the risk to power & renewable energy companies
Introduction – effective cyber risk management no longer optional!
Delivering cyber resilience is a core part of effective corporate governance for power and renewable energy companies. Senior management needs to understand the importance of a cyber strategy, and that any failure to properly address this evolving issue can lead to corporate risk management failure and ramifications at board level.
We are beginning to see more cyber-attacks in the news, and this is cause for concern. These incidents have been unpredictable and quick to develop, while at the same time growing in sophistication. Physical damage, business interruption (damage and non-damage related) and breaches of data resulting from cyber-attacks are a reality. No matter if you are involved in generation, distribution or retailing – you should be aware of your exposure and have a plan in place to manage it.
A physical risk – “it’ll never happen to me”
The specific evidence for real world physical damage and the resulting business interruption from a cyber incident in the power industry is hotly debated. However, the Stuxnet computer virus and the recent attack on a German steel mill showed that physical damage is possible through affecting operational technologies.
Even now some view the risk as negligible, that it won’t happen to them, or their controls are too strong. Certainly critical power assets have control islanding that is independent from enterprise systems. But now, as The Industrial Internet of Things (TIIoT) network grows, we are seeing greater interconnectedness at all levels and between organisations. This is being enabled through the growth of Supervisory Control and Data Acquisition/Industrial Control Systems (SCADA/ICS) sensors and operational technology devices which have internet connections or are linked to enterprise networks.
Non-physical risks: a warning from Ukraine
There does not need to be physical damage for significant losses to be incurred from a cyber-attack. In 2015, an attack on Ukraine targeted power stations, grid connections and industrial SCADA systems, resulting in large scale blackouts for over 6 hours. The following year Ukraine was targeted again with malware – this time through infected tax software. This malware spread and migrated out of the country to many different industries and countries around the world, causing monumental disruption and financial loss.
93 million people without power?
A Lloyd’s of London study¹ further brought cyber closer to home, albeit in a theoretical sense. The report depicted a cyber scenario whereby hackers shut down parts of the US power grid, causing 93 million people to lose access to power – a doomsday scenario but a possibility. Even this year the FBI and the Department of Homeland Security warned of increasing cyber-security risks to the US energy system.
What is concerning is that cyber experts expect companies to get attacked and barriers breached. They advise a need to focus on tracking and stopping attackers once they are in. No matter how good firewalls and security are, controls will at some point fail.
Surely renewables aren’t a target?
A common misconception is that you need to be targeted for cyber risk to materialise. This is not the case; as we saw with the malware weapons WannaCry and NotPetya, cyber-attacks are often untargeted.
But should we consider renewable energy assets as a primary target by threat actors? Renewable energy companies may take the position that cyber risk is primarily stemming from political issues and hackers wouldn’t have interest in directly targeting their assets; they’d rather go for a conventional power plant. However this year we have seen activist groups physically attacking wind turbines and burning them to the ground. It’s doubtful that many people expected that - what’s to stop them taking the cyber route? Why not take down the entire farm in one go?
Researchers have already developed three proof-of-concept attacks (types of malware), demonstrating how hackers could exploit wind farm systems. The question is: once they have control, what can they do? They could over-speed the turbine by adjusting operating parameters, turn off the brakes in a storm, even apply the brakes aggressively to build up heat and start a fire.
Concerns around the supply chain
New suppliers and entrants to the renewable energy market have introduced new access points for cyber risk into the industry. Developers of renewable energy projects are facing the realisation of this risk in their supply chain across both their suppliers and customers. Examples to consider are the outsourcing of O&M services, and reliance on third party substations to export power. There is a need to ensure that these are operating with top quality cyber hygiene. Otherwise an incident could result in unexpected downtime to the asset and subsequent financial loss.
In last year’s Power Market Review we stated that cyber risk, at its core, is a people risk. But this is not just a risk with your own workforce; it’s a people problem across your supply chain. As such, companies need to beware of direct infiltration via contractors where systems are vulnerable to both malicious and accidental intervention.
For example, a disruption and resulting physical damage during the construction of a concentrated solar power plant was the result of a failure in the ICS, allowing a contractor to bypass critical control features. This was blamed on a lack of coordination between the owner and contractor teams.
Getting to grips with cyber risk
For power companies, the challenge of cyber risk begins with understanding the different cyber triggers and each step of the ensuing process that could eventually cause physical and/or financial loss. The question then arises of whether they have the plan and insurance programme in place to mitigate this.
A further challenge is that companies often don’t know how best to allocate resources to a cyber resilience strategy. In general terms, there needs to be a mix of technical partners to collaborate and deliver solutions, and no one company is equipped to do all of this. A robust cyber strategy needs an integrated and technical approach, complementing consulting with risk transfer.
Of course, power companies have different operating business models and the approach needs to be bespoke. A pure power generating company such as a gas fired power plant or wind farm will be primarily exposed to operational impacts and therefore concerned with the security of its assets and its ability to supply energy to the grid. A retail energy company with extensive customer operations should be concerned with servicing its customer base, and the personal information which is held on its systems. Diversified power companies are more complex, but the fundamentals are the same.
The five key steps
We would suggest that the key steps to approaching cyber risk are:
Clients in both renewables and conventional power are already engaging with their risk intermediaries to:
Insurance market cyber cover
In conventional insurance policies, cyber risk is currently being excluded through a variety of different clauses, each with a different intent and impact on the cover available to a power company. If a renewable energy company is relying on its current insurance policies to respond in the event of a major cyber incident, it will be critical that it knows whether it has a cyber exclusion and what it would mean for its business in the event of a cyber-attack.
As a result of this stance from the conventional market, cyber is being pushed towards specialist insurers and products. Traditional cyber products are concerned with the data and privacy aspect, while non-traditional products focus on the physical property damage and non-damage business interruption elements. These products further allow cover for fines and penalties (where insurable by law), the failure to supply, and replacement power from the spot market.
From a capacity standpoint, the largest cyber structures (utilising specialist markets) have reportedly surpassed the US$600 million level across multiple covers. This may not seem like much, but it is growing quickly at around 10% year on year. However, for the right risk, with optimal structuring, and by utilising the right combination of both cyber and property markets, total achievable capacity could be close to the US$1 billion mark.
An enterprise approach to cyber resilience
Effectively addressing the challenge of cyber risk requires an enterprise wide approach. The risk exists across many different parts of the business, and this is part of the challenge - it cannot be looked at in isolation. A risk manager in the power industry needs to:
Myles Milner is an Account Executive in the Renewable Energy division at Willis Towers Watson in London.
¹ https://www.lloyds.com/news/national/2015/07/08/374402.htm