Simon Cooper Consultant
Cyber attack and the energy industry – what will you be holding when the music stops?
The worldwide ransomware attacks of 12 May 2017 have made it clear that any business is vulnerable to a cyber attack. The WannaCry virus was unleashed on everything from hospitals in England to car manufacturers in France and petrol stations in China. Although its further dissemination has been stopped, it is confidently predicted that the attacks will return.
Attacks of this nature are not new and have already impacted the energy industry on a number of occasions. These attacks are said to be growing in frequency and the US NSA estimates that 41% of reported attacks in the US target the energy sector.
Many of the cyber attacks on the industry have been motivated by politics. These include attacks attributed to Iran on both the US and Saudi Arabian energy business, including the 2012 attacks on Saudi Aramco which disabled 35,000 computers in a matter of hours and, most recently, extensive attacks in February of this year targeting a number of Saudi agencies including Sadara. Other large-scale attacks have been reported in Qatar and in Norway in 2014.
The energy sector is vulnerable also to attacks by terrorists and groups such as environmental and political activists. Criminals are another source of interference often seeking to extort money or steal funds and data. Finally, it is suggested that competitors may also initiate attacks in the hope of obtaining valuable intellectual property and/or causing disruption.
The energy industry is vulnerable to these cyber attacks partly due to the importance of oil and gas to national security and infrastructure, which means it is a prime target for nation states, terrorists and activists.
In addition, however, the structure of the industry's operating systems creates particular vulnerabilities which could allow hackers a route into crucial operating technology in everything from drilling sites to pumping units and pipelines. The risks are exacerbated by the fact that in many cases the operational technology in use was designed at a time before cyber security became a central concern.
The advent of the industrial internet of things has undoubtedly improved efficiency levels. The IIOT can allow remote workforces to monitor and control distant operating units. Unless properly managed and protected, however, the IIOT will undoubtedly create further potential vulnerabilities to be exploited by cyber attackers.
It is particularly important, therefore, that parties operating in the oil & gas industry are alert to the danger of assuming even greater cyber risk through their contractual arrangements. There are a number of issues that arise in this context:
· First, contractors are increasingly required to commit to certain set standards of cyber security such as a requirement that systems comply with appropriate security standards.
· Secondly, and perhaps more alarmingly from the contractors’ perspective, are contractual terms which make the contractor liable to the company for any damage to the company’s systems, and any liability to any third party which the company may incur, which result from a virus or other form of malware introduced into those systems by the contractor or its employees or agents.
· Finally, contractors should be wary of contractual terms which release the company from any liability for damage to the contractors’ own systems resulting from malware introduced through the company’s own systems.
While today’s commercial realities may mean that it is not possible for contractors to resist the inclusion of clauses of this nature altogether, an informed and careful approach at the time that contractual terms are drafted can avoid the most severe outcomes and enable the contractor to assess the risks and adopt appropriate counter measures.
Among those possible counter measures is the optimisation of the contractor’s own insurance arrangements to maximise protection in the event of a cyber attack.
Many existing, conventional insurances will provide an element of so-called ‘silent cyber insurance’: that is, cover for cyber related losses is not expressly included, but the insuring clause can be construed as providing such cover and there is no express exclusion for it. It is right to say that this is an issue which is causing insurers increasing concern and it seems likely that, market conditions allowing, they will be taking steps to control this kind of cover. For the time being, however, it remains a source of protection.
The alternative is a specialist cyber policy designed specifically to respond to cyber related losses. There is, however, no consistent structure to, or protection offered by, these policies and it will be necessary in each case to consider the wording carefully to ensure it provides the necessary protection. Particular care needs to be given to the insuring clause and any exclusions (many cyber policies for example exclude liability for physical loss and personal injury) as well as to the notification provisions and disclosure requirements. If in any doubt about the policy’s effectiveness, it is advisable to seek expert help.
Finally, there are a number of steps which contractors can take to reduce their exposure. Perhaps the first and most important of these is the education of their workforce on basic cyber security. Research has shown repeatedly that a company’s greatest area of vulnerability is its staff’s lack of awareness of the dangers of cyber attack and the basic safety steps which should be observed, for example, to avoid phishing and spear-phishing attacks.
A further measure which will undoubtedly limit the impact of any cyber attack, reducing both the cost and the reputational damage, is to ensure that there is a proper incident response plan in place. Thought should be given not only to how to bring affected units back into operation but also how to deal with the consequences of any attack, for example through an appropriate media strategy.