Risk in Context

Ukraine Power Outage Caused by Cyber-Attack Raises Red Flag for Power and Utility Sector

Posted by Paul Whitstock January 25, 2016

A cyber-attack against a Ukrainian utility in December is the first such event known to have caused a blackout. The incident demonstrates the vulnerability of the power and utility sector to cyber-attacks.

Closer to home, in the US, the Department of Homeland Security Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) responded to 295 cyber incidents in its fiscal year 2015, a 20% increase over 2014. The energy sector accounted for 16% of those, behind only critical manufacturing, at 33%.

As a critical infrastructure industry, power and utilities organizations have unique cyber risk exposures and responsibilities. In addition to IT security concerns, you must secure your ICS and supervisory control and data acquisition (SCADA) systems from cyber threats.

The cost of a cyber breach can be steep — and not only in monetary terms. The potential costs of a power grid interruption include reputational damage in addition to lost revenue, expenses to restore operations, and regulatory fines. Along with securing your systems, mitigating financial risk through insurance should be a key part of your defenses.

Consider the following issues:

  1. Operational systems and connections with data systems. Connections to various data systems need to be reviewed. For example, pipelines are often connected directly to the internet and to enterprise IT networks. Consider evaluating cyber insurance policies to ensure that they provide explicit coverage for operational systems.
  2. Bodily injury and property damage. At an energy company, systems that are not running correctly have the potential to cause catastrophic physical damage or bodily injury. Insureds should seek clarity of coverage regarding physical damage caused by cyber perils.
  3. Business interruption. A lengthy outage could cause substantial business income loss and related expenses. While a cyber event has yet to cause a significant insured business interruption loss in the power sector, the potential exists. This is an important consideration when evaluating cyber insurance limits.
  4. Network security regulatory investigations. Regulators are likely to investigate any cyber-attack on critical infrastructure. Many cyber insurance policies only cover the costs of regulatory investigations following a privacy event. Consider obtaining coverage for regulatory actions as well as for fines and penalties following a network security breach.
  5. Remote access. It’s crucial to limit remote access to your systems. Though most power and utility companies have focused on security and have implemented multifactor protections, ensure yours are sufficient.

Assessing your cybersecurity posture with outside professionals — including a review of your cyber insurance needs and coverage — can help protect your organization and keep the lights on for you and your customers.


Paul Whitstock

Paul Whitstock fulfills multiple roles within Marsh, including serving as the US Power & Utilities Practice Leader and as a client executive and senior relationship officer for Marsh Power & Utilities sector clients. He has also served as the global analytics leader for Marsh’s Power & Utilities Practice, helping Marsh clients refine and optimize their risk financing strategies using Marsh’s proprietary state-of-the-art risk analytics.