May, cyber risk in the energy sector received global attention following a ransomware attack that caused the shutdown of the largest fuel pipeline in the US. The increasing frequency of cyber threats means organizations cannot ignore the implications that even a single event can have on their operations, or the economic and social jeopardy it may pose. In 2019, 65% of energy organizations found it difficult to keep pace with evolving cyber risks.[1] Three years on, the 2021 Global Risks Report by the World Economic Forum and Marsh, found that cybersecurity failure remains a top risk in terms of both likelihood and impact.

The scale, sophistication, and severity of cyber-attacks continue to evolve, driven by nation states, criminals, terrorists, hacktivists, and insiders. Digitalization in the energy sector and greater reliance on operational technology (OT) data broadens the interface between IT and OT, creating a dramatically larger attack surface for potential hackers. These operational transformations create opportunities and risks that must balance the benefits of digitalization and the need for cybersecurity. At a whole of system level, the interconnectivity and complexity of energy sector value chains increases the susceptibility of critical infrastructure to malfunction or sabotage, with a potential ripple effect and cascading impact.

Malicious actors often target energy companies through ransomware motivated by financial goals. However, the emerging risk profile is a shift towards cyber physical risk. The discovery of the Triton malware, which specifically aims to breach safety control systems, and attacks leading to physical plant damage such as the Stuxnet attacks, indicate the escalating threat. These types of attacks have the potential to result in large-scale property damage and/or loss of life.

Risk transfer is a critical consideration of any cyber risk management program, both for physical and non-physical impacts.

The cyber insurance market is in transition. The global cost associated with ransomware recovery is expected to exceed USD20 billion in 2021. Ransomware related losses have accelerated the deterioration of market conditions, and some leading cyber insurers are introducing coverage limitations, such as co-insurance on ransomware losses. Silent cyber exclusions are proving challenging due to the increase in residual risk retained on balance sheets. However, risk transfer options remain available for malicious cyber events, while the traditional property insurance markets are better placed to underwrite accidental and physical property damage.

A standard cyber insurance policy can cover the first-party costs of non-physical impacts arising out of confidentiality, availability, or integrity of data and technology. Cover is provided for loss of income and extra expenses to mitigate an income loss, data restoration to recreate the critical process information, and forensic investigation costs and expenses incurred in remediating and responding to a cyber event. Figure 1 below shows a full list of available coverages.

While organizations cannot eliminate cyber risk, they can proactively prepare for an attack. The steps organizations can take include:

Bring together key stakeholders including risk management; information security, both the operational and information technology teams; and treasury, finance and legal teams to ensure there is alignment in how you would manage an attack.  

• Evaluate existing controls and address identified network and security vulnerabilities. The most common ransomware attack vectors in the first quarter of 2021 included remote desktop protocol (RDP) compromise and email phishing. Implementing appropriate controls can help to thwart an attack — or at least identify one before threat actors can move laterally within your network. For example, early identification can allow you to take operational technology offline once corporate networks are known to have been compromised, but before any industrial control systems are compromised.
• Assess and test your cyber incident response plan, or develop a ransomware “playbook” of activities to respond to a threat. The plan should be re-evaluated following an incident.
• Measure your organization’s cyber risk exposure in financial terms. This will help you prioritise the cyber risks presenting the greatest exposure to your balance sheet. This also enables you to evaluate the return on investment of cybersecurity products, as well as how much risk to retain or transfer.
• Evaluate your entire insurance portfolio, including cyber insurance coverage, to assess whether the various programs are aligned. Verify that coverage includes various material costs incurred as a result of a ransomware attack, including an attack that leads to physical damage and/or bodily injury.

Effective preparation can help you build a cyber-resilient organization.

[1] Based on the 2019 Marsh Microsoft Global Cyber Risk Perception Survey. Read more Winning the Cyber Risk Challenge (mmc.com)