Utilities

/Utilities
Utilities2018-07-18T17:03:34+00:00

According to a Unisys survey released in partnership with the Ponemon Institute:

Information security professionals all know the cyber risks to oil and gas, utilities, alternative energy, and manufacturing industries, and when it comes to strategic priorities, one would think that security remained a key priority across these sectors. Unfortunately, for the majority of providers, it’s not. Nearly 70 percent of companies surveyed that are responsible for the world’s power, water, and other critical functions have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months.

External threats, malware and insider exploits are the three largest threat vectors to the Utilities sector
Driving critical infrastructure often means that utilities are seen as actors of their respective states, even if privately owned. This means that they are prime targets for widespread attacks
Three-quarters of energy companies and utilities have experienced at least one data breach in the past 12 months, resulting in average clean-up costs of $156,000 per breach
Power companies and other utilities use SCADA networks to control their processes. The reality is that SCADA networks are designed to drive function, not necessarily security, putting the supervisory controls at these companies at risk from interruption due to a cyber event
Heavily reliant on a supply chain to drive sales, manage bulk contracts, and often maintenance and other sub-suppler responsibilities
In such a competitive industry, system disruption or downtime at a utility company due to a cyber event can have serious reputational implications and cause financial harm
With such extensive employee networks, it is difficult to manage human error and limit data breaches and ensure network integrity
Given the breadth of their consumer base, the clients of utility companies are often targeted in phishing attacks aimed at fooling victims to trust email URLs from their utility company. The attacks drive clients to click on malicious links or open infected documents
Reliant on revenue from supplying their consumer base, utilities must ensure customers can process billings 24/7
Screenshot 2016-05-04 11.24.12

Malicious Cyber Events are often the hardest to predict and can cause the most reputational harm. The intent of a malicious attack is often to disrupt operations, access data and to seek financial gain. These events can materialise in a number of ways:

  • Cyber extortion
  • Privacy breaches or network security events
  • Data or system degradation

E-Cyber is designed to protect utilities companies against these malicious cyber attacks providing comprehensive coverage for crisis management in identifying and resolving the cause of the cyber or extortion event, as well as offering the financial protection for any fallout, such as:

  • the increased cost of working or direct loss of net income due to the covered event
  • defence costs and any subsequent damages or fines which may be incurred as a result of the event
Screenshot 2016-05-04 11.26.26

Data manipulation, ransom, and breaches are a concern for Utilities.

Whether the data is corrupted, exposed, or held ransom, E-Cyber is designed with an understanding of the inherent exposure utility companies encounter. The policy is designed to cover the cost to the company of managing through a breach, or a ransom event, as well as data restoration in the event of a cyber event. The policy further extends to consider the legal and regulatory implications of data breaches and covers any fines and penalties with regard to a regulatory investigation.

Screenshot 2016-05-04 11.27.45

A system failure by human error, programming error or computer malfunction can cause disruption to customers and extensive financial losses to the company. Any outage can erode a company’s competitive edge, affecting their reputation and customer base. The cost of getting systems back online can be huge and an immediate response is necessary.

Much like data management, maintaining network integrity presents a serious challenge, as inadvertent System Failures can be just as disruptive as malicious cyber attacks. Whether the failure is caused by negligence or a mistake in managing the company’s system, a programming error, or a malfunction or failure of the company’s system, the operational outage will undoubtedly cause financial loss.

Many of these system exposures are intended to be covered within the E-Cyber policy as the triggers for business interruption and the liability sections extend beyond malicious acts and to the practicalities of managing a system failure. As a result, we handle many of these system interruptions as if they were malicious and would look to provide coverage for event management to identify and resolve the system failure, the increased cost of working or direct loss of net income due to the covered event, or any defence costs and any subsequent damages or fines which may be incurred as a result of the event.

CASE STUDIES

April 2016 – a US water and light utility were the victim of a ransomware attack which knocked their internal computer systems offline and encrypted their data. The utility decided to shut down its network and suspended some services in order to prevent further damage. A hefty ransom was demanded.

December 2015 – Over 225,000 people lost power when hackers gained access to three regional electric power distribution companies. Attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure. The hackers also attempted to delay the restoration by wiping SCADA servers after they caused the outage.

August 2012 – One of the world’s largest oil companies suffered a malicious attack resulting in 35,000 computers being partially wiped or destroyed. This denial of service attack (DDoS) put at risk 10% of the world’s oil supply. Although core oil and gas productions were not ultimately affected, the network was down for over 10 days resulting in substantial losses.

March 2016 – A US water utility was the subject of a cyber attack carried out by a group with ties to Syria. Hackers gained access to the SCADA control system and adjusted the chemical levels being used to treat tap water. The hack also resulted in the exposure of the personal information of 2.5 million customers.

January 2012 – Two large US utility companies experienced data security incidents affecting 1.8 million customers data. The exposed data included customers dates of birth, security numbers and financial accounts.

February 2011 – The Night Dragon hacking attacks targeted some of the world’s largest petrochemical companies. The attacks were to gain access to sensitive data to include operation details, exploration research and financial data. Sophisticated hacking techniques were used and included SQL injection, password hacking and remote access Trojans. The Night Dragon attacks origin had been tracked back to China.

August 2003 – An electricity company sustained a massive blackout due to a software bug in the alarm system at the operator’s control room. As the alarm did not activate, the operator was not aware of the overload and failed to redistribute the power supply, causing the transmission lines to sag, and make contact with the treeline below. As a result a 3,500 megawatt power surge and a race condition in the control software turned what could have been a manageable localised blackout, into a situation where over 50 million people were without power.