Ukraine Power Outage Caused by Cyber-Attack Raises Red Flag for Power and Utility Sector

A cyber-attack against a Ukrainian utility in December is the first such event known to have caused a blackout. The incident demonstrates the vulnerability of the power and utility sector to cyber-attacks.

Closer to home, the US, the Department of Homeland Security Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) responded to 295 cyber incidents in its fiscal year 2015, a 20% increase over 2014. The energy sector accounted for 16% of those, behind only critical manufacturing, at 33%.

As a critical infrastructure industry, power and utilities organizations have unique cyber risk exposures and responsibilities. In addition to IT security concerns, you must secure your ICS and supervisory control and data acquisition (SCADA) systems from cyber threats.

The cost of a cyber breach can be steep — and not only in monetary terms. The potential costs of a power grid interruption include reputational damage in addition to lost revenue, expenses to restore operations, and regulatory fines. Along with securing your systems, mitigating financial risk through insurance should be a key part of your defenses.

Consider the following issues:  

1. Operational systems and connections with data systems. Connections to various data systems need to be reviewed. For example, pipelines are often connected directly to the internet and to enterprise IT networks. Consider evaluating cyber insurance policies to ensure that they provide explicit coverage for operational systems.
2. Bodily injury and property damage.  At an energy company, systems that are not running correctly have the potential to cause catastrophic physical damage or bodily injury.  Insureds should seek clarity of coverage regarding physical damage caused by cyber perils.
3. Business interruption. A lengthy outage could cause substantial business income loss and related expenses. While a cyber event has yet to cause a significant insured business interruption loss in the power sector, the potential exists. This is an important consideration when evaluating cyber insurance limits.
4. Network security regulatory investigations. Regulators are likely to investigate any cyber-attack on critical infrastructure. Many cyber insurance policies only cover the costs of regulatory investigations following a privacy event. Consider obtaining coverage for regulatory actions as well as for fines and penalties following a network security breach.
5. Remote access. It’s crucial to limit remote access to your systems. Though most power and utility companies have focused on security and have implemented multifactor protections , ensure yours are sufficient.

Assessing your cybersecurity posture with outside professionals — including a review of your cyber insurance needs and coverage — can help protect your organization and keep the lights on for you and your customers.