Saturday, March 1, 2014

Energy Companies Turned Down for Cyber Insurance as Poor Risks

Energy and other physical infrastructure companies have a difficult job to do. Their SCADA (Supervisory Control and Data Acquisition) components are difficult to maintain or secure. They are isolated, often have inadequate support, are frequently highly customized for a particular installation, and may be so old that no reasonable support or patches are available for them.

Unfortunately, some energy companies appear to view insurance as a replacement for (rather than a supplement to) robust information security. Insurance companies that offer cyber security policies are increasingly turning down these potentially lucrative contracts due to the risk of a loss.

The "Olympic Games" hack involving Stuxnet showed the danger hackers pose to critical infrastructure. Even though Stuxnet was originally targeted at Iran's secretive nuclear program, the virus escaped into the wild and has been found in unrelated and surprising places.

Hopefully the refusal of cyber insurance will be a wake-up call to energy and other infrastructure companies. Updates need to be applied, security needs to be designed in, and critical components may need to be separated from the network by an air gap.
