SCADA system vulnerabilities so common, insurers won’t insure


SCADA system vulnerabilities are becoming so common in energy firms that insurers and underwriters are refusing to insure them. It has regularly been reported that industrial control and SCADA system vulnerabilities are widespread and that little care has been taken to implement security controls to protect these systems. Now insurers are beginning to turn away multi-million-pound contracts because of the lack of security controls in SCADA systems, leaving energy firms in dismay.

This week Lloyd’s of London reported that it had seen a large increase in insurance requests from the energy sector. However, because applicants are failing security tests and receiving poor results from security risk assessors, insurers are forced to turn that business down until security controls are implemented. Lloyd’s went on to state that energy companies are evidently aware of the risks posed by their systems and are attempting to offset those risks with insurance policies, with little success.

Lloyd’s goes on to state that insurance should not be used as a substitute for security and that these companies should assess their security controls before considering taking out insurance contracts. Although Lloyd’s is renowned for offering insurance policies for anything from small businesses through to data breaches, it is cautious not to offer policies for systems that are this vulnerable and on which the country relies so heavily.

SCADA system vulnerabilities stem from legacy systems and interconnections with corporate networks and the Internet

SCADA system vulnerabilities have had extensive press coverage over the past few months, and specialist insurance companies have experience of the type of impact that these breaches can have. Insurance giant Beazley caters for some of the world’s largest oil and gas companies and last December announced that it had assisted clients with recovering from a total of over 1,000 security breaches in recent years. This figure is unsurprising given the high number of publicised SCADA system vulnerabilities that are out there.

SCADA systems are relied on by industrial power plants and the energy sector to control and monitor critical systems. Many SCADA system vulnerabilities are inherent: the systems are old, and the need for constant availability makes it impossible to update or patch them. Even as security researchers discover more and more vulnerabilities in SCADA systems, companies are becoming keen to connect more systems together, including those critical SCADA systems.

As well as being inherently vulnerable, SCADA systems are becoming more interconnected, providing more attack paths for cyber criminals. In addition, as vulnerabilities are discovered, more and more automated tools become available that let attackers automate the process. This reduces the sophistication required of attackers targeting these systems, exposing SCADA system vulnerabilities to a wider range of threats. Add to this the fact that SCADA systems are critical to the safety of the UK and it is a certain recipe for disaster.

With all this in mind, it is no surprise that insurance companies are unwilling to draft insurance policies for such vulnerable systems. The fact that our critical national infrastructure system owners are so keen to obtain high-cost insurance policies really hits home as to how vulnerable these systems actually are. As vulnerability discovery increases, interconnection of networks increases and the level of sophistication required of attackers falls, SCADA systems become a highly vulnerable target.

Insuring systems like these may be seen as simply a plaster to repair any damage. It is evident, however, that SCADA system vulnerabilities need to be addressed through appropriate technical and non-technical controls, based on identified risks and attack paths. As SCADA system owners become more aware of how their systems operate, it is up to qualified cyber security staff to analyse the threat and apply controls as appropriate. These may include appropriate segregation between corporate and control networks, encryption as standard and strong authentication mechanisms.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
