Cyber risk in energy sector

Is digitalisation making energy infrastructure more vulnerable?

Some suggestions for coping with cyber threats

With the proliferation of smart grids, smart meters and digital oil fields, the global energy sector is becoming increasingly interconnected, automated and digitalised.

Technological advances have many benefits, such as improved efficiency, but they also make the energy supply chain more vulnerable to cyber-attacks.

Power plants and power grids are becoming attractive targets for hackers, for the sheer number of people that can be affected and the degree of damage to be inflicted. For example, a cyber-hack of power distribution companies in Ukraine last year cut power to tens of thousands of energy customers for several hours. Large centralised energy infrastructures are particularly at risk due to the domino effect that an attack on a nuclear, coal, or oil plant might have.

Energy companies are having to grow used to the fact that cyber threats are now as much of a risk to large infrastructures as are floods and fires. The nature and changing risk profile of cyber threats, from economic espionage to disruption of production, demands a cross-sector-based risk approach.

Energy infrastructure resilience: cyber risk examined

It is critical to address cyber risk in the energy sector to ensure not only energy supply security but also the resilience of a state or economy, finds a new report, The road to resilience: managing cyber risks.

The report was published by the World Energy Council in collaboration with Swiss Re Corporate Solutions and Marsh & McLennan Companies as a part of series on Financing resilient energy infrastructure. It investigates how cyber risks can be managed and recommends actions to improve responses to the rise in cyber threats. The researchers suggest that by 2018 the oil and gas industries alone could be spending USD 1.87 billion a year on cyber security.

In the words of Willy Stössel, who heads the Cyber, Technology & Construction Team at Swiss Re Corporate Solutions and launched the report at Energy Day in Berlin, "Cyber risk today should not be seen strictly as an IT risk. It should be addressed as an enterprise-wide concern and as a key operational risk that demands effective risk management and strong management involvement at the highest level."

Christoph Frei, Secretary General of the World Energy Council, said: "What makes cyber threats so dangerous is that they can go unnoticed until the full extent of the damage surfaces, from stolen data and power outages to destruction of physical assets and great financial loss. Over the coming years we expect cyber risks to increase further and change the way we think about integrated infrastructure and supply chain management."

How to improve the sector's response to the rising threat

The report illustrates the rapid growth of cyber risks, looks at some recent incidents and explains implications for the energy sector.

Among other things, the report recommends that:

  • energy utilities view cyber as core business risk, increase awareness and build strong technical and human cyber resilience strategies,
  • technology companies play an innovative role, by monitoring the nature of cyber-attacks and embedding security features into the products they develop and deliver,
  • government policymakers stimulate the introduction of standards, regulation and support information sharing. Having a cybersecurity talent pool is vital given that demand for skilled workers outstrips supply at more than twice the growth rate seen in any other IT field.

Cyber insurance market to further innovate and grow

The report makes specific suggestions for the insurance and finance sectors to develop appropriate cyber insurance products and further grow the cyber insurance market. Insurance providers must stay abreast of constantly evolving technological developments and adapt insurance covers to a rapidly changing environment.

Swiss Re Corporate Solutions already follows this path, by partnering with IBM Security to provide advanced cyber risk protection products and services to companies worldwide. Clients benefit from IBM's outstanding knowledge of information technology security combined with cutting-edge underwriting by Swiss Re Corporate Solutions. We not only analyse and assess our clients' cyber risk exposure but also support them in dealing effectively with security breaches.

The road to resilience: managing cyber risks is the third in a series of reports that addresses the need for more investment and system change to increase resilience to emerging risks. Beyond cyber threats, such risks also include extreme weather events and the energy-water-food nexus.


​World Energy Perspectives: The road to resilience: Managing cyber risks