Calendar An icon of a desk calendar. Cancel An icon of a circle with a diagonal line across. Caret An icon of a block arrow pointing to the right. Email An icon of a paper envelope. Facebook An icon of the Facebook "f" mark. Google An icon of the Google "G" mark. Linked In An icon of the Linked In "in" mark. Logout An icon representing logout. Profile An icon that resembles human head and shoulders. Telephone An icon of a traditional telephone receiver. Tick An icon of a tick mark. Is Public An icon of a human eye and eyelashes. Is Not Public An icon of a human eye and eyelashes with a diagonal line through it. Pause Icon A two-lined pause icon for stopping interactions. Quote Mark A opening quote mark. Quote Mark A closing quote mark. Arrow An icon of an arrow. Folder An icon of a paper folder. Breaking An icon of an exclamation mark on a circular background. Camera An icon of a digital camera. Caret An icon of a caret arrow. Clock An icon of a clock face. Close An icon of the an X shape. Close Icon An icon used to represent where to interact to collapse or dismiss a component Comment An icon of a speech bubble. Comments An icon of a speech bubble, denoting user comments. Comments An icon of a speech bubble, denoting user comments. Ellipsis An icon of 3 horizontal dots. Envelope An icon of a paper envelope. Facebook An icon of a facebook f logo. Camera An icon of a digital camera. Home An icon of a house. Instagram An icon of the Instagram logo. LinkedIn An icon of the LinkedIn logo. Magnifying Glass An icon of a magnifying glass. Search Icon A magnifying glass icon that is used to represent the function of searching. Menu An icon of 3 horizontal lines. Hamburger Menu Icon An icon used to represent a collapsed menu. Next An icon of an arrow pointing to the right. Notice An explanation mark centred inside a circle. Previous An icon of an arrow pointing to the left. Rating An icon of a star. Tag An icon of a tag. Twitter An icon of the Twitter logo. Video Camera An icon of a video camera shape. Speech Bubble Icon A icon displaying a speech bubble WhatsApp An icon of the WhatsApp logo. Information An icon of an information logo. Plus A mathematical 'plus' symbol. Duration An icon indicating Time. Success Tick An icon of a green tick. Success Tick Timeout An icon of a greyed out success tick. Loading Spinner An icon of a loading spinner. Facebook Messenger An icon of the facebook messenger app logo. Facebook An icon of a facebook f logo. Facebook Messenger An icon of the Twitter app logo. LinkedIn An icon of the LinkedIn logo. WhatsApp Messenger An icon of the Whatsapp messenger app logo. Email An icon of an mail envelope. Copy link A decentered black square over a white square.
Insights / Opinion

Energising cyber security

By Penelope Warne
10/08/2017, 6:00 am
Opinion: Data security
Opinion: Data security

Cyber security and related security breaches are an increasing problem generally. The energy sector, with its complex and critical infrastructure, is however particularly at risk and needs to be extra vigilant both in its defences against an attack and its plans for responding to an incident.

The offshore health and safety and environmental risks add an additional layer of complexity and risk to an already challenging issue.

As recently as June, we saw companies in the oil and gas sector including Maersk and Rosneft reportedly affected by the Petra ransomware attack. The damage from such attacks can take a company offline for hours, sometimes days, as well as leading to damages claims and operational issues. Businesses can also suffer immense reputational damage as the attacks are reported in the press and across social media. If a cyber breach results in the disclosure of, or unauthorised access to, any personal information, there will likely also be liability under data protection legislation (with potential fines under the new EU regulation coming into force in May 2018 increasing to the greater of £20million or 4% of global annual turnover for the preceding financial year).

Some of the most common types of cyber risk include:

• Ransomware attacks like Petra whereby downloaded malware encrypts an enterprise’s files and threatens to either leave the files encrypted or delete such files unless a ransom is paid;

• Trojans (where a user is duped by a seemingly legitimate communication or website into downloading a piece of software that allows a third party access);

• Use of unpatched software (simply the use of software with a known vulnerability that has not been rectified, such as using an outdated version of an operating system);

• Phishing attacks (the receipt of a communication that appears legitimate, say a e-mail purporting to be from Microsoft but actually from a third party, asking for login details via a seemingly legitimate but in fact fraudulent website) – this can happen over the phone as well as e-mail; and

• Viral worms (also known as network-travelling worms) which once into a system from an e-mail attachment or downloaded link can travel quickly and mutate through an organisation’s infrastructure avoiding attempts to easily detect and eradicate the program.

The best form of cure with cyber breaches is most definitely prevention in the form of vigilant cyber security. This starts with having in place a strong cyber security policy, which is rigorously implemented and updated. Enterprises should ensure that they have the latest software patches installed, and do not use software with known and published vulnerabilities.

Businesses should consider restricting executable code in e-mail attachments and as downloads, and placing restrictions on the insertion of unknown USB drives into networked machines. Penetration testing (where a third party tests the system by attempting to compromise it) should be considered on key systems to ensure that no vulnerabilities exist, or that any identified are suitably addressed.

Additionally, the weakest link in most enterprises’ cyber security – the end users – should be routinely trained and kept abreast of any developments (for example if there are known scams, users should be informed and reminded to always check with internal IT).

However, despite the best preparations and defences, cyber attacks are sometimes still successful and in this case it is very important to have on hand a team of legal, IT and PR advisors with an agreed plan who are able to implement that plan in real-time, 24/7 in the case of an attack.

In the first hour of the known cyber attack, the advisors should be briefed including instruction of IT forensics, background briefing and creation of a specific project plan. As the IT forensics team starts to uncover what is occurring, in the 12-24 hours after the attack the organisation should consider the appointment of an outside counsel “breach coach”/cyber crash team: such legal advisers typically perform a co-ordination and project management role, but may also be able to maintain legal privilege in communications. IT forensics will assist with identification of the source/leak/compromise including, crucially, geographical identification of the location of affected servers and data subjects. They will also conduct analysis of the nature of any compromised material.

In the 24-48 hours after the attack, there should be an early stage evaluation with recommendations including when and how to notify any affected data subjects (if appropriate), and if needed an appointment of PR/external communication strategy advisor.

The IT forensics team will continue to identify the source/leak/compromise, provide patches and viable alternatives, and bring back online network critical infrastructure, where feasible. The legal advisors can assist with determining if there is a need to notify data subjects/ regulators, and with such notification (by e-mail if appropriate or by a mail order fulfilment centre).

In this phase of the response, PR communications and key staff briefings should be readied as more details of the attack, its cause and its impact are known. Affected parties may be offered post-breach support, such as: basic advice on security upgrades, improvements, virus patches; web crawling/monitoring; and credit monitoring/identity theft protection.

Finally after the attack is curtailed, and generally in a time period of around 72 hours or more from the start of the attack, the legal advisors will assist with any necessary claims defence and regulatory issues and the IT team will implement longer term defences and fixes.

This can include notification of commercial third parties such as customers; liaison with regulators; defence of third party claims (such as breach of contract for inability to deliver services due to the outage); discussion with insurers regarding loss adjustment and valuation; implementation of IT upgrades/amendments (responsibility for funding/betterment); and identification of longer term risks and consequences.

Given the increase of cyber threats, and the potentially devastating risks to the energy sector in particular, a good defence strategy and a considered response plan should be considered as crucial to businesses as a plan for responding to a pollution incident or other offshore incident.

Penelope Warne is senior partner and head of energy at CMS

Recommended for you