Axis Capital group Insurance
Insurers: Energy firm cyber-defense is 'too weak'
According to what BBC has learned, power companies are being refused insurance cover for cyber-attacks because their defenses are perceived as weak.
AXIS Capital is a group of Insurance companies based in Bermuda, London, Dublin, Canada, Australia and Singapore (servicing SE Asian countries as well such as KL Malaysia, Bangkok Thailand, Jakarta Indonesia and many more) who underwrite Energy Insurance has the same concern regarding this incidence.
According to underwriters at Lloyd's of London, they have seen a "huge increase" in demand for cover from energy firms.
However surveyor assessments of the cyber-defenses in place determined that protections were insufficient.
Energy industry veterans said they were "not surprised" the companies were being refused cover.
"In the last year or so we have seen a huge increase in demand from energy and utility companies," said Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London.
The market is one of not many places in the world where businesses can go to insure things like container ships, oil tankers, and large development projects and to safeguard cash that would help them pull through after tragedies.
For years, said Ms Khudari, Kiln and many other syndicates had offered cover for data breaches, to help companies recover if attackers penetrated networks and stole customer information.
Now, she said, the same firms were seeking multi-million pound policies to help them rebuild if their computers and power-generation networks were damaged in a cyber-attack.
"They are all worried about their reliance on computer systems and how they can offset that with insurance," she said.
Every company that uses for cover has to allow experts employed by Kiln and other underwriters examine their systems to realize if they are doing adequate to maintain trespassers out.
Assessors watch the steps firms take to maintain invaders gone, how they guarantee software is preserved current and how they manage networks of hardware that can span regions or whole countries.
Unfortunately, said Ms Khudari, after such checks were carried out, the majority of applicants were turned away because their cyber-defenses were lacking.
"We would not want insurance to be a substitute for security," she said.
What was not clear, she said, was why firms were suddenly seeking cover in large numbers.
Even though many governments had sent warnings about the risk from hackers, attackers and hacktivists to utility firms and other organizations running dangerous infrastructure, no one had instructed them to get cover.
"I think what's behind it is the increase in threats and the fact that a lot of these systems were never previously connected to the outside world," she said.
Mike Assante, who helped develop cyber-security standards for US utilities and now helps to teach IT staff how to defend critical infrastructure including power networks, said it was "unfortunately not surprising" that insurers were turning away energy firms.
Power generators and distributors had struggled with the complexity and size of the networks they managed, he said. In addition they had found it hard to find and recruit staff with the specialist skills to defend these systems, he added.
"There have been a number of incidents that have caused company leadership to re-evaluate their risk and develop strategies to mitigate it," he said in an email to the BBC.
Financial pressures and the ability to manage systems remotely was inadvertently giving attackers a loophole they could slip through, said Nathan McNeill, chief strategy officer at remote management firm Bomgar.
Trying to cut costs by linking up plant and machinery to a control centre so they could be managed remotely meant those systems were effectively exposed to the net, he said.
"If something has basic connectivity then it will become internet connectivity through some channel," he said.
This left critical infrastructure exposed, he said, because typically the control system for such hardware was written long before the web age and had only rudimentary security tools.
Identified as Scada (Supervisory Control and Data Acquisition), this software has come under growing inspection by security researchers who have uncovered many flaws in it.
In addition, added Mr McNeill, it was often very difficult to update the core code in many Scada systems to close loopholes that attackers had slipped through.
Ed Skoudis, who runs "war games" for IT and security staff at many US utilities, said the numbers of attacks on Scada and other control systems was escalating.
Malware was being written just to get at particular vulnerable elements in the infrastructure run by many utilities and manufacturers, he said.
Several invaders were just peculiar but others were supposed to be carrying out investigation in service of some upcoming occurrence.
US power companies had begun sharing information about attacks so everyone knew about all the threats to them, said Mr Skoudis.
"However," he added, "it's surprising no big incident has happened given how weak the infrastructure is. It's very hackable." This can lead to scams.