UK energy companies refused insurance due to inadequate cyber defences

The cyber defence systems of UK energy firms are so weak that insurance companies are actually refusing to offer them coverage, according to the latest reports.

Underwriters for Lloyd's of London have said that a "huge increase" in demand for insurance of energy companies' security systems has been met with blank stares. That's because surveyors for the insurance giants have deemed the protection inadequate.

Laila Khudari, an underwriter at the Kiln Syndicate, told reporters that many syndicates had provided cover for data breaches for years, offering to help companies recover if attackers penetrated networks and stole customer information.

But it's only in the last few months, she said, that the same firms who turned those policies down are seeking multi-million pound policies to help them rebuild if their computers and power-generation networks are damaged in cyber-attacks.

"They are all worried about their reliance on computer systems and how they can offset that with insurance," she said.

However, the majority of applicants have been turned away because their cyber-defences were lacking.

This is especially worrying news, as energy firms are increasingly seen as some of the main targets for cyber attacks, especially in the hypothetical scenario of nation-on-nation cyber war.

US energy companies came under attack early last year, with the US government blaming Iranian state-sponsored hackers. US oil and gas operations also came under strain in June of 2013 as cyber attacks against their networks sought to bring their functions to a standstill.

One of Israel's major infrastructure hubs was also shut down by a cyber-attack in September. Haifa's Carmel Tunnels were targeted by a Trojan that nearly shut down the city, and brought home the reality of the potential of cyber warfare to the world.

It's not even like the UK government isn't taking the threat seriously: the Ministry of Defence recently announced the formation of a Joint Cyber Reserve, an elite unit staffed by reservists, with the aim of protecting the UK's critical infrastructure and even conducting strikes against hostile agents in cyberspace.

But with the latest revelations surrounding the weakness of our energy companies' defences, will this be enough to secure the nation's critical infrastructure when cyber warfare is used against the UK for the first time?

Chris McIntosh, CEO of ViaSat UK, told ITProPortal that "Energy firms seeking insurance against cyber-attacks shows the vulnerability of our critical infrastructure is finally hitting home."

"However, insurance is only a plaster over these underlying weaknesses," he said. "Organisations need to act now to protect the network and address the unique nature of interconnected real-time control systems. Encryption of data in transit and rigorous authentication protocols, for example, should become de rigueur. Unless energy companies demonstrate they are taking the necessary precautions, insurers will keep them at arm's length; public trust will fall; and the resilience of the country's critical national infrastructure will inevitably suffer as a result."

In January, scientists at the University of Michigan published a paper in which they defined an algorithm capable of predicting cyber attacks by nation states, and sought to outline the basic principles underlying tactics in the cyber realm of warfare.

Image: Flickr (steve p2008)