Cyber Risks in Marine and Offshore Energy: Munich Re consultant Markus Wähler warns of growing dangers, By James Brewer
Every ship has a ‘back door’ vulnerable to cyber attacks – its communication lines. A successful attack on a ship is currently of low probability, but the industry must prepare for the type of threat that has played havoc with parts of the offshore energy sector, Markus Wähler, marine consultant with Munich Re – Global Marine Partnership, has warned.
Addressing the challenge in insurance terms called for a case-by-case approach, because cover is often restricted or removed by the London market’s CL 380 cyber attack exclusion clause, he said.
In a presentation to the International Union of Marine Insurance, Mr Wähler offered a chilling overview of the opportunities that automation of operations, navigation, engineering and other systems in marine and offshore energy has lent to hackers.
He listed some of the worst malware attacks of recent years, including the computer worm Stuxnet from 2007-2010; Night Dragon, a hacker operation against energy companies in 2010; the Shamoon/Disttrack virus let loose on companies in the Saudi Arabian oil and energy sectors in 2012; the spying and copying work Flame; and the espionage programme Duqu, successor of Stuxnet.
Since his IUMI talk in Hong Kong, the topic has flared up again in the form of a cyber breach in computers at Sony Pictures seemingly in retaliation for a movie mocking North Korean leader Kim Jong-un. This has caused widespread consternation, had the US administration classifying the hack as a national security issue, concluding it was the work of a “sophisticated actor,” had a financial impact on cinemas, and had experts divided as to whether Pyongyang was to blame.
Mr Wähler emphasised that regulators were paying increasing attention to cyber security. Estimates of the annual economic loss varied widely. According to McAfee it was between $300bn and $1trn; it was $350bn according to the European Crime Centre at Europol, the European law enforcement agency in The Hague; or $114bn according to The Fiscal Times, a US digital news service.
Every second of the minute, there were 18 victims, and the accounts of 10% of Facebook users were compromised every day, said Mr Wähler.
“We are always being told by underwriters: ‘what can happen, will happen,’” he went on.
According to the Willis Energy Market Review 2014, the estimated cost to the oil and gas industry of cyber crime would by 2018 be $1.87bn. Some 40% of all cyber attacks in the US on critical infrastructure assets in 2012 were directed against the energy sector.
Possible scenarios in offshore energy were business interruption of an offshore unit; manipulation or destruction of storage facilities and stored goods; interruption of the supply chain; manipulation of production; destruction of production; and oil pollution occurring as a result of the attack.
In the liquefied natural gas sector, interruption of the cooling process could allow the liquid to revert to the form of gas, escape through pressure valves and explode from just a little spark.
“The higher the degree of integrated technology, the higher the risk of successful infiltration,” said Mr Wähler. “The USB stick is the infiltrator of disease.”
With malware known as Night Dragon, since 2009 or even as early as 2005, hackers possibly from southeast Asia infiltrated networks of at least a dozen multinational oil, gas, and petrochemical companies as well as individuals and executives in Kazakhstan, Taiwan, Greece, Saudi Arabia and the US. Five firms confirmed the attacks.
Shamoon, a Trojan virus, had been used against Saudi Aramco, Saudi Arabia’s state-owned oil production company and the world’s largest oil producer. The company had its office systems taken down for 12 days, and 30,000 computers were damaged. Qatar’s RasGas was also attacked.
While a successful attack on a ship was still of low probability, the “escalation of this threat is already on the horizon,” said Mr Wähler.
The insurance industry could be impacted across all lines of business.
In non-marine, cover available for private and small commercial lines was limited, and there was no catastrophe cover for industrial business as a standard product.
“And why is it not covered?” he asked. “Typical marine and energy insurers are not cyber experts. The marine and energy insurance markets may have an aggregation issue with cyber risk. Losses resulting from cyber attacks are normally not automatically included in marine and energy reinsurance treaties, but left to tailor-made solutions.
“Hence our preference for the current market approach which is exclusion via Clause 380 Institute Cyber Attack Exclusion Clause.” This was a comprehensive and well-worded exclusion, with limited write-back for war and terrorism covers. It helped to protect against unexpected exposures.
With cyber exposure representing a significant risk for the marine and offshore energy markets, cover should only be provided by specialised underwriters and IT experts, said the Munich Re consultant.
Special underwriting and tailor-made products were indispensable, particularly for risk assessment, pricing, and accumulation control. “Special attention must be paid to the aggregation issues involved, for the underwriter to get a risk-adequate premium,” said Mr Wähler.
Meanwhile, the International Underwriting Association has reported that interest in the first meeting of its new cyber risk group was so great that the event had to be switched from the association’s office to a larger venue.