Companies operating in the energy sector are faced with two distinct risks relating to a cyber-attack. Firstly there is the risk that a cyber-attack may cause physical loss or physical damage. The other risk is that of the non-physical consequences of a cyber-attack.
The vast majority of energy companies will be purchasing some form of ‘All-risks’ physical damage coverage, and for those with oil and gas well exposures most will be purchasing some form of ‘Operators Extra Expense’ cover (control of well costs, redrill costs and pollution cover). Some companies will also be purchasing Business Interruption (BI) or Loss of Production Insurance (LOPI).
Most insurance policies for onshore property risks will cover any fire and explosion following a cyber-attack by virtue of the standard NMA 2915 exclusion and limited buyback (the perils of fire and explosion are often expanded to cover other perils such as machinery breakdown). For most Insureds with onshore property risks, insured in the onshore property insurance market, this coverage is deemed to be sufficient in the event of the likely physical consequences of a cyber-attack.
However, in contrast to the onshore energy insurance market (covering midstream and downstream risk), the offshore energy insurance market (covering upstream risks, including onshore wells and onshore oilfield property) still typically have an absolute cyber-attack exclusion in the form of a standard exclusion known as CL 380.
Some upstream energy companies have purchased ‘CL 380 buy back coverage’ which is on offer from a number of different markets in a number of different formats. Some are also purchasing coverage for the non-physical consequences (such as loss of data, loss of personal information, extortion and ransomware etc.). However, many upstream energy companies run the risk of cyber-attack on an uninsured or self-insured basis, and likewise many midstream and downstream companies do not insure the non-physical consequences of a cyber-attack.
What, however, are the likely risks and possible consequences of a cyber-attack on energy companies?
To attempt to answer this we look first at prior losses, and then at the current and future trends in the industry of increasing automation and connectivity, and then look at some possible consequences facing Energy companies, and finally take a look at some of the Insurance products on offer.
LOSSES EXPERIENCE (A SECTOR UNDER ATTACK?)
According to a 2016 World Energy Council report, the energy sector is an attractive target for cyber-attacks, demonstrated by a massive increase in the number of successful cyber-attacks against energy firms.
The US Department of Homeland Security Industrial Control Systems Cybersecurity Emergency Response Team (ICSCERT) responded to 295 cyber incidents within the energy sector in 2015, a 20% increase compared to 2014. The energy sector accounted for 16% of the attacks, behind only critical manufacturing, at 33%.
Globally, cybercrime is now estimated to cost businesses USD 400bn a year (Estimating the Global Impact of Cyber Crime, Center for Strategic and International Studies, June 2014).
Assuming that the percentage of Energy attacks in the US is a fair proxy for the global figure, and assuming all attacks result in an equal loss, then the global loss, every year, for energy companies would be in the region of USD 64bn (16% of USD 400bn).
Another multi-country study found that the average annualised cost of cybercrime in the financial services and utilities and energy sectors is substantially higher than the cybercrime costs of organisations in healthcare, automotive and agriculture, with the average cybercrime cost in the utilities and energy sector at USD 12.8mm (Ponemon Institute LLC, 2015: 2015 Cost of Cyber Crime Study: Global).
Therefore the global figure for energy is likely to be a higher proportion of the total, if energy loses are generally higher.
In August last year, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyber attack. It has been reported that official investigators believe the attack was not designed to simply destroy data or shut down the plant, but was meant to sabotage operations and trigger an explosion.
KNOWN LOSS EXAMPLES IN THE ENERGY SECTOR
Hackers attacked the network of a German steel manufacturer ThyssenKrupp by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.
Iranian Natanz Uranium enrichment plant infected by Stuxnet malware said to be from a USB stick. Stuxtnet was designed to take over computers that controlled centrifuges which were separating different types of uranium, to isolate the type (called ‘enriched uranium’) that is critical for both nuclear power and nuclear weapons. Hundreds of centrifuges were hijacked and instructed to spin out of control. Over time, the strain from the excessive speeds caused infected machines to disintegrate. Around 1,000 fuel enrichment centrifuges at Natanz had to be replaced.
Hackers shut down alarms, cut off communications and super pressurized the crude oil in the Baku-Tbilisi-Ceyhan pipeline line which resulted in an explosion.
