Last week’s power cuts across England and Wales affected up to 1 million people. The power cuts were a timely reminder of both the fragility and vulnerability of our critical infrastructure and although the cause of the outage was ultimately pinpointed to an almost simultaneous failure of two power supply sources, a spokesman for the UK grid operator (National Grid) nevertheless felt obliged to announce that the company was “very confident that there was no malicious intent or cyberattack involved”. This denial demonstrates the sentiment highlighted in our previous blog that cyber-attacks are now at the forefront of risks faced by businesses globally; since then yet another study (the BDO 2019 Global Risks Landscape Report) has put cyber-crime in the top 3 business risks.
The energy infrastructure is a critical part of our daily lives, which is why it has become a focus for concerns about cyber-security; we worry that a single malicious attack could cripple the power supply over a large area or cause a catastrophic explosion at a key petrochemical plant. Until recently, cyber-attacks were considered primarily an Information Technology (IT) problem (i.e. PCs, workstations, data security etc.); however, factors as diverse as increasing labour costs, greater outsourcing of O&M work and regulatory oversight have driven the digitisation of operational technology (OT) systems through devices such as smart meters and self-monitoring transformers, rendering these systems critically dependent on digital communications and computer networks (i.e. on IT). This convergence of IT with OT systems has expanded the scope for malicious attacks on the critical energy infrastructure. Both systemic and individual attacks (from an insurance perspective, a systemic attack would involve at least two separate facilities) have been made more likely by the greater interconnectivity between IT and OT and by the more frequent updates that most IT systems demand, each of which widens the path from a corporate network to the control systems behind it. Consequently, awareness of cyber exposure has increased, but quantification and categorisation of the exposure remain challenging for both the energy sector and its insurers.
Quantification of cyber-exposure is a key element of risk management; it helps to clarify cyber supply-chain accountability and allows the vulnerable parts of a production process to be identified, so that protection of critical assets can be prioritised. However, because this is a relatively new exposure, it is often only after an event that the vulnerabilities become apparent and their cost can be calculated.
For example, in March 2018 an attack on Energy Service Group (ESG), a US utility services provider, caused five major energy suppliers, including Duke Energy Ohio, to sever their electronic connections with ESG. Although energy supplies were not affected, the probable ransomware incident highlighted both the interconnected nature of today’s energy infrastructure and the vulnerability to attack of the electronic data interchanges (EDI) that linked all these companies. Of particular concern was the possibility that attackers could use these shared corporate networks as a foothold and, where IT and OT are not adequately segregated, move laterally into key industrial control systems (ICS) and cause widespread energy supply failures; the suppliers’ decision to cut the links was a precaution against exactly that lateral movement.
Categorisation of cyber-attacks also needs careful consideration. Individual attacks, such as localised ransom demands or data theft, are criminal acts that can readily be attributed as such and thus mitigated by an insurance claim, whereas systemic or foreign attacks may be hastily identified as acts of terrorism or even war; such a categorical assertion can materially alter the insurability of the exposure. For example, several insurance claim disputes have arisen over losses resulting from the NotPetya cyber-attack of 2017. According to the US Government this attack was part of Russia’s campaign to destabilise Ukraine, and it quickly spread from Ukraine to other countries and businesses, including the food company Mondelez. Mondelez had a general property insurance policy that included some cyber-cover but which also contained a war exclusion clause (a normal exclusion in most insurances). Mondelez’s claim was rejected by its insurer on the basis that the attack was an ‘act of war’, as declared by the US government, and was therefore excluded; several other claims have been treated in a similar way. This demonstrates that the categorisation of a systemic cyber event could undermine the insurances purchased to mitigate the exposure, and it also shows that a comprehensive assessment of cyber vulnerability, coupled with carefully arranged mitigation measures, must form part of any business continuity plan rather than being left to the insurance policy alone.
About the Author
Mark Tetley has wide experience gained from senior positions across the London insurance market as both an underwriter and a broker, in a variety of sectors. He provides advice and assistance on a wide range of insurance and risk issues, including comprehensive nuclear liability and property insurance assistance, complex infrastructure project programme design and review, claims and policy reviews, assistance with project insurance design and implementation in developing countries, and many other aspects of risk mitigation.
Prospect Law is a multi-disciplinary practice with specialist expertise in the energy and environmental sectors, and with particular experience in the low carbon energy sector. The firm is made up of lawyers, engineers, surveyors and finance experts.
This article remains the copyright property of Prospect Law Ltd and Prospect Advisory Ltd and neither the article nor any part of it may be published or copied without the prior written permission of the directors of Prospect Law and Prospect Advisory.
This article is not intended to constitute legal or other professional advice and it should not be relied on in any way.
For more information or assistance with a particular query, please in the first instance contact Adam Mikula on 020 7947 5354 or by email on [email protected].