Cyber attack and the energy industry – what will you be holding when the music stops?


The worldwide ransomware attacks of 12 May 2017 have made it clear that any business is vulnerable to a cyber attack. The WannaCry virus was unleashed on everything from hospitals in England to car manufacturers in France and petrol stations in China. Although its further dissemination has been stopped, it is confidently predicted that the attacks will return.

Attacks of this nature are not new and have already impacted the energy industry on a number of occasions. These attacks are said to be growing in frequency and the US NSA estimates that 41% of reported attacks in the US target the energy sector.

Many of the cyber attacks on the industry have been motivated by politics. These include attacks attributed to Iran on both the US and Saudi Arabian energy businesses, including the 2012 attacks on Saudi Aramco, which disabled 35,000 computers in a matter of hours, and, most recently, extensive attacks in February of this year targeting a number of Saudi agencies including Sadara. Other large-scale attacks have been reported in Qatar and in Norway in 2014.

The energy sector is vulnerable also to attacks by terrorists and groups such as environmental and political activists. Criminals are another source of interference often seeking to extort money or steal funds and data. Finally, it is suggested that competitors may also initiate attacks in the hope of obtaining valuable intellectual property and/or causing disruption.

Technical vulnerabilities

The energy industry is vulnerable to these cyber attacks partly because of the importance of oil and gas to national security and infrastructure, which makes it a prime target for nation states, terrorists and activists.

In addition, however, the structure of the industry's operating systems creates particular vulnerabilities which could allow hackers a route into crucial operating technology in everything from drilling sites to pumping units and pipelines. The risks are exacerbated by the fact that in many cases the operational technology in use was designed at a time before cyber security became a central concern.

The advent of the Industrial Internet of Things (IIoT) has undoubtedly improved efficiency levels. The IIoT can allow remote workforces to monitor and control distant operating units. Unless properly managed and protected, however, the IIoT will undoubtedly create further potential vulnerabilities to be exploited by cyber attackers.

Contractual vulnerabilities

It is particularly important, therefore, that parties operating in the oil & gas industry are alert to the danger of assuming even greater cyber risk through their contractual arrangements. There are a number of issues that arise in this context:

·  First, contractors are increasingly required to commit to certain set standards of cyber security such as a requirement that systems comply with appropriate security standards.

·  Secondly, and perhaps more alarmingly from the contractors’ perspective, there are contractual terms which make the contractor liable to the company for any damage to the company’s systems, and any liability to any third party which the company may incur, which result from a virus or other form of malware introduced into those systems by the contractor or its employees or agents.

·  Finally, contractors should be wary of contractual terms which release the company from any liability for damage to the contractors’ own systems resulting from malware introduced through the company’s own systems.

While today’s commercial realities may mean that it is not possible for contractors to resist the inclusion of clauses of this nature altogether, an informed and careful approach at the time that contractual terms are drafted can avoid the most severe outcomes and enable the contractor to assess the risks and adopt appropriate counter measures.

Insurance solutions?

Among those possible counter measures is the optimisation of the contractor’s own insurance arrangements to maximise protection in the event of a cyber attack.

Many existing, conventional insurances will provide an element of so-called ‘silent cyber insurance’: that is, cover for cyber-related losses is not expressly included, but the insuring clause can be construed as providing such cover and there is no express exclusion for it. It is right to say that this is an issue which is causing insurers increasing concern and it seems likely that, market conditions allowing, they will be taking steps to control this kind of cover. For the time being, however, it remains a source of protection.

The alternative is a specialist cyber policy designed specifically to respond to cyber related losses. There is, however, no consistent structure to, or protection offered by, these policies and it will be necessary in each case to consider the wording carefully to ensure it provides the necessary protection. Particular care needs to be given to the insuring clause and any exclusions (many cyber policies for example exclude liability for physical loss and personal injury) as well as to the notification provisions and disclosure requirements. If in any doubt about the policy’s effectiveness, it is advisable to seek expert help.

Self help

Finally, there are a number of steps which contractors can take to reduce their exposure. Perhaps the first and most important of these is the education of their workforce on basic cyber security. Research has shown repeatedly that a company’s greatest area of vulnerability is its staff’s lack of awareness of the dangers of cyber attack and of the basic safety steps which should be observed, for example, to avoid phishing and spear-phishing attacks.

A further measure which will undoubtedly limit the impact of any cyber attack, reducing both the cost and the reputational damage, is to ensure that there is a proper incident response plan in place. Thought should be given not only to how to bring affected units back into operation but also how to deal with the consequences of any attack, for example through an appropriate media strategy. 

Simon Cooper, Consultant
