Power companies are reportedly being refused insurance for cyber attacks, despite a rise in demand.
Andy Philpott, SVP Sales, EMEA, Websense, says: “This is a wake-up call for utility firms seeking out insurance against cyber attacks and increasingly being refused. There needs to be a mental shift refocusing from insuring against the aftermath of an attack to preventing it entering the network in the first place. Recent research we’ve conducted shows that over 70 per cent of security professionals don’t trust their current security program.
“So many companies are still using security technology that is not fit for purpose in today’s threat landscape. Not all security solutions are equal and I would urge companies to do their due diligence. Security defences need to be effective across all stages of an attack, using layered defences to cut across the threat kill chain. It’s an inevitability that a determined and targeted attack will eventually be successful, but it’s how you deal with it once it’s inside your network. Many evasion techniques are used to easily bypass traditional security defences. The best insurance would be to test, test and test your security; understand where the weakness lie and have real-time security able to analyse malware on the fly. Most importantly, put data leak prevention at the core of your business so that even if an attacker gets in, they will not be able to steal any data. Security can never be ‘set and forget’ and needs to be at the forefront of a company’s mind at all times for any chance of ensuring security effectiveness.”
power companies are being refused insurance for cyber attacks, despite a huge increase in demand. One insurance expert told the BBC
Ross Brewer, vice president and managing director for international markets at LogRhythm
“Everyone is well aware of the increasing cyber threat and it is therefore no surprise that more and more organisations are requesting insurance for the eventuality that they will be target. What is a concern, however, is the fact that so many businesses are seeing this as a substitute and are clearly failing to adequately protect themselves as a first port of call – particularly those that manage our national infrastructure. While a bank might be left red-faced and a little out of pocket following a cyber attack, a hack on SCADA systems could result in catastrophic failures.
“It is clear that there is a miscommunication somewhere. The government and other organisations have been very vocal about the rising cyber threat, yet companies are still not doing enough to protect their systems. It is now essential that every business up and down the country has the mechanisms in place to proactively identify threats, respond and expedite forensic analysis in real-time.
“Simply focussing on securing the perimeter is now as effective as securing your house with a moat. If someone wants to get in, they will. The only way to batten down the hatches is through monitoring all IT systems and data continuously and, from there, creating a baseline of ‘normal’ activity so any anomalous behaviour is immediately identifiable. While insuring against cyber attacks may now be a sensible route to take, it should simply be viewed as a precaution, not an alternative to boosting traditional cyber defences.”
And Tony Burton, critical infrastructure protection business lead, Thales UK, says: “It is clear that there is growing concern in the energy industry around the security of their infrastructure and its robustness against the modern day cyber attacks. Legacy systems, often built before the internet existed, were simply not designed with the levels of interconnection and security threat we see today. Even systems that have remained isolated from the internet and business IT systems are vulnerable to threats and can ‘leap the air-gap’ via process, people and physical (USB Stick) vectors. Energy firms and other areas of CNI are beginning to face up to this challenge and are increasingly recognising that good security is good business. The insurance issue and contingency holdings are prime examples of how good security can have a positive effect on the bottom line results of these companies. However, the security of these operations is not a simple challenge and this is what the insurers are beginning to recognise.
“The options to simply change software to a more up to date version, implement patching or install firewalls/gateways and intrusion detection systems are not always available due to the potential introduction of instability or inherent integration problems. Specialist domain expertise is therefore needed to fully secure these legacy and new systems through a combination of Physical, Process, People and Cyber security measures that will adequately protect against cyber and physical intrusions. Energy firms need to commit to investing the time and money in this holistic approach to the security of their operations in our interconnected day-and-age and only then will they restore confidence from prospective insurers.”
