Cyber Security

Physical Education: Cyber risks in oil & gas

Written by James Bright, Senior Underwriter at Brit Insurance

Cyber threats are not just limited to the digital world but can manifest themselves as direct risks to physical assets.

One side effect of the global spread of COVID-19 has been the rapid rise in the number of cyber-attacks across all sectors, which have risen by a third compared to the same period in 2019. Cybercriminals – ‘bad actors’ – are using the opportunity to exploit vulnerabilities in the IT infrastructure and security of companies.

In addition to COVID-19, these opportunistic bad actors are seeing that the oil and gas sector is also currently distracted by the crash in oil prices. This perfect storm of threats to the industry means that many management teams are stretched more thinly, combatting crises in several parts of their business.

In the last three years, there has undoubtedly been a huge increase in awareness of how cyber-crime can threaten customer data and interrupt business processes. However, while data breaches are widely reported and are served by increasingly sophisticated insurance products to cover financial losses, there is a pressing need for greater education about another cyber risk – especially in sectors such as the oil and gas industry.

What is ‘cyber physical’?

All industries, not just the energy sector, have developed an unprecedented reliance on operational technology to gain efficiencies and automate processes and systems. Hacks to oil and gas control systems can result in unauthorised amendments to software and therefore the processes they are controlling, with potentially devastating consequences.

Instead of healthcare data loss, or a distributed denial-of-service (DDoS) attack on a retailer’s website, in this industry an attack could manifest as a whole range of financial and physical losses, from property damage and loss of life to business interruption and loss of earnings.

Oil and gas systems and facilities have not been designed with digital security as a priority, but instead for efficiency, longevity and durability. Penetration testing has shown that bad actors could be capable of causing physical damage remotely, ranging from power outages, to major fires and destructive attacks on critical assets.

By disabling safeguards, sensors and warning systems, bad actors could potentially shut down national electricity grids, start electrical fires, cause explosions and loss of life on oil rigs. In the cases of energy and critical national infrastructure, these risks could cross over into cyber terrorism and state sponsored attacks.

How is the industry responding?

The oil and gas industry has grown complacent. The highest profile cyber incidents (and headline grabbing GDPR fines) have largely involved the loss of consumer data, from financial services, retail or healthcare companies. This misleads many oil and gas companies into believing that cyber-attacks are only a threat to businesses which process or store large volumes of sensitive data.

However, several significant hacks in recent years have demonstrated that the energy and petroleum sectors are among the most vulnerable – and that assets, much more tangible than just data, are at risk.

What role does the insurance industry play?

The challenge for businesses operating in the energy sector – and the insurance industry itself – is that hacks into operational systems remain severely underreported, with the number of companies affected far greater than currently recognised. If this information were available, through an industry-wide, health and safety style reporting system, energy companies would better understand their exposure to, and the implications of, a cyber-hack. As a result, they would be far better equipped to buy suitable insurance cover and to mitigate the underlying risks.

While there have been some public reports of the impact that a cyber-attack can have on the physical processes in a refinery or offshore rig, awareness and understanding are still limited – meaning many businesses still have exposures not adequately dealt with by their insurance policies.

It is crucial, therefore, that management teams of these businesses engage with the insurance industry to better understand the risks that they face – and that their policies provide cover for.

Insurers such as Brit are able to provide additional ‘value-add’ services to the industry as well as insurance cover, including extensive risk management training tools and access to global cyber experts, including IT and forensic specialists, lawyers and crisis PR advisers.

What next?

As one of the first providers of cyber-physical insurance in the London market, we have seen a marked increase in interest in, and take-up of, cyber cover against physical damage in the last two years. There have also been significant regulatory changes in the US and Europe to encourage disclosure of technology risk, for example requiring that oil & gas rigs use a cyber-risk assessor and demonstrate that adequate preparation is in place.

There is still a long way to go before cyber threats to physical assets are properly understood by companies and fully covered by insurers. The losses that bad actors cause are both large and increasing; we hope that it will not take a monumental loss of capital assets or human life before the energy sector fully recognises the very real and serious threat of a cyber physical attack.