Cyber Threat: Energy

An Electrifying Threat

The energy sector is a top target of cyber attackers. A successful attack is only a matter of “when.”
By: and | April 7, 2014 • 7 min read

Energy and the natural resources industry face especially grim cyber threats.

“If there is a cyber attack, you can’t see or touch that attacker so your ability to quickly respond may or may not be successful,” said Norma Krayem, a senior policy adviser at the Patton Boggs law firm and co-chair of the firm’s homeland security, defense and technology transfer practice group.

Advertisement




“I think the likelihood of such an attack absolutely exists,” she said. “I think the question becomes more about who, when and why.”

According to Symantec, a data security company, the energy sector “has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide.”

The threats may come from competitive spying, corporate espionage, cyber criminals, hacktivism, disgruntled employees and state-sponsored disruptions, it said.

A bad result doesn’t even necessarily have to begin with bad intent, said Cliff Lancaster, senior risk analyst at Hartford Steam Boiler Inspection and Insurance Co. (HSB).

At the Davis–Besse Nuclear Power Station in Ohio, for example, the network became infected with a worm that shut it down for five hours in 2003 because a software consultant had created a shortcut for his own convenience that bypassed the firewall, he said.

Possible Widespread Devastation

As security measures increase, employees and vendors may be ever more tempted to bypass procedures, just to more easily get their work done.

Between July 2012 and June 2013, 16 percent of all cyber attacks each day targeted companies in the energy sector, according to Symantec. Only the government or public sector had more targeted attacks.

And should the energy delivery system be disrupted, that threatens the country’s finance, transportation, health care, water supply and emergency services systems — all of which depend on reliable energy.

042014_05c_rigs_Krayem“You have this patchwork of systems that are being cobbled together, a lot of them are legacy systems, and they are not necessarily all at the same level of security.”

— Norma Krayem, senior policy adviser, Patton Boggs

Electric grid vulnerabilities that lead to power disruptions are estimated to cost the U.S. economy between $119 billion to $188 billion each year, according to a 2013 report on grid vulnerability by Rep. Edward J. Markey, D-Mass., and Rep. Henry A. Waxman, D-Calif.

“Power disruptions today generally do not lead to insured losses,” said Robert Hartwig, president of the Insurance Information Institute.

“However, it seems only a matter of time before a major cyber attack leads to the type of damage covered by standard property and liability policies,” he said.

“As we look at what hackers have been able to do in terms of infiltrating presumed secure systems — even entities like the Department of Defense — it seems there must be vulnerabilities in the systems associated with major infrastructure in this country, whether it’s electric, water, transportation or communications.”

Complex Risk Management

The degree to which computer technology and networking are integral to the energy sector in an operational sense makes it a particularly complex risk-management challenge, said John Kerns, executive managing director of Beecher Carlson Financial Services.

Advertisement




“There was a question posed to us by a client earlier this year: What if there were a denial-of-service attack or virus that shut down the gas pipelines coming into Chicago in the middle of winter. Homes went cold and people went to the hospital or even died. There was no physical damage, but clearly there was a serious impact, and loss,” he said.

The challenges are not confined to traditional energy markets either, said Charles Long, vice president of renewable energy and green technology at William Gallagher Associates. “Many computers are covered under a basic commercial package, and wind farms have separate coverage. If there is a lightning strike, that is surely covered. If data just failed, that can be covered by E&O, but data corruption or a virus, that kind of thing is very much still under consideration.”

Fred Podolsky, executive vice president, executive risk, Alliant Insurance Services, said that “only a small fraction,” maybe 10 percent of U.S. based utility companies have bought cover, and most of the policies that have been purchased relate to data breach exposures.

Some companies, however, have “woken up and are looking for cover” to help them repair their power-generation network and computer systems should they be damaged, or to protect them from other service interruption or customer liability issues, he said.

But many utilities refuse to provide underwriters with sufficient information to get the coverage they need, he said.

The main reason? “It’s just a pure confidentiality concern. IT folks are just so fearful to release any information to anyone having to do with their security procedures, though pressure is building from risk management and others in the C-suite to address these exposures,” Podolsky said.

While protecting the actual control systems of energy companies is a high priority that is audited by the federal government, the smart grid — that measures and creates a more efficient distribution of electricity based on use — is  vulnerable, said HSB’s Lancaster.

If false data were injected into that system, it could potentially cause turbine generators to speed up when they shouldn’t. “If you can get it spinning at the wrong speed,” he said, “it can just shake itself to death.”

Once a turbine or transformer is damaged, there is a limited amount of replacement equipment.

