Hackers, criminal gangs and political activists are specifically targeting energy firms for financial and political reasons using increasingly sophisticated methods.
This is the conclusion of research from Marsh entitled "Advanced Cyber Attacks on Global Energy Facilities" that shows the energy sector is being disproportionately targeted for attack.
According to the US Department of Homeland Security, 53% of the 200 incidents responded to by its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) between October 2012 and May 2013 were directed toward the energy sector (see figure 1).
To put this into perspective, the second-highest industry was manufacturing, which attracted only 17% of attacks despite having a significantly larger business base.
The energy sector has adopted widespread use of Internet technologies and industrial control systems (ICS) over the past 15 years.
These systems bring considerable benefits to the sector that help to reduce costs and increase efficiency as part of the development of the complex infrastructure used by companies to manage and distribute energy to customers. However, these systems can be vulnerable to exploitation and attack if not fully secure.
Andrew George, global energy practice chairman, is calling for governments to work more closely with the sector to mitigate the increased levels of cyber risk.
He says, "… The nature and changing risk profile of the cyber threat demands a collaborative, risk-based approach from businesses and governments around the world".
George states, "Several energy firms have already suffered attacks originating from malicious software or viruses that have disrupted production and damaged hardware. A successful attack on a computer control or emergency shutdown system even at a small refinery, petrochemicals or gas plant, could result in estimated maximum losses as a result of fire or explosion worth hundreds of millions of dollars."
He acknowledged the value of insurance in mitigating the impact on the bottom line, but also stressed that energy firms should be fully alert to the risk and must consider cyber attack as inevitable. Mr George added "that more needed to be done by the energy sector to develop scenarios to identify, respond and contain any attacks".
The Marsh research follows reports from the BBC that raised concerns over the level of cyber security across the UK energy sector and that highlighted concerns over the scope and quality of cyber risk management from some firms in the insurance sector.
The full report can be downloaded from the Marsh website (registration required).