The City of London-based Willis Group, one of the world’s largest insurance brokers launched its annual Energy Market Review on Tuesday, with a particular focus on cyber security for the market.

While much of the publication deals with the specific challenges facing insurers in the current energy market and in particular the oil and gas sector, there is much of relevance to power generation interests, in terms of potential costs to businesses.

In its foreword, Global Head of Willis Natural Resources, Mr AJC Rivers says, “a new and highly ominous threat has emerged onto the energy industry risk landscape – the risk of a catastrophic loss resulting from a cyber-attack. Alarmingly, this risk is currently excluded from most energy insurance policy forms. Although we can now detect the beginnings of a market for this critical risk, much more needs to be done to bring cyber, political violence and energy underwriting expertise together to forge a product that will truly meet the needs of the industry.”

In what may be seen as having implications for global power generation, the report highlighted the increasing effect cyber-attacks have on the energy industry in general.

“Globally, it is estimated that cyber-attacks against oil and gas infrastructure will cost oil and gas companies $1.87bn by 2018. In the US, 40 per cent of all cyber-attacks on critical infrastructure assets in 2012 occurred against the energy sector and the UK government estimates that oil and gas companies in the UK already lose approximately £400m every year as a result of cyber-attacks.

The report shows that the percentage of European board members who see cyber security as a significant risk has risen from 53 per cent in 2013 to 76 per cent this year, a statistic taken from an annual survey by Zurich on cyber risk management practice in Europe.

An example of one recent attack was the Stuxnet virus, which targeted Iran’s uranium enrichment centrifuge capability, destroying 20 per cent of by infecting the Siemens Step 7 software, which drove the system.

Chris McGloin of Invensys said, “Could it have caused a significant event outside of Iran? Yes it could have caused a major power station to be shut down with significant consequences.”

The Stuxnet virus, which has shown itself to be more than capable of evading the smartest security technologies, and has demonstrated the threat it poses to energy infrastructure anywhere according to the report.

Another virus, known as Shamoon, has particularly affected major energy companies operating in the Middle East. Although no lasting damage was done, one state-owned utility saw 30,000 of its computers infected, ‘with considerable loss of data and productivity.’

The review also features a chapter on the threat of global terrorism and political violence to energy infrastructure, and geographically the particular threat posed by these to the Middle East Africa and Central Asian regions. Iraq comes in for special mention as remaining vulnerable.
“While western employees have yet to be killed, the threat has certainly increased and any exodus of the international energy sector would seriously undermine the Iraqi regime,” the report says and also noting that cyber-attacks were on the rise in the Middle East. “53 per cent of attacks in 2013 were against the energy sector; in some cases resulting in expensive outages… critical energy infrastructure is an attractive target for terrorists seeking physical, economic and environmental damage.”

Finally speakers at the launch acknowledged that the present situation in Russia sees a potential exposure for investment assets, for all sectors including energy. Managing Director of Willis, Justin Blackmore told the audience, “It will be fair to say that from an insurance point of view there are no immediate implications. We will work it out if sanctions come in, and apply relevant sanctions clauses. It is not yet a major issue.”

The increasing awareness of cyber threats comes a week after a US Department of Homeland Security warning that it had discovered a substantial increase in bugs in software used to run oil rigs, refineries and power plants. The announcement has prompted a global push to patch the widely used control system.

The bugs were found by security researchers and, if exploited, could give attackers remote access to control systems for the installations.

For more power generation business news