And once a turbine or transformer is damaged, there is a limited amount of replacement equipment, he said. “If you are able to damage many pieces of equipment at once, it would take a lot of time to fix it because you have to build and rebuild lots of equipment,” Lancaster said.

Krayem said the connectivity of entities that distribute electric power, for example, means there could be “cascading failures” throughout the country.

Advertisement




“You have this patchwork of systems that are being cobbled together, a lot of them are legacy systems, and they are not necessarily all at the same level of security,” she said.

According to KPMG, which cited data from the U.S. Department of Homeland Security, the “constant barrage of cyber attacks” on water and energy companies “usually take the form of cyber espionage or denial-of-service attacks against industrial-control systems.”

Inadequate Security Controls

The consultancy also noted that a survey by The Centre for Strategic and International Studies in 2010, found that critical infrastructure, including power grids, industrial control networks and oil refineries “are not adequately prepared to defend themselves.”

Video: Dissecting Stuxnet

The most famous of all attacks on an energy system occurred in Iran when unknown forces — believed to be the United States and Israel — created the Stuxnet worm, specially designed to target Iran’s specific industrial control system and reprogram it so that the nuclear centrifuges spun out of control and damaged themselves while the displays indicated normal functioning.

Most notably, Stuxnet spread using a USB drive, infecting networks that were unreachable by the Internet.

Another disturbing attack occurred in 2012, when a cyber attack hit Saudi Aramco, one of the largest oil producers in the world. The disruption, which continued for two weeks, disabled more than 30,000 of the company’s workstations.

The virus, later named “Shamoon,” was the first significant cyber attack on a commercial target to cause real damage. It is also the most destructive attack the private sector has experienced to date, said Malcolm Marshall, global leader for information protection at KPMG, based in London.

Marshall said that “one senior oil-industry executive to whom I spoke shortly after the Shamoon incident told me, ‘Well, there goes our worst-case scenario.’ ”

That same month, Rasgas, in Qatar, was hit by the same virus and forced to bring its entire network off line.

In 2011, hackers were able to install malware and “evidence of a sophisticated threat actor” was found in the U.S. energy sector, according to the U.S. Government Accountability Office.

An Active Market

Marshall noted that, in the aggregate, the global oil and gas industry “is effectively self-insured, but cyber security is an active and growing commercial market, especially in the U.S. It seems likely that will become an economic necessity.”

Kerns at Beecher Carlson said, “We are seeing multiple policies responding to these threats. Those include dedicated cyber policies, D&O coverage, and in the energy sector, even general liability policies are responding.”

Advertisement




That said, he added that “the insurance market is looking aggressively at cyber risk, and is putting on new exemptions, restrictions, and limits. The gray areas are still some GL, bodily injury, and third-party injury. Mostly, we are seeing GL carriers not willing to pick up many risks. That leaves owners and brokers to see what the cyber market is willing to do.
“There is capacity to address business interruption, but we are having to press on bodily injury and property damage as they relate to cyber,” he said.

                                                                                                                    

Complete coverage on the inevitable cyber threat:

Risk managers are waking up to the reality that the cyber risk landscape has changed.

Cyber: The New CAT. It’s not a matter of if, but when. Cyber risk is a foundation-level exposure that must be viewed with the same gravity as a company’s property, liability or workers’ comp risks.

042014_02c_hospital_thumbnailCritical Condition. The proliferation of medical devices creates a host of scary risks for the beleaguered health care industry.

042014_03c_cars_thumbnailDisabled Autos. It’s alarmingly easy for a hacker to take control of a driverless vehicle, tampering with braking systems or scrambling the GPS.

Alaska Plane CrashUnmanned Risk. The dark side of remote-controlled drones, which have already been hacked — by students.

The late Anne Freedman is former managing editor of Risk & Insurance. Comments or questions about this article can be addressed to [email protected]

More from Risk & Insurance

More from Risk & Insurance

Exclusive | Hank Greenberg on China Trade, Starr’s Rapid Growth and 100th, Spitzer, Schneiderman and More

In a robust and frank conversation, the insurance legend provides unique insights into global trade, his past battles and what the future holds for the industry and his company.
By: | October 12, 2018 • 12 min read

In 1960, Maurice “Hank” Greenberg was hired as a vice president of C.V. Starr & Co. At age 35, he had already accomplished a great deal.

He served his country as part of the Allied Forces that stormed the beaches at Normandy and liberated the Nazi death camps. He fought again during the Korean War, earning a Bronze Star. He held a law degree from New York Law School.

Advertisement




Now he was ready to make his mark on the business world.