An explosion on a Siberian pipeline is believed to have been caused by a Trojan Horse virus in control software.
Computer Damage or Data Losses
Hackers said to be likely working for a nation-state invaded the safety system of a critical infrastructure facility in a malware attack dubbed ‘Triton’ that halted plant operations at a Middle East oil company, said to be in Saudi Arabia. It is believed that hackers could shut down a compromised safety system in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks.
Maersk Group was forced to reinstall 4,000 servers, 45,000 computers and 2,500 applications as a result of the ‘NotPetya’ ransomware attack (see recent major cyber-attack-incidents) which they estimated cost them between USD 200mm and USD 300mm, including lost revenue. (French owned global construction firm Saint Gobain is also said to have suffered around USD 300mm of lost revenue from ‘NotPetya’).
A phishing attack, infected a number of computers on the Israel Public Sector power grid network with malware.
Attack on Ukraine Power Grid by ‘Crash Override’ or ‘Industroyer’ malware. Hackers were able to successfully compromise information systems of three energy distribution companies in Ukraine and temporarily disrupt electricity supply to the end consumers.
Korea Hydro and Nuclear Power Co suffered a series of attacks aimed at causing nuclear reactors to malfunction. The attacks only succeeded in leaking non-classified documents.
As many as 300 Energy Companies targeted by hackers in the largest ever co-ordinated cyberattack in Norway leading to loss of confidential information.
An attack on a company that operates over 50 power plants in the US and Canada began through information stolen from a contractor. Hackers were able to steal critical power plant designs and system passwords.
SolarWorld (a German solar energy company) was the target of IP theft, with US Federal prosecutors ultimately indicting five Chinese nationals on charges of espionage, trade secret theft, and computer fraud for hacking the networks of six U.S. companies, including U.S. subsidiaries of SolarWorld, over a period of eight years.
85% of Saudi Aramco’s hardware (some 30,000 computers) was destroyed by a malicious virus called Shamoon.
Philippines oil company had intellectual property stolen through Trojan horse virus called ‘Mirage’ or ‘MirageFox’.
Several global oil and gas companies in US, Taiwan, Kazakhstan and Greece lost confidential data through ‘Night Dragon’ Cyber Attack against energy companies, involving social engineering, spearphishing attacks, and exploitation of computer operating systems vulnerabilities.
A US power utility was infected with a virus when a 3rd-party technician used an infected USB drive to upload software to the systems. The virus resulted in downtime for the systems and delayed the plant restart by approximately 3 weeks.
US oil and gas company lost confidential data through a malware attack called ‘ShadyRAT’.
Cyber espionage attacks allegedly by the Chinese Military on several industries including oil and gas to steal competitive proprietary information.
A computer worm attacked the private network at an idle nuclear power plant in Ohio, disabling a safety monitoring system for 5 hours. Five other utilities were also affected.
Source of above loss info: Munich Re / publically available documents.
CURRENT AND FUTURE TRENDS
The oil and gas industry is beginning to adopt new techniques made possible by modern computers that can store and process large and complex data sets. Often these techniques will employ ‘machine learning’, a form of artificial intelligence that uses algorithms to draw conclusions by studying large data sets. The applications include:
- Seismic data storage and analysis
- Production optimisation
- Predictive maintenance
More and more electronic data is being used in real-time for operational and business decision making with greater internet connectivity, and this is a trend that is likely to continue exposing an increasing number of energy company’s operations to a cyber-attack.
More companies are now storing data on the ‘cloud’ and giving permission for various personnel to access this data. The issue is how companies ensure the equipment used to access the cloud is ‘clean’. By using the ‘cloud’ the data is easier to attack. There are already a number of examples of unmanned offshore platforms being controlled remotely and there are examples of onshore drilling contractors shifting experts from out in the field to offices, from where they can watch over operations for multiple wells at a time.
According to the Financial Times, on the Top 500 list of the world’s most powerful supercomputers today, the leading private sector owners include a number of energy companies. The FT also reported that the chief information officer of a US major oil company as saying the volume of data the company handles has been doubling every 12-18 months.
