The energy sector faces significant and growing cyber threats. In particular, many businesses in the energy sector operate safety-critical machinery that is increasingly connected and subject to cyber attacks. Whether located on an oil rig, in the electric grid, at a refinery, or on a pipeline, these systems (often referred to as "Operational Technology" or "Industrial Control Systems") sit at the backbone of countless critical processes in the energy sector. Cyber threats to these systems continue to grow, including from highly sophisticated nation-state actors. Potential attacks against these systems threaten to stop production, impair the integrity of safety-critical systems or even cause physical damage or personal injury. The corresponding legal risks facing the energy sector, whether from litigation or regulatory action, are equally significant and will continue to grow in the coming years.
Practical challenges often complicate energy companies' response to these cyber threats. Industrial systems have significantly different profiles than enterprise information technology systems: they are harder to update in light of their up-time requirements, difficult (if not impossible) to replace because of their cost, and have far longer lifetimes. Companies also often have far less visibility across their industrial networks and lack many of the tools, including intrusion detection software and robust logging, that are routinely available in the enterprise information technology context. Likewise, internal plans and policies may not be well-suited to address emerging cyber threats to operational technology. Business continuity or disaster recovery plans may not address an appropriately broad range of scenarios, for example, and data breach response plans are likely to focus on data security. Similarly, vulnerability management, penetration testing, or other policies employed in the enterprise cybersecurity context may either be inapposite or inapplicable to a company's operational security risk management.
Businesses in the energy sector nonetheless can take practical steps to mitigate these significant risks, and corporate legal teams have an important role to play. Effective collaboration between legal, security and business teams can significantly reduce risks to businesses in the wake of a cyber incident involving operational technology. Likewise, close coordination between legal, security and business stakeholders before incidents occur (including through internal risk assessments, vulnerability management and tabletop exercises) can reduce future legal risk.
The webinar taking place on 26 January, "Managing OT Cyber Risk: Lessons from the Front Lines", will discuss how legal teams can work with other stakeholders in their businesses to manage associated legal risk, including through:
- Managing legal privilege in the context of operational technology cybersecurity;
- Best practices for engagement between operational security teams and other stakeholders;
- Effective preparation for industrial cyber incidents; and
- Opportunities for ongoing collaboration between operational security and legal teams.
For more details about the Webinar, please follow this link.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.