
Insurance companies denying energy firms cyber-insurance

03 March, 2014
Industry analysts have commented on the recent news that energy companies in the UK will be refused insurance due to having weak cyber defences.

According to underwriters at Lloyd’s of London, there has been a significant increase in the demand for insurance by energy companies to mitigate against cyber threats. However, inadequate defences in the industry are being cited by insurance companies as a reason for denying cover.

Privileged account security

Because the potential for attacks to bring chaos to critical infrastructure is a very real issue rather than a hypothetical one, the refusals to offer cover come as no surprise to Matt Middleton-Leal of CyberArk. High-profile attacks in recent years, including Stuxnet and Shamoon, should be raising the profile of the threat and the need for security, particularly privileged access management, according to Matt.

He told us: “Attackers looking to infiltrate any organisation’s networks almost always look to take control of the most powerful accounts and access points – privileged user accounts. In the case of critical infrastructure, hackers are aided by SCADA and other Industrial Control Systems (ICS). Flaws in these systems, such as the existence of unmanaged, poorly secured or shared privileges and other administrative accounts, further compound the security risks. These access points provide the opportunity for attackers to gain widespread access to vulnerable networks.

“With this in mind, energy and utility companies must ensure that they are safeguarding their critical assets and mitigating the risk of attack, by taking a layered approach to data security. This means securing traditional IT systems, SCADA, ICSs and their process controllers with a centralised system capable of controlling, managing, monitoring and reporting on all remote and privileged account access. While cyber insurance is undoubtedly a good idea, given the catastrophic financial implications of an attack, the worry is that it will become another fall-back position, allowing companies to remain dangerously complacent regarding the threat to their business.”

Protection through continuous monitoring

Ross Brewer of LogRhythm was similarly unsurprised by the reaction of the insurance industry. Ross reflected the concern expressed by insurers that cover is being seen as a substitute for adequate protection. Such protection is of particular importance in critical infrastructure facilities such as energy and utilities companies.

Ross commented, “It is clear that there is a miscommunication somewhere. The government and other organisations have been very vocal about the rising cyber threat, yet companies are still not doing enough to protect their systems. It is now essential that every business up and down the country has the mechanisms in place to proactively identify threats, respond and expedite forensic analysis in real-time.

“Simply focussing on securing the perimeter is now as effective as securing your house with a moat. If someone wants to get in, they will. The only way to batten down the hatches is through monitoring all IT systems and data continuously and, from there, creating a baseline of ‘normal’ activity so any anomalous behaviour is immediately identifiable. While insuring against cyber attacks may now be a sensible route to take, it should simply be viewed as a precaution, not an alternative to boosting traditional cyber defences.”

Layered defences

Preventing attacks is certainly better than insuring against the consequences, but the problem may be that security systems are not being deployed with adequate care. More than 7 out of 10 security professionals don't trust their security programme, according to Websense. The only way to overcome this, according to Andy Philpott of Websense, is to ensure defences are fit for purpose by creating a layered approach that cuts across the threat kill chain and is effective at all stages of an attack.

Andy commented, “It’s an inevitability that a determined and targeted attack will eventually be successful, but it’s how you deal with it once it’s inside your network. Many evasion techniques are used to easily bypass traditional security defences. The best insurance would be to test, test and test your security; understand where the weaknesses lie and have real-time security able to analyse malware on the fly. Most importantly, put data leak prevention at the core of your business so that even if an attacker gets in, they will not be able to steal any data. Security can never be ‘set and forget’ and needs to be at the forefront of a company’s mind at all times for any chance of ensuring security effectiveness.”

A holistic approach to security operations

Developing a fully comprehensive system of protective security in utility companies will certainly not be an easy process as many are based on legacy systems, according to Tony Burton, the business lead for critical infrastructure protection at Thales UK.

“Legacy systems which were often built before the internet existed”, he told us, “were simply not designed with the levels of interconnection and security threat we see today. Even systems that have remained isolated from the internet and business IT systems are vulnerable to threats that can ‘leap the air-gap’ via process, people and physical (USB stick) vectors. Energy firms and other areas of CNI are beginning to face up to this challenge and are increasingly recognising that good security is good business. The insurance issue and contingency holdings are prime examples of how good security can have a positive effect on the bottom-line results of these companies. However, the security of these operations is not a simple challenge and this is what the insurers are beginning to recognise.

“The options to simply change software to a more up-to-date version, implement patching or install firewalls/gateways and intrusion detection systems are not always available due to the potential introduction of instability or inherent integration problems. Specialist domain expertise is therefore needed to fully secure these legacy and new systems through a combination of physical, process, people and cyber security measures that will adequately protect against cyber and physical intrusions. Energy firms need to commit to investing the time and money in this holistic approach to the security of their operations in our interconnected day and age, and only then will they restore confidence from prospective insurers.”

Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.
