One of the most reviled analogies in cyber security is the “Cyber Pearl Harbor” or — in its updated form — “Cyber 9/11”. The idea of such a catastrophic cyber terror attack is often raised in conjunction with the power grid; the energy sector’s reliance on technologies like SCADA systems that were shown to be flawed in part by the US’s own cyber operations in Iranian facilities make analysts very nervous. Last year, Ukraine suffered a cyber attack on its electrical grid that cut power to more than 80,000 and the scope of a similar attack in the US would cost hundreds of billions. Insurance for data breaches in the energy sector can run to $700,000 for $10M of coverage that includes protections for physical damage, in part because industry analysts predict that attacks on as few as 50 generators in the Northeast could affect 93M people, a costly service disruption.
The Saudi Aramco incident offers an interesting example of a cyber attack on energy operations; code-named Shamoon, the attack involved the deployment, via a spear-phishing email, of a virus that wiped the hard drives of 30,000 workstations at Aramco in 2012. Restoration of service took a week, during which administrative systems — including payment — reverted to paper records. While oil production was unaffected, the attack involved an expensive recovery, including setting up a new security team. Globally, cyber attacks against oil and gas infrastructure are predicted to cost $1.87B by 2018.
Because the Aramco incident didn’t involve the physical destruction of property, even if it were a terrorist attack (attribution is uncertain, but some have pointed to Iran), it would not be covered by TRIA (see yesterday’s article). The potential scope of damages, though, mean that some believe the cyber insurance market should also have a “backstop” as TRIA serves the terrorism insurance market. DHS already evaluates the cyber security of critical infrastructure, including the energy sector, and it might make sense for the government to share the burden in the event of a massive attack on our energy infrastructure, given its insider knowledge of energy sector networks. Hackers gained top-level access to power networks at least 12 times over the past decade, but the details of those incidents are not all publicly available, making underwriting, or even security recommendations by insurers, more difficult.
Luckily, it seems that hackers have not taken advantage of their access to electrical substations and dams in the US. The dam targeted in 2013, in upstate New York, didn’t release more water than expected; when the intrusion was identified, two other similarly-named dams were suspected as the target before the actual dam involved was identified. Naturally, had there been anomalous operations, this would not have been the case. And the potential for physical harm derived from a cyber attack is an area of great uncertainty for cyber insurers. Prior to the development of Stuxnet, it was unclear how cyber attacks could even cause physical destruction. (Stuxnet caused centrifuges to spin irregularly, and the large equipment could become un-moored, damaging itself and nearby equipment). Nuclear reactors, oil refineries, and chemical plants represent risk to neighboring communities as well as their own machinery; insuring a nuclear power plant in Plymouth MA implicitly means insuring the city of Boston too, as the Fukushima incident demonstrated. (4,500 square miles of land around Fukushima exceeded the allowable exposure rate in the US, including 310 square miles that were abandoned; Plymouth is 30 miles from Boston).
In FY2015, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 295 cyber incidents affecting critical infrastructure. Of these incidents, 37% were the result of spear phishing, as was the Aramco incident; an estimated 91% of all attacks (across all sectors) begin with phishing. Insurers are undoubtedly aware that the energy sector is being targeted, and hopeful that it will continue to be relatively unscathed.
Join the conversation on Medium