Last week’s power cuts across England and Wales affected up to 1 million people. They were a timely reminder of both the fragility and the vulnerability of our critical infrastructure. Although the cause of the outage was ultimately pinpointed to the almost simultaneous loss of two generating sources, a spokesman for the UK grid operator, National Grid, nevertheless felt obliged to announce that the company was “very confident that there was no malicious intent or cyberattack involved”. That such a denial was needed at all demonstrates the point made in our previous blog: cyber-attacks are now at the forefront of the risks faced by businesses globally, and since then yet another study (the BDO 2019 Global Risks Landscape Report) has placed cyber-crime in the top three business risks.
The energy infrastructure is a critical part of our daily lives, which is why it has become a focus for cyber-security concerns: the worry is that a single malicious attack could cripple the power supply over a large area or cause a catastrophic explosion at a key petrochemical plant. Until recently, cyber-attacks were considered primarily an Information Technology (IT) problem (PCs, workstations, data security and so on). However, factors as diverse as rising labour costs, greater outsourcing of operation and maintenance (O&M) work and regulatory oversight have driven the digitisation of operational technology (OT) through devices such as smart meters and self-monitoring transformers, leaving these systems critically dependent on the same digital communications and computer networks as the corporate IT estate. This convergence of IT and OT has widened the scope for malicious attacks on critical energy infrastructure. Both individual and systemic attacks (from an insurance perspective, a systemic attack is one that affects at least two separate facilities) become more likely, because the interconnection of IT and OT gives an intruder on the corporate network a path towards the control systems, and because OT now inherits the frequent software updates that most IT systems demand. Awareness of cyber exposure has therefore increased, but quantifying and categorising that exposure remains challenging for both the energy sector and its insurers.
Quantification of cyber exposure is a key element of risk management: it helps to clarify accountability across the cyber supply chain and identifies the vulnerable parts of a production process, so that protection can be prioritised for the most critical assets. However, because this is a relatively new exposure, it is often only after an event that the vulnerabilities become apparent and the loss can be calculated.
For example, in March 2018 an attack on Energy Services Group (ESG), a US utility services provider, caused five major energy suppliers, including Duke Energy Ohio, to sever their electronic connections with ESG. Energy supplies were not affected, but the incident, probably ransomware, highlighted both the interconnected nature of today’s energy infrastructure and the vulnerability of the electronic data interchange (EDI) links that connected all these companies. Particularly concerning was the possibility that attackers could use such shared corporate networks as a stepping stone into key industrial control systems (ICS) and cause widespread energy supply failures; it is precisely this path that strict segregation of corporate networks from control networks is intended to close off.
Categorisation of cyber-attacks also needs careful consideration. Individual attacks, such as localised ransom demands or data theft, are criminal acts that can readily be identified as such and so be mitigated by an insurance claim, whereas systemic or foreign attacks may be hastily labelled acts of terrorism or even war, and such a categorical assertion can materially alter the insurability of the exposure. For example, several insurance claim disputes have arisen over losses resulting from the NotPetya cyber-attack of 2017. According to the US Government this attack was part of Russia’s campaign to destabilise Ukraine; it quickly spread from Ukraine to other countries and businesses, including the food company Mondelez. Mondelez had a general property insurance policy that included some cyber cover but also carried a war exclusion clause (a normal exclusion in most insurances). Its claim was rejected by the insurer on the grounds that the attack was an ‘act of war’, as declared by the US Government, and was therefore excluded; several other claims have been treated in a similar way. This demonstrates that the categorisation of a systemic cyber event can undermine the very insurance purchased to mitigate the exposure. It also shows that a comprehensive assessment of cyber vulnerability, coupled with carefully arranged mitigation measures, must form part of any business continuity plan.
About the Author
Mark Tetley has wide experience gained from senior positions across the London insurance market as both an underwriter and a broker, in a variety of sectors. He provides advice and assistance on a wide range of insurance and risk issues, including comprehensive nuclear liability and property insurance assistance, complex infrastructure project programme design and review, claims and policy reviews, assistance with project insurance design and implementation in developing countries, and many other aspects of risk mitigation.
Prospect Law is a multi-disciplinary practice with specialist expertise in the energy and environmental sectors with particular experience in the low carbon energy sector. The firm is made up of lawyers, engineers, surveyors and finance experts.
This article remains the copyright property of Prospect Law Ltd and Prospect Advisory Ltd and neither the article nor any part of it may be published or copied without the prior written permission of the directors of Prospect Law and Prospect Advisory.
This article is not intended to constitute legal or other professional advice and it should not be relied on in any way.
For more information or assistance with a particular query, please in the first instance contact Adam Mikula on 020 7947 5354 or by email on email@example.com.