Governments the world over have been ramping up their digital agendas in recent months, each seeking to instil the importance of cyber security on citizens and businesses alike. Attempts are being made to raise cyber security awareness, and essentially the message is that organisations must understand their networks, systems and data, and must take a proportionate, risk-based approach to keeping them secure. Resilient networks and systems must be in place.
This is especially important in the energy industry which has become increasingly vulnerable to cyber attacks by 'hacktivists', state-sponsored hackers and other cyber criminals who are all seeking to exploit network and system vulnerabilities. Olivia Harrisson in Field Fisher Waterhouse's IP and Technology, Privacy & Information Law Group explores the implications of this for the energy industry.
The energy industry is an attractive target for cyber criminals who may be looking to steal intellectual property, damage or destroy data used in energy exploration or who may be seeking access to systems that control pipelines and other operations. A successful cyber attack could shut down the flow of natural gas, trigger an explosion at a petrochemical facility, damage an offshore drilling rig leading to oil spills, or cause other damage which will all have huge financial and reputational impacts on businesses. The frequency with which we are seeing these attacks is increasing significantly. A South Korean drilling rig suffered a cyber attack which significantly compromised its operations, the petroleum producer, Saudi Aramco, suffered a malware attack affecting 30,000 computers across its network, and Qatar's RasGas was also the victim of an attack by hackers.
The importance of having robust cybersecurity systems is clearly paramount. However, organisations in the energy industry are also facing increased legal obligations and greater regulatory expectations in terms of cyber and data security as a result of law reform in this area. In February 2013 the European Commission presented a proposal for a Directive on network and information security which places a number of obligations on operators of critical infrastructures (including energy providers) mandating the adoption of appropriate steps to manage security risks, and requirements to report serious cyber security incidents to designated regulators. The changes that these law reforms represent, combined with the ever-increasing threat of cyber attacks, should be high on organisations' agendas.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.