54% of Cyber Attacks in Energy Sector

Brian Wood Blog

Mirror, mirror, on the wall, who’s the juiciest target of them all?

Evidently it’s the energy sector, which faced 54% of all incidents investigated by the DHS Cyber Emergency Response Team in an 8-month period between Oct 2012 and May 2013.

The article below was published in Canadian Underwriter — one of my very favorite online Canadian insurance and risk publications.

Emphasis in red added by me.

Brian Wood, VP Marketing


Cyber risk for U.S. power, utilities companies increasing

Critical infrastructure in the United States, and in the power and utilities sector in particular, is facing an increase in cyber attacks, leading to stronger regulation and the need for insurance coverage, according to a briefing from Marsh.

The energy industry faced more cyber attacks between October 2012 and May 2013 than any other sector, based on data from the Department of Homeland Security’s Cyber Emergency Response Team, according to the report. Of more than 200 incidents investigated during that time, 54% were in the energy sector.

“A power grid interruption as a result of a cyber attack has the potential to cost utilities and other infrastructure facilities millions of dollars in lost revenue, regulatory fines, and additional expenses to restore operations and to improve cyber securities defenses, not to mention reputational damage,” Matt McCabe, a senior advisory specialist within Marsh’s Network Security and Privacy Practice, noted in a statement.

“The incidents have also prompted the federal government to propose stronger cyber security practices for utilities and other infrastructure owners and operators.”

Those include a move by the Federal Energy Regulatory Commission (FERC) in April to adopt new standards that address criticism that cyber security oversight relies on both voluntary and compulsory practices, the report suggests.

“In 2011, the Securities and Exchange Commission released guidance for all publicly traded firms – including energy companies – instructing them to disclose material cyber risks to investors in their quarterly and annual financial statements,” the briefing also notes.

Along with seeking out cyber insurance policies, Marsh also recommends that firms emphasize employee training regarding cyber threats.

“Organizations should ensure that only proven technology is used to protect their control systems, and should engage in penetration testing – at all levels – of security systems and firewalls,” along with periodic threat assessment reviews, the briefing adds.

“The volume of cyber attacks on critical infrastructure, along with regulatory and legal scrutiny, is only likely to grow. Utilities and other operators, in consultation with their risk and insurance advisors, will need to remain diligent to manage the complex financial and regulatory risks posed by cyber exposures and to protect vital systems and assets from outside attacks.”