Cyber security and energy

The energy sector is a target for cyber-attacks, as can be seen from the attack on Saudi Aramco in 2012 through to the recently discovered “Trisis” malware. The latter, reportedly created by nation state actors, disables safety measures built into industrial control systems and was discovered in a Middle Eastern petrochemical plant. It is believed to be the third publicly known attack on industrial control systems (the first two being the Stuxnet malware affecting nuclear centrifuges in Iran in 2010 and the attacks on the Ukrainian power grid in 2015).

The increasing interconnection of the energy sector creates additional complexity in cyber security management, particularly through the challenges of managing cyber security risk in the supply chain. The digitisation of the sector including the increase in web-connected devices such as smart grids and smart meters, whilst providing exciting innovation opportunities and increasing efficiency, is making it both more challenging and more important than ever to confront cyber security.

Legal, regulatory and operational risks

Businesses are increasingly faced with potential legal liabilities arising from cyber incidents in contract, in tort or through regulatory enforcement, and energy companies are updating and developing their cyber incident response plans to reflect the increased legal, operational and technical risks they are facing. Where operational security is compromised, there is also a risk of environmental damage, physical damage to property, and personal injury or loss of life.

Regulatory obligations often have a bearing on cyber security, such as the regulatory obligations under the Gas Act 1986 and the conditions imposed in licences granted by Ofgem for the transportation and supply of gas. Gas transporters are required to develop and maintain an efficient and economical pipe-line system and gas shippers, suppliers and interconnector operators are required to share information with gas transporters to ensure the safe, secure and efficient operation of pipe-line systems.

In light of recent cyber incidents, and the significant risks posed to gas infrastructure, in order to discharge these obligations businesses involved in the supply and transportation of gas will need to consider (i) whether their cyber security management systems, including management of cyber security risk in their supply chains, are robust enough to detect, prevent and manage cyber security risk; (ii) the extent to which they are required to share information about those management systems with other market participants; and (iii) whether their actions could have any prejudicial effect on other market participants.

The increasing integration of businesses’ IT and operational systems with other companies in their supply chain increases the attack surface for would-be hackers. Businesses are allocating responsibility for dealing with cyber security, and liability in the event of an incident, by including cyber security terms in contracts with customers and suppliers. However, businesses are recognising that the allocation of liability is not enough – it is far better to engender the right cyber security behaviours in the supply chain in order to avoid incidents in the first place.

New legislation

Governments around the world are legislating new requirements for minimum standards of cyber security. In the EU, May 2018 will see the General Data Protection Regulation (GDPR) and Network and Information Security Directive (NISD) come into force. Whilst energy companies should be aware of the GDPR as it imposes requirements on all companies processing personal data and imposes significant fines for non-compliance (up to 4% of global turnover), NISD is aimed at operators of ‘essential services’, a designation that will capture many energy companies including electricity generators and transmitters and companies involved in oil and gas production and distribution. NISD requires member states to introduce policy and regulation to achieve a high level of security of network and information systems, require reporting in the event of incidents and enforce an ‘effective, proportionate and dissuasive’ sanction regime.

In the UK, draft implementing regulations for NISD are expected to be published shortly; the initial deadline for implementation is 9 May 2018. The NCSC has issued guidance, which the sectoral regulators are expected to adopt, that takes a principles-based approach to cyber risk focused on four high-level objectives: managing risk, protecting against cyber-attacks, detecting attacks and minimising the impact of incidents.

Businesses with cross-border operations will need to become familiar with individual member states’ implementations of NISD, and other legislation outside of the EU, and be alive to the possibility that non-compliance could lead to liability in multiple jurisdictions.

What does the future hold?

The 2015 cyber-attack on the Ukrainian power grid and the attack on a petrochemical plant have highlighted the significant threat of a cyber-attack on the energy sector. The threat from cyber criminals, state actors and hacktivists is not going away: energy businesses need to keep ahead of the curve.