Click to edit...
How has insurance changed to protect oil and gas from cyber-threats?
For many, Covid-19 has meant working from home, and working from home has meant moving out of the safety of the office firewall. Virtual threats have not relented, but they are now working against industries that know their adversaries, and have plans for cyber-attacks.
Matt Farmer discovers more.
Credit: Henning Flusund
For defence and prevention, preparing for cyber-attacks in the time of Covid has involved contracts with software companies and considerations in business planning. For mitigation and eliminating risk, this has come back to the insurance industry.
Insurers have changed their policies to encompass cyber threats, but now BRIT Insurance is offering an individual cyber-insurance policy.
James Bright, senior underwriter for war and terrorism at BRIT Insurance said: “Oil and gas companies deal with massive assets, both above and below the sea, and above and below ground.
“Obviously it’s also an extensive use of manpower across their asset base, and all of the infrastructure is heavily automated. When something goes wrong, it can go wrong extremely quickly and cause catastrophic loss. So risk management procedures need to be rigorous, and education of employees in work practices should be at the top of the agenda.”
Cyber-security for oil and gas faces a triple threat
In particular, oil and gas faces a triple threat. Like other companies, offshore operators hold valuable assets. However, their identities are often intertwined with a sense of national identity, leading to them being attacked by other nation states.
Zeki Turedi, EMEA technology strategist for cybersecurity company CrowdStrike, points to the group REFINED KITTEN as an example of this. He said the group is “likely tied to the objectives of the Islamic Revolutionary Guard Corps of Iran.”
“The adversary has been involved in conducting primarily espionage-oriented operations since at least 2013, and targeting oil and gas businesses is a key part of its way of operating. Victims are likely sent an email that contains a file, which is typically used to display spoofed domains hosting a variety of job-themed content.”
At the same time as this, ‘hacktivism’ has led some private groups to infiltrate oil and gas companies on supposedly altruistic grounds. This can be in support of climate campaigners or for reasons of international politics.
Understanding whether an event happened because of a malicious actor may be challenging
Saudi Aramco found this out the hard way in 2012, when 35,000 computers were compromised and at least partially wiped. A collective called ‘Cutting Sword of Justice’ took responsibility due to the company’s support of the authoritarian Al Saud family.
Bright continued: “Obviously attribution for these types of events is extremely difficult. So understanding whether an event happened because of a malicious actor may be challenging.
“These types of businesses are no different to any other, whereby their exposure to, for example, ransomware, is as marked as in any other industry. In our experience, the events that happen, happen in the same way as they do in any other business. But I would say that I've seen a substantial increase in the way that cyber risk has been handled by the oil and gas industry; it has become an executive-level topic.”
In 2012, Saudi Aramco was exposed to the largest cyber intrusion in history.
Image: Saudi Aramco
“Cybersecurity has become an issue that's at the forefront of most people's minds”
As reliance on computers and automation has grown, general understanding of digital threats has grown with them. In May 2018, the European Union enacted the General Data Protection Regulation, often referred to as GDPR.
This has compelled companies to be cautious with personal data, and set out a system for “data controllers” to manage the information they store. For many, this has meant rewriting privacy policies and taking stock of how much potentially valuable information systems hold.
With the advent of GDPR, cybersecurity has become an issue that's at the forefront of most people's minds
Bright said the reporting of this has caused people to understand threats better: “With the advent of GDPR, cybersecurity has become an issue that's at the forefront of most people's minds. The oil and gas industry is no different. I've seen them spend more money and recruit more staff to cater for what they perceive to be an increased risk.
“I think clients have become better informed in terms of the type of products they can buy. I would also say those clients now understand their policy language to a greater extent. They understand where they have gaps in their policies and their desire to fill them has increased.
“Have there been more people approaching us for a specific product? Definitely, I think it's been a marked increase, not necessarily related to Covid, over the course of this year.”
The EU’s GDPR law has had the side effect of causing companies to tighten their cyber-security.
Image: EU Parliament/Dzoja Gunda Barysaite
New threats: leaving the office means leaving the firewall
Covid-19 has presented a security challenge to companies, and an opportunity for infiltrators to take advantage of new set-ups. Turedi of CrowdStrike outlined the threats: “Teams have looked to new technologies and services to support them - without due-diligence or supervision. Privacy, data protection, and GDPR are still extremely important, even though we have other pressing business matters to manage.
“Businesses need to protect themselves from breaches because adversaries are not ‘sheltering in place’ – and phishing threats using Covid-19 have increasingly targeted enterprises.
"Beyond authentication, the only way to secure users and stop breaches now that employees are off the corporate network is through cloud-delivered security that monitors and defends all devices in real time against known and novel threats.”
Clients are better protected when they have an affirmative policy
Insurance has evolved to cover cyber-threats, and the financial and physical impacts of them. Currently, attacks that result in large losses are often covered by a property or catch-all policy. Bespoke cyber-insurance is a new venture, which Bright feels will offer his clients peace of mind.
He said: “In any property or cyber policy, there can always be gaps or particular exclusions. Our product is designed to sit across both heads of cover and remove any doubts, because it's being underwritten by underwriters that have a suite of expertise across those two markets.
“The view we've always taken is that clients are better protected when they have an affirmative policy. One that details out exactly the cover that they want to purchase, rather than relying on grey policy language that they potentially have in place.”