Energy is the Lifeblood of Critical Infrastructure
Every U.S. industry relies on the nation’s infrastructure to function, whether through direct operational dependencies or third-party supply chains. According to the Cybersecurity and Infrastructure Security Agency (CISA), “there are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States, that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” The 16 critical infrastructure sectors are diverse, ranging from Manufacturing and Agriculture to Financial and Public Health—affecting all aspects of modern life. But, of note, the Energy sector is special.
Energy is the lifeblood of the other critical infrastructure sectors. In recent months, the Energy sector has been getting renewed attention due to the Colonial Pipeline ransomware incident. The notion that a digital cyber-attack can halt physical operations is not new, as the Stuxnet and NotPetya intrusions demonstrated, but the consequences for daily life, our economic system, and national security are escalating and palpable.
In the Energy sector, the Electricity sub-sector is particularly vulnerable. In January 2021, Presidential Executive Order 13920 was issued following the discovery of hardware backdoors in Chinese-made electric transformers. While that vulnerability affected hardware and control systems, new threats involving ransomware, which can render these systems inoperable and their data unavailable, are emerging as an area of focus.
After the Colonial Pipeline incident, the Biden Administration announced an infrastructure plan encouraging collaboration between the Federal Government and the critical infrastructure community. In particular, the voluntary effort emphasizes the need for open discussion of cybersecurity risks and protections for the Electricity sub-sector. To support that objective, on July 7th and 8th, 2021, Axio hosted a two-day Energy Cybersecurity Insurance Forum to discuss areas of improvement for the Energy sector and recommend specific actions for risk reduction. Participants in the forum included government representatives, service providers, and cybersecurity agencies. The first day of the forum consisted of keynote presentations framing the event and establishing the problem space. A summary of these presentations is provided here.
The insurance industry plays a vital role in encouraging critical infrastructure owners and operators to improve cybersecurity risk management practices and outcomes. As such, on day two, Axio hosted three panel sessions on the ways the insurance industry can help address the challenges faced by critical infrastructure. Panel session 1 explored the need for a government reinsurance program to incentivize insurance products for the Energy sector. Key takeaways included:
- Commitment of the insurance industry to the Electricity sub-sector to manage and transfer cyber risk
- Unanimous consensus on the need for a government reinsurance program
- Acknowledgement that threats to the Electricity sub-sector exceed the resources of any one company
- Understanding that cyber risk is inclusive of not only data and privacy risks, but also increasing dependence on technology
A Government Insurance Policy…For Insurance Policies
During the panel’s discussion, there was unanimous consensus regarding a government reinsurance program through the expansion or evolution of the Terrorism Risk Insurance Act (TRIA). Originally, TRIA was created as a temporary three-year federal program to share with insurers the commercial property and casualty losses resulting from a terrorist attack. The act has been renewed numerous times but is slated to expire on December 31, 2027. Recently, however, cyber-attacks have been elevated to acts of war and terrorism, with nation-state actors and their related advanced persistent threat groups (APTs) actively engaged in sophisticated attacks against other nations.
Expanding TRIA in this way would shift the losses from a cyber-attack to the government rather than to private entities, which should provide some relief for insurers. The insurance industry has been hesitant to create fully expansive insurance programs because damage claims can escalate quickly. At the same time, existing insurance programs are rapidly becoming more expensive, with terms and conditions that favor and protect insurance providers. A government reinsurance program would enable the insurance industry to offer far broader coverage to the Energy sector—which arguably is foundational to all of the other sectors—without fear of overwhelming losses.
The Commitment Versus the Resources Available
The insurance industry has made a commitment to protecting the Electricity sub-sector through the management and transfer of cyber risk, and this sentiment was echoed by all industry representatives during the forum. However, the cyber challenges for the sub-sector exceed the resources of any single member organization, which impedes the ability to implement universal policy directives across the sector. With that in mind, panelists spoke to the importance of the government’s role in supporting the sector by taking more offensive actions to protect critical infrastructure and increasing the consequences for adversaries that attack it. This underscores the need to reaffirm and commit to effective sector collaboration through information sharing between public and private organizations, so that a more comprehensive view of risk can be established and risk exposure measured more efficiently.
The Different Types of Risk: Data Privacy vs Technology Dependence
A final point made by panelists was that cyber risk can be viewed in two buckets: data and privacy risk vs. technology dependence. Data and privacy risk has taken center stage as a key target of ransomware attacks. Technology dependence, however, is an emerging concern that has not been as topical in the cyber risk discussion. In essence, organizations are becoming more dependent on new technology and automation every day. This is where operational and infrastructure risk naturally converge, because control systems are ultimately about sustaining normal operations, even if the IT network has been compromised. This evolution is creating inconsistencies and gaps in existing insurance programs, thereby increasing the call for more comprehensive threat visibility, indicators, detections, and warnings. Recognizing this issue, panelists concurred that government can indeed play an important role in supporting sector organizations and the insurance industry as dependence on technology increases.
At Axio, we’re committed to working with leaders in insurance, industry, and government on the cybersecurity challenges facing critical infrastructure. In the next blog post, we summarize discussions around the role of cyber statistics in cyber risk management, insurance products, and government policymaking.
If you’d like to learn more about the Axio360 platform, you can register for our free tool to improve your cybersecurity posture.