Catching Up on Cybersecurity

Plenty has already been written about the symbolic — and practical — implications of the cyberattack that incapacitated the Colonial Pipeline this month: Critical energy infrastructure is, well, critical. The outage is a good reminder that energy security is as much about deliverability as it is about supply, and optionality always has value when it comes to getting the right type of product to the right place at the right time. Clearly optionality around delivering refined products to the mid- and southern-Atlantic seaboard is limited — that has long been the case, and this outage has resuscitated conversations about things like strategic product reserves, EPA fuel quality waivers, and how, when, and why to grant Jones Act waivers. Amid the reviews of some of these perennial themes that crop up whenever there is an energy supply chain disruption — whatever the cause — there has also been a chorus of calls for “better” cybersecurity measures at energy companies and installations, or even government oversight thereof. But what does that really mean?

Digitization has already transformed the energy industry in ways that would have been hard to conceptualize a decade or two ago, and it is fair to say that cybersecurity hasn’t always kept pace. Back in 2017 — five years after a significant and well-publicized cyber attack on Saudi Aramco, and before the distraction of the energy price collapse — a Ponemon Institute survey of the US industry indicated that about two-thirds of oil and gas companies had experienced at least one cyber breach and about two-thirds of respondents deemed internal protections or security to be inadequate. Even though the industry’s digitization and data management requirements continued to increase exponentially, a 2019 survey by Ernst & Young still found that 60% of respondents from global oil and gas companies acknowledged having a significant recent cybersecurity breach and 95% still felt that their “existing cybersecurity function did not meet their organization’s needs”. Since then, the global pandemic has only complicated matters — and likely distracted decision-makers once again from focusing more comprehensively on cybersecurity.

But cybersecurity is a risk management issue and risk management is something with which oil and gas companies are actually quite experienced. Any type of risk management can be broken down into three key steps: quantify, mitigate, and insure.

Step 1: Quantify the potential costs of cybersecurity breaches compared to the expected benefits of increased digitization.
There is a wealth of literature detailing how much value digitization has added all along the oil and gas supply chain, from improving drilling performance to optimizing distribution. But the same EY survey cited above found that 97% of respondents indicated that their companies do not evaluate the financial impact of every cybersecurity breach, so it is equally unlikely that they have attempted to fully quantify the yet-unrealized financial and reputational costs from theoretical future breaches. Identifying all of the touch points vulnerable to cyber attack and quantifying the cost of their interruption is part of understanding the value proposition of digitization.

Another step would be to compare the costs and benefits of maintaining redundancies that would prevent or shorten business interruption in the case of a cyber attack. Maintaining segregated backups of critical data is one example. Additionally, parts of the Colonial Pipeline have been in operation since 1964; the pipeline had a long analog life in a pre-digital world. What prevented Colonial from reverting quickly to its old ways? Was it hardware? A lack of qualified personnel?

Generally speaking, are the costs of maintaining redundancies less than the costs of cyberattack(s)? Not necessarily in every case, and that is where there may be a role for government in mandating and/or facilitating contingencies where installations are deemed critical to national security or market stability.

Step 2: Mitigate the risk of both sophisticated and “mundane” cybersecurity breaches by budgeting for adequate resources to establish and enforce effective internal controls; ensure that board level expertise is in place to support these efforts.

Cybersecurity breaches can range from the sophisticated to the mundane. And the fact is that many are still pretty mundane — the result of a careless or unaware employee falling for something like a phishing email. A more nefarious, though not necessarily more sophisticated version of this would be a deliberately malicious employee or contractor. Most companies have had employee training and internal controls such as firewalls, virus scans and restrictions on external devices in place for some time, though some policies may be more comprehensive and effective than others and in all cases these protocols require frequent reviews and updates. And changes in circumstances — one big example being the shift to remote work in response to the COVID-19 pandemic — require a reassessment of policies and protections.

More sophisticated cybersecurity breaches often have to do with weaknesses built into the software used by companies. All software is built out of many code components, or building blocks — and in almost all software at least some of those building blocks are “open source”. The advantage of open source code is that many developers have worked with it and ostensibly improved it, and as a result other software developers don’t have to repeat every step for use in other applications — open source is a highly efficient shortcut. The downside is that a known or unknown vulnerability can still be embedded. End users — or even vendors — of a given type of software may not be aware of what open source “ingredients” went into the final product, and there may be a vulnerability baked in the cake, so to speak.

These types of cybersecurity breaches have been on the rise (and, like mundane breaches, are by no means unique to the energy industry). In response, one strategy (detailed here in the context of government IT security) is to require that all software come with a “software bill of materials” so that the purchasing entity knows exactly what components their software includes and can more quickly scan that list of components when new bugs are identified.
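The "scan that list of components when new bugs are identified" step above, as an added example that is not code from the original article or from any vendor: a small matcher that reads a CycloneDX-style SBOM and checks each component against a list of advisories. The component names, versions and advisory IDs are constructed placeholders, not real packages or CVEs; the matcher assumes advisories give a half-open affected range [introduced, fixed).

```python
"""Match a software bill of materials (SBOM) against newly published advisories.

Added example. The SBOM and advisory records are constructed for illustration;
the component names and advisory IDs are placeholders, not real packages or CVEs.
The SBOM uses the CycloneDX JSON layout: a "components" list of name/version.
"""
import json

# Constructed SBOM for a hypothetical pipeline SCADA historian application.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-logging-lib", "version": "2.9.0"},
    {"name": "example-tls-lib",     "version": "1.0.2"},
    {"name": "example-opc-client",  "version": "3.4.0"}
  ]
}"""

# Constructed advisory feed. Affected range is [introduced, fixed): the
# "fixed" version itself is safe, everything from "introduced" up to it is not.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "example-logging-lib",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-002", "component": "example-tls-lib",
     "introduced": "1.1.0", "fixed": "1.1.1"},
]

def parse_version(v):
    """'2.9.0' -> (2, 9, 0). Tuples compare numerically; plain string
    comparison would wrongly rank '2.9.0' above '2.15.0'."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def match_sbom(sbom_json, advisories):
    """Return (component, version, advisory id) for every vulnerable SBOM entry."""
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits

if __name__ == "__main__":
    for name, version, adv_id in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Run against the constructed data, only example-logging-lib 2.9.0 is reported; example-tls-lib 1.0.2 sits below the affected range and is correctly skipped.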

But for effective protection against either the sophisticated or the mundane, cybersecurity really needs to be adequately resourced and requires C-Suite buy-in as well as board-level oversight. It could be argued that a company is not actually taking a risk seriously until its board of directors includes someone with substantive knowledge of that risk. And, similar to any other type of risk — particularly a relatively novel and dynamic one — addressing cyber vulnerability is a heavier lift for smaller companies and may require them to tap outside expertise.

Step 3: Insure or hedge against residual risk that either can’t be known or can’t be mitigated.

In late 2020, Jones Walker LLP published another survey — this one specifically of North American Midstream oil & gas companies — that provided fascinating detail of companies’ cyber vulnerability mitigation efforts. Companies have taken many steps to protect themselves but also still have quite a lot more work to do. One of the most interesting findings of that survey, though, was that only about one-quarter of the companies sampled carry cyber insurance.

Like cybersecurity risk, cyber insurance is not unique to any one industry, although there are some aspects that are specifically relevant to the oil and gas world. As cybersecurity attacks become more frequent and more ubiquitous, cyber insurance in general has gotten more expensive and underwriters are requiring the implementation of more stringent mitigation measures before writing policies — underscoring why Step 2 is so important.

Because there is some overlap, but also some gaps, between what may be covered by cyber insurance and what may be covered by other types of insurance policies that an oil or gas company already carries, it is important to tailor insurance products to the specific risks of the company in question. In this article for the American Oil & Gas Reporter, Hunter & Williams LLP gives an excellent overview of the types of cyber insurance oil and gas companies should consider, and how to plug some of the coverage gaps that may go overlooked. For example, the source of a cyber breach could be a crime committed by an employee, or (if committed by a state actor) be considered an act of terrorism. Cyber insurance policies may exclude claims stemming from those types of attacks by default. Cyber insurance is evolving and highly specialized, and requires a specialized design to be effective.

Any type of company would face financial costs from a cyber attack (stemming from, for example, compromised personal or proprietary data, or manipulation of information that would impact the company’s stock price). But, as Hunter Williams observed, the oil and gas industry also relies on a complex, integrated, and increasingly digitized supply chain — one that involves many different parties that are implicitly exposed to (and potentially liable for) the cybersecurity risks of every other party. And many of the functions of the oil and gas industry that are vulnerable to cyber attack have physical implications in addition to purely financial ones, and that is not always the case in other sectors. Property and people can get hurt if something goes badly wrong with an oil or gas installation, and so can the environment. As specialist insurance distributor Amwins explained, traditional cyber insurance typically does not cover physical consequences of a cyber attack.

It is tempting to call the Colonial Pipeline cyber attack a “wake up call” for the industry, but really energy companies have been well aware of cyber vulnerability for years. There has been a lot going on: besides the advent of industrial digitization and electronic trading, there was an industry-altering shale gas and tight-oil supply boom, sharpened focus on climate change as an existential risk, and, most recently, a global pandemic that served as a dress rehearsal for peak long-term oil demand. But now is the time to formalize and systematize what may previously have been reactive or patchwork efforts at some companies to combat cyber vulnerability.