Types of Cyber attacks
A code with malicious intent (including Trojans, viruses & worms) that typically steals data or destroys something on the compute. Malware is often introduced to a system through email attachments, software downloads or operating system vulnerabilities.
A subset of malware in which the data on a victim’s computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access returned to the victim. The motive for ransomware attacks is nearly always monetary, and unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for how to recover from the attack. Payment is often demanded in a virtual currency, such as bitcoin, so that the cybercriminal’s identity isn’t known.
Often posing as a request for data from a trusted third party, phishing attacks are sent via email and ask users to click on a link and enter their personal data. Phishing emails have gotten much more sophisticated in recent years, making it difficult for some people to discern a legitimate request for information from a false one.
A third party trying to gain access to computer systems by cracking a user’s password. Programs use many methods to access accounts, including brute force attacks made to guess passwords, as well as comparing various word combinations against a dictionary file.
Denial-of-Service (DoS) Attacks
Attackers send high volumes of data or traffic through the network (i.e. making lots of connection requests), until the network becomes overloaded and can no longer function.
Through malware on a legitimate website, a program is downloaded to a user’s system just by visiting the site. It doesn’t require any type of action by the user to download.
POSSIBLE LOSSES FACING ENERGY COMPANIES
Whilst most Energy companies will have robust defences against cyber-attack there is always a possibility that the perpetrator of cyber-attacks may breach a company’s defences. For an Energy company the following types of losses could in theory occur if a cyber-attack is successful.
- Physical damage caused by the failure of industrial control systems / vital safety systems, including potential over heating or over pressurising of boilers or compressors, or manipulation of critical valves or blowout preventers, causing pressure vessel failure
- Loss of valuable research data (seismic data, exploratory data, production data etc.)
- Extortion / threat of destruction of data (ransomware)
- Non-damage business interruption caused by disruption to computer systems, controls and data
- Loss of personal information (may be employee’s or retail customer’s data, but could also be royalty payment details – GDPR regulation in Europe effective 25 May imposes large financial penalties for breaches of privacy form loss of data)
- Loss of reputation from adverse reporting in the media of a cyber breach.
INSURANCE SOLUTIONS FOR RESULTANT DAMAGE
As referenced above, for onshore risks Energy companies can generally get sufficient coverage for resultant physical damage as standard in their ‘All-risks’ programmes by virtue of Electronic Data Endorsement NMA 2915. For offshore risks various options are available for resultant physical damage as follows:
- XL Catlin / Berkley Offshore Cyber Attack Buy Back Endorsement (CABBE)
XL Catlin and Berkley Offshore offer a limited buyback to CL 380, which will respond to the full limit of an ‘All-risk’s policy purchased, but only for a ‘targeted attack’ (an attack against the Insured buying the policy only, and if anyone else is targeted by the same attack no coverage applies) and the limit is expunged after the first loss (regardless of its size relative to overall limit). Control of Well can be covered, but only if fire ensures. Loss of Production income can also be covered (if covered by the All-risks policy) but on a direct basis only with no indirect or contingent cover (damage to third party property).
- QBE CL380 Limited buyback
QBE have developed a CL 380 buyback endorsement (working closely with JLT (L&P) that responds to resultant physical damage for a sublimit of up to 50% of the ‘All-risks’ limit purchased. Optional coverage is available for control of well, redrill expenses and pollution and general third party liabilities (but only where physical damage has occurred). Like CABBE, loss of production income can also be covered (if covered by the All-risks policy) but on a direct basis only with no indirect or contingent cover (damage to third party property).
- Brit Cyber Attack Plus
Brit’s Cyber Attack Plus policy can offer up to USD 200mm of coverage for a variety of cyber related events including resultant physical damage, but the resultant physical damage coverage does not fully dovetail with the CL 380 exclusion, and does not specifically provide coverage for control of well, or redrill of wells (but we understand this can be added by endorsement to the standard wording on a case by case basis).
