Case study: Cyber risks in the energy sector

On 15 August 2012, Saudi Aramco, the state-owned group that runs all of Saudi Arabia's oil production, suffered a virus attack in which malware damaged approximately 30,000 computers and destroyed 85% of the hardware on the company's devices. The virus, called 'Shamoon', did not just target Saudi Aramco as an entity; it attacked the country's entire economy.

Cyber threats to energy utility companies are particularly sensitive because of the devastation they can unleash. The increasing use of the internet as an offensive weapon also places the energy sector first in the firing line for terrorist or other hacker groups aiming to cause maximum damage to a country's infrastructure. In fact, the security of a country's energy systems goes beyond the realms of business into being a matter of national interest.

The growth of automation in energy companies' processes has altered the risk landscape. As automation becomes more widespread and systems communicate with each other, it becomes more complicated to ensure the security of every entry point. Industrial control systems, which act as the nerve centre of an energy company, have been compromised by hackers before, for example when there was an electricity outage in Ukraine.

The energy sector needs to prioritise cyber security to catch up with this evolving threat. Companies must identify and eliminate their weak points, train their employees and review their contingency planning. When they've done that, they should start all over again. The energy sector is subject to regulatory requirements; however, companies should not just meet these requirements for the sake of it. They need to look beyond the regulators and understand the nature of their own cyber exposure.

There is also external help available. Energy companies can work with insurers to benefit from their expertise in risk mitigation and experience of cyber loss events. They should also pool knowledge within the industry; in fact, this is already mandatory in some countries.

As business interruption in the energy sector is unacceptable in today's world, the sector tends to be more tightly controlled than other areas. It's interesting to note that, in the US for example, information sharing is obligatory. Regulatory requirements are also prominent. Maybe these practices will spread to other sectors in the future.
