Underwriters are reportedly refusing to insure energy firms because poor security controls are leaving them wide open to attacks by hackers and malware infestations.
Lloyd's of London told the BBC they had seen a surge in requests for insurance from energy sector firms but poor test scores from security risk assessors means that insurers are turning down potential multi-million pound contracts.
"In the last year or so we have seen a huge increase in demand from energy and utility companies," said Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London, told the Beeb. "They are all worried about their reliance on computer systems and how they can offset that with insurance."
Infosec experts called in to review energy sector systems come back with negative reviews. And that means offering "safety net" insurance against breaches is not viable as a business proposition.
"We would not want insurance to be a substitute for security," Khudari explained.
Lloyd's operates a world renowned marketplace that offers a means to obtain commercial insurance for anything from container ships to large development projects. Insurance firms have been offering data breach insurance since at least 2009, if not earlier.
Specialist insurance firm Beazley’s client roster includes 30 per cent of the world’s top 200 oil and gas companies, as well as major banking and financial institutions. Last December the firm announced it had helped its clients recover from a combined total of 1,000 security breaches over the years. Most of Beazley’s services focus on incident response.
Separately, Allianz Global Corporate & Specialty recently unveiled a suite of products to protect businesses against issues that can arise from a serious cyber attack or data breach.
Industrial control plants at power utilities and other energy sector firms, as elsewhere, rely on SCADA (Supervisory Control and Data Acquisition) technology. These legacy systems are increasingly being connected to the internet, essentially to make them easier to manage remotely. At the same time, more and more security problems are being discovered by security researchers investigating industrial plant security in the wake of the infamous Stuxnet worm, which has made research into the formerly overlooked topic "sexy".
More and more problems are being discovered in crucial systems that are rarely patched and this creates a recipe for disaster.
Jonathan Roach, principal security consultant at Context Information Security, told El Reg: "SCADA systems have not been patched in years for various reasons: isolation of SCADA networks making the process of patching awkward; lack of motivation to perform what is sometimes seen as a risky process to a critical plant component; terms of software support contracts".
With all this in mind, it's no great surprise to find underwriters turning down lucrative energy sector insurance contracts.
Chris McIntosh, chief exec of ViaSat UK, which provides security and secure communications for clients including US energy companies, said problems obtaining insurance are a symptom of a wider malaise.
"Energy firms seeking insurance against cyber-attacks shows the vulnerability of our critical infrastructure is finally hitting home," McIntosh said. "According to a recent Zpryme Research study, half of infrastructure providers in the US believed electrical networks were insecure. While previously, attacking national energy or resource infrastructure would have involved compromising dedicated communication networks, the modernisation of these networks has made them part of the internet and so more vulnerable than ever.
"However, insurance is only a plaster over these underlying weaknesses. Organisations need to act now to protect their networks and address the unique nature of interconnected real-time control systems. Encryption of data in transit and rigorous authentication protocols, for example, should become de rigueur,” said McIntosh.
“Unless energy companies demonstrate they are taking the necessary precautions, insurers will keep them at arm’s length, public trust will fall, and the resilience of the country’s critical national infrastructure will inevitably suffer as a result," he added.
Thales UK maintains the control systems for British Energy plants in the UK and is also involved in the building of the Hinkley Point B nuclear power station.
Tony Burton, critical national infrastructure protection business lead at Thales UK said ageing legacy systems at power plants need to be secured one way another. He suggested the insurance firms' stance has the potential to serve as a much needed wake-up call.
"Legacy systems, often built before the internet existed, were simply not designed with the levels of interconnection and security threat we see today," Burton said. "Even systems that have remained isolated from the internet and business IT systems are vulnerable to threats that can ‘leap the air-gap’ via process, people and physical (eg, USB stick) vectors.
"Energy firms and other areas of critical national infrastructure are beginning to face up to this challenge and are increasingly recognising that good security is good business.”
“The insurance issue and contingency holdings are prime examples of how good security can have a positive effect on the bottom line results of these companies,” continued Burton. “However, the security of these operations is not a simple challenge and this is what the insurers are beginning to recognise." ®