- Munich Re Stream Consortium
Munich Re offers a stand-alone cyber product that provides a full buy back of CL 380 (if the ‘All-risks’ policy would have covered but for absence of CL 380, the buyback applies). Their Stream Consortium (made up of various Lloyd’s syndicates) can offer up to USD 160mm (we understand that they are looking to put together an excess facility that would take available limits up to USD 300mm). Other than not applying to any third party liability section of the underlying ‘All-risks’ policy, there are no further restrictions to the CL 380 buyback, so coverage would apply for control of well, redrill, pollution, and direct or contingent loss of production income (if purchased on the ‘All-risks’ policy and accepted by Munich Re). The policy can also offer a range of non-physical consequences coverage including data breach cover (costs of restoration of data), cyber extortion, reputational risks, network security liability, privacy breach protection, confidentiality breach, non-damage business interruption, and outsourcing coverage.
- Oil Insurance Limited
Oil Insurance Limited (OIL), the Bermuda based Energy industry mutual offer their members up to USD 400mm of coverage for resultant physical damage from a cyber tack without a CL 380 type exclusion.
- Joint Rig Committee’s approach
The London market Joint Rig Committee (JRC) which represents the interests of insurers writing offshore energy risks in London (with member comprising of energy underwriters from the membership of both the Lloyd’s Market Association and the International Underwriting Association) has set up a cyber working committee that is looking at Upstream/Offshore cyber risks. One of the concerns that the JRC has is the possibility of a mammoth systemic loss resulting in physical damage claims that the capital of the offshore energy insurance market cannot possibly cope with. The working committee have commissioned a series of reports on the cyber threat to Upstream/Offshore operations and these will be made available to the market when completed. They are also working on a model wording that would provide coverage for isolated losses whilst capping liability in the event of systemic losses.
RECENT MAJOR CYBER-ATTACK INCIDENTS
In May 2017, the WannaCry ransomware attack affected up to 300,000 computers in 150 countries, making it the largest such attack to date. The cost has been estimated at up to USD 4 billion.
In March 2016, the Petya virus encrypted the hard drive of thousands of computers worldwide and demanded payment in order to decrypt them. NotPetya emerged in June 2017. Initially viewed as a related, but faster-spreading, piece of ransomware, it damaged data beyond repair. It is now widely believed to be a piece of state-sponsored malware designed to disrupt.
Between May and July 2017, Equifax, the US credit monitoring agency, suffered a data breach that involved the theft of personal data relating to 143 million US consumers. A further 400,000 UK residents were also affected. In 2016 Fraudsters used a trick called ‘CEO Fraud’, also known as a Business Email Compromise or Whaling Attack, to steal USD 75mm from a Belgian bank. The attack consisted of a spear-phishing email, which appeared to have come from the account of a CEO or another higher-up manager, ordering a payment or fund transfer to be made to a bank account owned by the perpetrators.
In 2015 a UK telecom firm suffered a serious and sustained data breach, resulting in the loss of personal information of over 156,000 customers. About 10 per cent of those customers also lost their bank account numbers and access codes. The firm also received a cyber extortion demand, threatening to publish the information unless a ransom was paid. The incident cost over USD85mm in lost revenues and response costs.
TOP TEN ENERGY COMPANY CYBER SECURITY VULNERABILITIES
- Lack of cyber security awareness and training among employees
- Remote work during operations and maintenance
- Using standard IT products with known vulnerabilities in the production environment
- A limited cyber security culture among vendors, suppliers and contractor
- Insufficient separation of data networks
- The use of mobile devices and storage units including smartphones
- Data networks between on and offshore facilities
- Insufficient physical security of data rooms, cabinets, etc.
- Vulnerable Software
- Outdated and ageing control systems in facilities
INSURANCE SOLUTIONS FOR CYBER DATA
JLT’s Cyber team can offer a full range of insurance solutions for Cyber Risks. However, there is no one solution to mitigate and manage this risk and companies today require best-of-breed providers across multiple disciplines to solve these challenges. JLT’s cyber risk consortium is a unique collaboration of leading companies across the software, hardware, advisory, consulting, and legal industries that effectively support clients around their strategic, operational, financial, and people issues impacted by cyber risk. The consortium brings together content, best practices, and subject matter experts to collaborate and solve cyber risk.
Download Energy Newsletter
If you require any further information, please contact John Cooper, Managing Director on +44 (0)20 7466 6510 or email firstname.lastname@example.org