Energy Firms' Cybersecurity Is So Bad They Can't Get Insurance

A UK insurer said it turned down the majority of companies because their defences were too weak.

Malevolent hackers looking to cause havoc couldn’t find a much better target than the energy grid. In our electrified world, power is pretty vital in delivering even the most essential services, and is the backbone of other indispensable sectors to boot. But when it comes to cyberattacks, confidence in energy companies’ abilities to protect their critical systems appears to be lacking.

In a report today, the BBC revealed that UK energy firms are being denied insurance against cyberattacks because their defences are too weak. They spoke to underwriters at Kiln Syndicate, which offers cover via Lloyd's of London.

When companies apply for cover, the insurance firm assesses what measures they have in place to safeguard against attacks—and they said that in the majority of cases, they’ve turned down applicants for not doing enough. As underwriter Laila Khudari told the BBC, “We would not want insurance to be a substitute for security.”

While that’s likely partly to cover the insurers’ backs—they don’t want to be faced with huge payouts if huge damages were actually to occur—it’s also in the public interest. Insurance companies can help systems recover financially after a breach, but it’s not in their remit to prevent attacks happening in the first place. And I know which I’d prefer.

Part of the reason this news is coming out now is probably because more energy companies are actually realising the full danger of cyberattacks and so are seeking insurance in this area for the first time. In some ways, it’s a good thing that they’ve finally recognised the threat. Then again, it’s perhaps more worrying that they didn’t think to insure against such attacks before. Or build adequate defences against them.

While the threat of cyberattacks on the power industry across the world isn’t new, it’s certainly grown over the past few years, and with the increasing pressure the companies involved are no doubt keen to safeguard against “what if?” scenarios.

In a 2013 report, US congressman Edward Markey warned that “the electric grid is the target of numerous and daily cyber-attacks.” President Obama said in a statement this month on the subject of critical infrastructure that “cyber threats pose one of the gravest national security dangers that the United States faces.”

In the UK, security expert Chris McIntosh said last year that Britain’s energy infrastructure was at risk of shutdown from cyber attacks, especially after an invitation for Chinese companies to run UK nuclear reactors. “We need to have new regulations that dictate that energy companies introduce security systems that protect operational networks from attack,” he said.

Just this month, we reported on the complex Careto malware, a very sophisticated virus that has apparently been propagating since 2007 and that targets major power brokers—including companies in the energy sector. Cyberattacks on energy firms are a very real threat, and it looks like they might have woken up to that.

Khudari also suggested to the BBC that changes to the energy companies' systems might have made them more vulnerable. “I think what's behind [the increase in applications for insurance] is the increase in threats and the fact that a lot of these systems were never previously connected to the outside world,” she said. While companies might have previously sought insurance for digital crimes like stolen customer information, they’re now seeking huge policies in case their actual computers and power networks are damaged.

Let’s just hope the firms are rushing to improve cyber defences with as much haste as they’re running to insurers.