Cyber criminal creativity should put oil and gas sector on the defensive

Cyber risk is a well-known threat for businesses across all sectors, from the troves of personal data housed by financial institutions, to nationally significant infrastructure governed by our public sector. However, the implications for private oil and gas companies are less understood.

“From an insurance market standpoint there are quality cyber insurance products available,” explains Gallagher oil and gas specialist insurance broker Teagan Musgrave. 

“However, generally speaking the cyber insurance market for exploration and production companies is not quite as mature as other markets, considering the very real, evolving cyber threats the sector faces.”

Under the pump 

In 2014, oil and gas companies in Europe came under attack. As reported at the time by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), hackers identified and targeted 50 oil and gas organisations — among others — using sophisticated phishing and Trojan horse attacks designed to exploit their internal vulnerabilities.

That the energy sector would be a direct target should come as no surprise. As Gallagher noted in its recent Market Overview 2017: The Perfect Storm, the US Department of Homeland Security has named the energy sector a primary cyber target. In 2016, the energy sector in the US was the second most prone industry to cyber-attacks, with nearly three-quarters of oil and gas companies experiencing at least one cyber incident.

PwC’s 20th CEO Survey of the oil and gas industry conducted in 2017 revealed 90 per cent of respondents across 39 countries viewed this seriously, and were taking preventative action against IT outages or disruptions, and viewing cyber security, social media risks and breaches of data privacy as more concrete threats than ever before.

However, perception in Australia often lags reality. Local facilities have not traditionally been considered a significant risk by global operators, despite their experience at home. Given the inextricable link between energy security and national security, the local oil and gas sector should be more awake to the threat. After all, it took just one group of politically-motivated hackers to deploy disk-wiping malware Shamoon against Saudi Arabia’s oil and gas industry in 2012, successfully crippling 30,000 computers.

“We need to have continued discussions about cyber security. It is a key emerging risk, and the onus is on boards, CIOs and operational staff to continue to delve into the issue and work together with their risk management team and broker to arrive at solutions that protect their interests,” Musgrave says.

Not just a drill

Criminals actively exploit human and process weakness to gain money, information, cause damage - or wreak havoc.

“That could be people sending emails requesting a change to banking details, which could then lead to people paying out large sums of money to the wrong place,” Musgrave says. “What is required are robust policies and procedures so that doesn’t happen; for example, if someone is updating banking details, verification and sign-off procedures need to be in place to ensure the risks posed by these risks are managed.”

However, the landscape is evolving with the increased connectivity of infrastructure through digitisation and the internet of things. “The question comes down to the level of your exposure. Depending on the type of business a client operates - upstream or downstream - exposures vary. For example, if you have an offshore platform, are you exposed to hacking? Is there a way to mitigate that exposure?”

Managing the machines

The oil and gas sector isn’t alone in having to come to terms with cyber risk. Musgrave says that “the people who mount cyber attacks are very creative and their ability to manipulate or write programs to gain the information they want is quite amazing. They are always finding different ways to access information, so it's a difficult and evolving risk”.

That’s what will put cyber security at the top of the list of emerging risk issues in the oil and gas sector for the foreseeable future. Gallagher has urged the industry to consider preemptive positioning to ensure adequate cover. Currently, interruption insurance is based on barrel price and work activity, with minimal investment in the actual cost of suspended operations. However, although the value of the market is about US$1–1.5 billion, companies are making interruption claims of up to US$6 billion.

“We aim to have open communications with all of our oil and gas clients, and make sure we ask the questions that get the answers they need,” she says. “In the end, this allows us to ensure the risks clients face are met with adequate management and insurance.”

Connect with an expert

Further reading

Cyber insurance

Do I need cyber-liability insurance?