BreachExchange mailing list archives

Energy companies need insurance cover for cyber attack 'time bomb'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Apr 2014 18:41:29 -0600

http://uk.reuters.com/article/2014/04/08/uk-energy-cybercrime-idUKBREA371DR20140408

Energy companies have no insurance against major cyber attacks, reinsurance
broker Willis said on Tuesday, likening the threat to a "time bomb" that
could cost the industry billions of dollars.

Willis highlighted the industry's vulnerability to cyber threats in its
annual review of the energy sector's insurance market, which called on
insurers to find a way to provide cover.

"A major energy catastrophe - on the same scale as ... Exxon Valdez or
Deepwater Horizon - could be caused by a cyber attack, and, crucially, that
cover for such a loss is generally not currently provided by the energy
insurance market," the insurance broker said.

Most insurance products currently available will cover minor things such as
data losses or downtime caused by IT issues, but not major events like
explosions at multiple facilities triggered remotely by hackers, Willis
(WSH.N) said.

It said the lack of coverage stemmed from a clause included in most energy
sector insurance agreements over the past 10 years that explicitly excludes
loss or damage caused by software, viruses or other malicious computer code.

"There can be little doubt that the removal of this exclusion would be the
most effective way for coverage to be provided to the energy industry," it
said.

But the exclusion clause has remained because cyber security is not
well-understood by the insurance industry, making it difficult to design
comprehensive products. Additionally, problems lie with how insurers agree
to cover damage to multiple plants or platforms caused by a single attack.

The issue is attracting more attention after high-profile events including
Stuxnet - a virus that afflicted a uranium enrichment facility in Iran -
and Shamoon - a virus linked to cyber assaults on energy firms in Saudi
Arabia and Qatar in 2012.

Technology now allows entire oil and gas networks to be operated remotely,
but connecting that infrastructure via the internet has also opened the
door for hackers and computer viruses to target anything from refineries to
pipelines.

The effects of such attacks can range from viruses spreading across a
network of household smart electric meters to hackers triggering oil spills
or explosions.

Britain estimates that cyber security breaches cost UK energy firms around
400 million pounds ($664 million) annually. The U.S. Department of Homeland
Security said over 40 percent of attacks on the United States' critical
infrastructure assets were aimed at the energy industry in the year to
September 2012.

Research firm ABI estimates that global cyber security spending by the
industry on critical oil and gas infrastructure will reach $1.87 billion by
2018.

Willis also said companies are coming under pressure from shareholders
and the government to beef up cyber defences, a trend that could lead to
the introduction of regulatory requirements aimed at protecting key
infrastructure.

"While many in the energy industry may not see regulation as the answer to
the problem of cyber-attacks, it remains a strong possibility that energy
companies will increasingly be accountable for demonstrating that they have
taken every possible step to counter this threat," it added. ($1 = 0.6020
British Pounds)
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/