Simon Cooper Consultant
Cyber attack and the energy industry – what will you be holding when the music stops?
The worldwide ransomware attacks of 12 May 2017 have made it clear that any business is vulnerable to a cyber attack. The WannaCry virus was unleashed on everything from hospitals in England to car manufacturers in France and petrol stations in China. Although its further dissemination has been stopped, it is confidently predicted that the attacks will return.
Attacks of this nature are not new and have already impacted the energy industry on a number of occasions. These attacks are said to be growing in frequency and the US NSA estimates that 41% of reported attacks in the US target the energy sector.
Many of the cyber attacks on the industry have been motivated by politics. These include attacks attributed to Iran on both the US and Saudi Arabian energy business, including the 2012 attacks on Saudi Aramco which disabled 35,000 computers in a matter of hours and, most recently, extensive attacks in February of this year targeting a number of Saudi Agencies including Sadara. Other large scale attacks have been reported in Qatar and in Norway in 2014.
The energy sector is vulnerable also to attacks by terrorists and groups such as environmental and political activists. Criminals are another source of interference often seeking to extort money or steal funds and data. Finally, it is suggested that competitors may also initiate attacks in the hope of obtaining valuable intellectual property and/or causing disruption.
The energy industry is vulnerable to these cyber attacks partly due to the importance of oil and gas to national security and infrastructure which means it is a prime target for nation states, terrorists and activists.
In addition, however, the structure of the industry operating systems create particular vulnerabilities which could allow hackers a route into crucial operating technology in everything from drilling sites to pumping units and pipelines. The risks are exacerbated by the fact that in many cases the operational technology in use was designed at a time before cyber security became a central concern.
The advent of the industrial internet of things has undoubtedly improved efficiency levels. The IIOT can allow remote workforces to monitor and control distant operating units. Unless properly managed and protected, however, the IIOT will undoubtedly create further potential vulnerabilities to be exploited by cyber attackers.
It is particularly important, therefore, that parties operating in the oil & gas industry are alert to the danger of assuming even greater cyber risk through their contractual arrangements. There are a number of issues that arise in this context:
· First, contractors are increasingly required to commit to certain set standards of cyber security such as a requirement that systems comply with appropriate security standards.
· Secondly, and perhaps more alarmingly from the contractors’ perspective, are contractual terms which make the contractor liable to the company for any damage to the company’s systems, and any liability to any third party which the company may incur, which result from a virus or other form of malware introduced into those systems by the contractor or its employees or agents.
· Finally, contractors should be wary of contractual terms which release the company from any liability for damage to the contractors’ own systems resulting from malware introduced through the company’s own systems.
While today’s commercial realities may mean that it is not possible for contractors to resist the inclusion of clauses of this nature altogether, an informed and careful approach at the time that contractual terms are drafted can avoid the most severe outcomes and enable the contractor to assess the risks and adopt appropriate counter measures.
Among those possible counter measures is the optimisation of the contractor’s own insurance arrangements to maximise protection in the event of a cyber attack.
Many existing, conventional insurances will provide an element of so called ‘silent cyber insurance’ – that means, cover for cyber related losses is not expressly included but the insuring clause can be construed as providing such cover and there is no express exclusion for it. It is right to say that this is an issue which is causing insurers increasing concern and it seems likely that, market conditions allowing, they will be taking steps to control this kind of cover. For the time being, however, it remains a source of protection.
The alternative is a specialist cyber policy designed specifically to respond to cyber related losses. There is, however, no consistent structure to, or protection offered by, these policies and it will be necessary in each case to consider the wording carefully to ensure it provides the necessary protection. Particular care needs to be given to the insuring clause and any exclusions (many cyber policies for example exclude liability for physical loss and personal injury) as well as to the notification provisions and disclosure requirements. If in any doubt about the policy’s effectiveness, it is advisable to seek expert help.
Finally, there are a number of steps which contractors can take to reduce their exposure. Perhaps the first and most important of these is the education of its workforce on basic cyber security. Research has shown repeatedly that a company’s greatest area of vulnerability is its staff’s lack of awareness of the dangers of cyber attack and the basic safety steps which should be observed, for example, to avoid phishing and spear-phishing attacks.
A further measure which will undoubtedly limit the impact of any cyber attack, reducing both the cost and the reputational damage, is to ensure that there is a proper incident response plan in place. Thought should be given not only to how to bring affected units back into operation but also how to deal with the consequences of any attack, for example through an appropriate media strategy.
Related news & insights
News / Shell agrees pay out to Nigerian community to settle long-running oil spill dispute
17-08-2021 / Energy & Infrastructure
In 1991, the Ejama-Ebubu people began a legal campaign to hold Shell Nigeria (“Shell”) accountable for an oil spill that occurred in 1970. Shell accepted that these oil spills had occurred, but argued that these were caused by “third parties” during the Biafran war, for which Shell should not be held liable. Almost 20 years later, in 2010, a Nigerian Federal court ordered Shell to pay 17 billion naira to the Ejama-Ebubu community. Shell has unsuccessfully attempted to challenge this ruling over several years and, in November 2020, the Nigerian Supreme Court ruled that Shell could no longer appeal the decision.
News / Ince launches integrated specialist sanctions compliance solution with Windward
11-08-2021 / Energy & Infrastructure, Maritime
News / The Bribery Act: ten years on
19-07-2021 / Energy & Infrastructure
News / The rise in climate change litigation: Royal Dutch Shell and beyond
15-07-2021 / Energy & Infrastructure
Climate change litigation is a growing trend, as the legal industry bears witness to a constant rise in claims brought against both governments and private corporations for either failing to prevent, or contributing to, harmful carbon emissions across the world.
Insights / LOGIC General Terms & Conditions Edition 3: Our considerations
30-06-2021 / Energy & Infrastructure
LOGIC has recently published Edition 3 of the LOGIC General Terms & Conditions (Including Guidance Notes) of Contract for Marine Construction (referred to herein as the “Contract”).
News / Hague orders emissions cut: a brave new world for energy and beyond?
27-05-2021 / Energy & Infrastructure, Maritime