By Danny Palmer
The industrial control systems used by energy and power suppliers are so vulnerable to cyber attacks that it’s only a matter of time before hackers succeed with a major attack.
That’s according to a research paper by Marsh Risk Management titledAdvanced Cyber Attacks on Global Energy Facilities, which suggests the widespread adoption of internet-based control systems – designed to cut costs and improve efficiency – are leaving energy providers vulnerable to cyber attacks.
The research paper suggests that this has resulted in a disproportionate number of cyber attacks made against the energy sector as hackers and cyber criminals attempt to exploit what could be a huge vulnerability.
“Although the global energy sector has yet to experience physical damage to facilities or disruption to supply as a result of a cyber-related event – publicly, at least – the disproportionate rate at which it is targeted for cyber attacks makes it appear only a matter of time before this trend is broken,” reads the report.
Commenting on the launch of the paper, Andrew George, chairman of Marsh’s Global Energy Practice, warned that the resilience of hackers is a risk to security in the sector.
“Open ICS have integrated controls that are linked with other information technology networks, giving hackers the opportunity to gain access through back doors and exploit system weaknesses to their advantage,” he said.
“The resiliency [of the global energy sector] to date is certainly not due to a lack of effort on the part of hackers. Several energy firms have suffered attacks originating from malicious software or viruses, which have disrupted production and destroyed computer hardware,” George continued.
“A successful attack on computer control or emergency shutdown systems, even at a small refinery, petrochemicals or gas plant, could result in estimated maximum loss as a result of fire or explosion worth hundreds of millions of dollars,” he added.
The Marsh Risk Management report recommends greater collaboration between firms in the sector as part of a solution to protect against the threat of cyber attacks.
“It is imperative that energy companies consider the risk of cyber attack as an inevitable one, and focus on preparing scenarios to identify, respond, and contain any attacks accordingly,” the report concludes.