Oil and gas industry sitting on cyber-attack timebomb
A cyber-attack could cost the sector $2 billion by 2018
Cyber-attacks which cause physical damage to oil and gas infrastructure could cost the energy industry almost $2 billion by 2018 because of a lack of available insurance, a new report claims. Energy companies are sitting on 'an uninsured cyber-attack timebomb' from this increasing threat, according to Willis Group's 2014 Energy Market Review, published on 8 April. Around 40% of all US cyber-attacks on critical infrastructure assets in 2012 were against the energy sector, the report said. And the UK government estimates oil and gas companies lose around £400 million ($670m) every year because of cyber-attacks.
At a summit in February, Vince Cable, the UK Secretary of State for Business, Innovation and Skills, said cyber-attacks are a growing threat to British businesses and industries providing essential services, and these industries, such as power, telecommunications and banking, must be protected.
The Willis Group report said the energy industry faced 'a new and highly ominous threat' from cyber-attacks which risks catastrophic physical damage to operations and financial loss to companies. The report said the risk has been increased by the energy industry employing a greater number of industrial control systems (ICS), which are connected to the internet.
Energy firms which have integrated their ICS with other internet-based IT systems are particularly vulnerable to cyber-attacks. Companies may have integrated systems to improve efficiency - allowing management to view field data in real time - or to cut costs. However, it has increased the possibility of oil and gas infrastructure being opened up to a cyber-attack. This could be a particular problem for the offshore sector if production platforms are operated remotely. If there is a cyber-attack on one or more platforms, causing a loss of process control, this could cause enormous physical damage and loss of profits across several satellite platforms, Willis Group said.
Major energy catastrophes on the same scale as the Exxon Valdez or Deepwater Horizon accidents could easily be caused by cyber-attacks, Willis said, whether these attacks were politically motivated or not. Willis added that controversial operations, such as those involving hydraulic fracturing or in the Arctic, could be at particular risk. "The problem is particularly acute when considering some of the areas of the world where high levels of oil and gas production and infrastructure sit side by side with political or environmental groups that are prepared to use cyber-attacks as a weapon," the report said.
In 2012, Saudi Arabia's energy flagship Saudi Aramco came under attack from the Shamoon virus, which erased large amounts of data on three-quarters of the company's computers. Although Shamoon didn't cause any physical damage to Aramco's operations, the company had to shut down 30,000 computers, which caused a considerable loss of data and productivity. Shamoon had spread across the company's computer network through exploitation of shared hard drives.
The Willis report said energy companies will become increasingly accountable to both shareholders and regulators for demonstrating that they have taken every possible step to counter the threat of cyber-attacks.
Willis said that there are insurance policies available which would cover energy companies for non-catastrophic damage resulting from cyber-attacks, such as the loss of data and intellectual property. However, a truly catastrophic event, involving significant physical loss or damage, will not be covered. This is because of problems insurers face in assessing risk, such as liability for a control system which manages several different platforms in the North Sea or for projects which are jointly owned and operated. A lack of experience within the insurance industry in assessing the likelihood of a cyber-attack happening, or how successful it would be, is also a problem.
Willis said that a new physical cyber insurance market is beginning to emerge, but much more needs to be done to develop the sector. In the meantime, however, advances in technology, increased use of ICS which are connected to the internet and ongoing geo-political tensions around the globe suggest that a major cyber-attack is likely to occur - the only question is when.