Energy firm cyber-defence is 'too weak', insurers say
Power companies are being refused insurance cover for cyber-attacks because their defences are perceived as weak, the BBC has learned.
Underwriters at Lloyd's of London say they have seen a "huge increase" in demand for cover from energy firms.
But surveyor assessments of the cyber-defences in place concluded that protections were inadequate.
Energy industry veterans said they were "not surprised" the companies were being refused cover.
"In the last year or so we have seen a huge increase in demand from energy and utility companies," said Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London.
The market is one of few places in the world where businesses can come to insure such things as container ships, oil tankers, and large development projects and to secure cash that would help them recover after disasters.
For years, said Ms Khudari, Kiln and many other syndicates had offered cover for data breaches, to help companies recover if attackers penetrated networks and stole customer information.
Now, she said, the same firms were seeking multi-million pound policies to help them rebuild if their computers and power-generation networks were damaged in a cyber-attack.
"They are all worried about their reliance on computer systems and how they can offset that with insurance," she said.
Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out.
Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks of hardware that can span regions or entire countries.
Unfortunately, said Ms Khudari, after such checks were carried out, the majority of applicants were turned away because their cyber-defences were lacking.
"We would not want insurance to be a substitute for security," she said.
What was not clear, she said, was why firms were suddenly seeking cover in large numbers.
Although many governments had sent warnings about the threat from hackers, attackers and hacktivists to utility firms and other organisations running critical infrastructure, none had mandated them to get cover.
"I think what's behind it is the increase in threats and the fact that a lot of these systems were never previously connected to the outside world," she said.
Mike Assante, who helped develop cyber-security standards for US utilities and now helps to teach IT staff how to defend critical infrastructure including power networks, said it was "unfortunately not surprising" that insurers were turning away energy firms.
Power generators and distributors had struggled with the complexity and size of the networks they managed, he said. In addition they had found it hard to find and recruit staff with the specialist skills to defend these systems, he added.
"There have been a number of incidents that have caused company leadership to re-evaluate their risk and develop strategies to mitigate it," he said in an email to the BBC.
Financial pressures and the ability to manage systems remotely were inadvertently giving attackers a loophole they could slip through, said Nathan McNeill, chief strategy officer at remote management firm Bomgar.
Trying to cut costs by linking up plant and machinery to a control centre so they could be managed remotely meant those systems were effectively exposed to the net, he said.
"If something has basic connectivity then it will become internet connectivity through some channel," he said.
This left critical infrastructure exposed, he said, because typically the control systems for such hardware were written long before the web age and had only rudimentary security tools.
Known as Scada (Supervisory Control and Data Acquisition), this software has come under increasing scrutiny by security researchers who have exposed many flaws in it.
In addition, added Mr McNeill, it was often very difficult to update the core code in many Scada systems to close loopholes that attackers had slipped through.
Ed Skoudis, who runs "war games" for IT and security staff at many US utilities, said the number of attacks on Scada and other control systems was escalating.
Malware was being written just to get at particular vulnerable elements in the infrastructure run by many utilities and manufacturers, he said.
Some attackers were just curious but others were thought to be carrying out reconnaissance in service of some future event.
US power companies had begun sharing information about attacks so everyone knew about all the threats to them, said Mr Skoudis.
"However," he added, "it's surprising no big incident has happened given how weak the infrastructure is. It's very hackable."