Understanding the cyber risks in oil & gas
One side effect of the global spread of COVID-19 has been the rapid rise in the number of cyber-attacks on all industries - up 33% from 2019.
Cybercriminals - and hackers known as ‘bad actors’ - seek to exploit vulnerabilities in the IT infrastructure and security of companies. In addition to the COVID-19 upheaval, these opportunists are seeing that the oil and gas sector is also currently distracted by the crash in oil prices. This perfect storm of threats to the industry means that many management teams are focussed on crisis management in other areas of their business.
Of more concern is that many companies in the sector simply don’t have the ability to provide an effective response to a cyber crisis at the current time. With many countries still in lockdown, executing cyber-attack response plans and establishing crisis teams to work on the ground to restore critical systems and services is still not currently possible.
The industry has never been more dependent on technology to gain efficiencies and automate processes and systems. Hacks to oil and gas control systems can result in unauthorised amendments to software and therefore the processes they are controlling, with potentially devastating consequences.
The most common modes of cyber-attack facing oil and gas companies are via malware, ransomware and phishing. These attacks are often performed with social engineering campaigns leveraging malicious emails that force victims to install malware that steals financial data and personal information and can act as a back door into the systems of a company.
Unfortunately, complacency has set in. The highest-profile cyber incidents have largely involved the loss of consumer data, from financial services, retail or healthcare companies. This misleads many oil and gas companies into believing that cyber-attacks are only a threat to businesses which process or store large volumes of sensitive data. However, several significant hacks in recent years have demonstrated that the energy and petroleum sectors are among the most vulnerable – and that much more tangible assets than just data are at stake.
Oil and gas systems and facilities have not been designed with digital security as a priority, but instead for efficiency, longevity and durability. Testing has shown that bad actors could be capable of causing physical damage remotely, ranging from power outages to major fires and destructive attacks on critical assets. This type of attack by bad actors could also extend to disabling national electricity grids, starting electrical fires, disabling safeguards and warning systems, and causing explosions and loss of life on oil rigs. Such events could result in a whole range of losses, including capital asset damage, long-lasting business interruption and loss of earnings. In the cases of energy and critical national infrastructure, this risk could enter the realm of cyber terrorism and state-sponsored attacks.
While there have been some public reports of the impact that a cyber-attack can have on the physical processes in a plant or offshore rig, awareness is still limited – meaning many businesses still have exposures not adequately dealt with by their insurance policies. It is crucial, therefore, that management teams of these businesses engage with the insurance industry to better understand the risk they face – and what their policies provide cover for. Many insurers provide companies in the industry with additional ‘value-add’ services, including extensive risk management training tools and access to global cyber experts, including IT and forensic specialists, lawyers and crisis PR.
This article was contributed by James Bright, Senior Underwriter at Brit Insurance