Even C.V. Starr himself — who hired Mr. Greenberg and later hand-picked him as the successor to the company he founded in Shanghai in 1919 — could not have imagined what a mark it would be.

Mr. Greenberg began to build AIG as a Starr subsidiary, then in 1969, he took it public. The company would, at its peak, achieve a market cap of some $180 billion and cement its place as the largest insurance and financial services company in history.

This month, Mr. Greenberg travels to China to celebrate the 100th anniversary of C.V. Starr & Co. That visit occurs at a prickly time in U.S.-Sino relations, as the Trump administration levies tariffs on hundreds of billions of dollars in Chinese goods and China retaliates.

In September, Risk & Insurance® sat down with Mr. Greenberg in his Park Avenue office to hear his thoughts on the centennial of C.V. Starr, the dynamics of U.S. trade relationships with China and the future of the U.S. insurance industry as it faces the challenges of technology development and talent recruitment and retention, among many others. What follows is an edited transcript of that discussion.


R&I: One hundred years is quite an impressive milestone for any company. Celebrating the anniversary in China signifies the importance and longevity of that relationship. Can you tell us more about C.V. Starr’s history with China?

Hank Greenberg: We have a long history in China. I first went there in 1975. There was little there, but I had business throughout Asia, and I stopped there all the time. I’d stop there a couple of times a year and build relationships.

When I first started visiting China, there was only one state-owned insurance company there, PICC (the People’s Insurance Company of China); it was tiny at the time. We helped them to grow.

I also received the first foreign life insurance license in China, for AIA (The American International Assurance Co.). To date, there has been no other foreign life insurance company in China. It took me 20 years of hard work to get that license.

We also introduced an agency system in China. They had none. Their life company employees would get a salary whether they sold something or not. With the agency system of course you get paid a commission if you sell something. Once that agency system was installed, it went on to create more than a million jobs.

R&I: So Starr’s success has meant success for the Chinese insurance industry as well.

Hank Greenberg: That’s partly why we’re going to be celebrating that anniversary there next month. That celebration will occur alongside that of IBLAC (International Business Leaders’ Advisory Council), an international business advisory group that was put together when Zhu Rongji was the mayor of Shanghai [Zhu is since retired from public life]. He asked me to start that to attract foreign companies to invest in Shanghai.

“It turns out that it is harder [for China] to change, because they have one leader. My guess is that we’ll work it out sooner or later. Trump and Xi have to meet. That will result in some agreement that will get to them and they will have to finish the rest of the negotiations. I believe that will happen.” — Maurice “Hank” Greenberg, chairman and CEO, C.V. Starr & Co. Inc.

Shanghai and China in general were just coming out of the doldrums then; there was a lack of foreign investment. Zhu asked me to chair IBLAC and to help get it started, which I did. I served as chairman of that group for a couple of terms. I am still a part of that board, and it will be celebrating its 30th anniversary along with our 100th anniversary.

Advertisement




We have a good relationship with China, and we’re candid as you can tell from the op-ed I published in the Wall Street Journal. I’m told that my op-ed was received quite well in China, by both Chinese companies and foreign companies doing business there.

On August 29, Mr. Greenberg published an opinion piece in the WSJ reminding Chinese leaders of the productive history of U.S.-Sino relations and suggesting that Chinese leaders take pragmatic steps to ease trade tensions with the U.S.

R&I: What’s your outlook on current trade relations between the U.S. and China?

Hank Greenberg: As to the current environment, when you are in negotiations, every leader negotiates differently.

President Trump is negotiating based on his well-known approach. What’s different now is that President Xi (Jinping, General Secretary of the Communist Party of China) made himself the emperor. All the past presidents in China before the revolution had two terms. He’s there for life, which makes things much more difficult.

R&I: Sure does. You’ve got a one- or two-term president talking to somebody who can wait it out. It’s definitely unique.

Hank Greenberg: So, clearly a lot of change is going on in China. Some of it is good. But as I said in the op-ed, China needs to be treated like the second largest economy in the world, which it is. And it will be the number one economy in the world in not too many years. That means that you can’t use the same terms of trade that you did 25 or 30 years ago.

They want to have access to our market and other markets. Fine, but you have to have reciprocity, and they have not been very good at that.

R&I: What stands in the way of that happening?

Hank Greenberg: I think there are several substantial challenges. One, their structure makes it very difficult. They have a senior official, a regulator, who runs a division within the government for insurance. He keeps that job as long as he does what leadership wants him to do. He may not be sure what they want him to do.

For example, the president made a speech many months ago saying they are going to open up banking, insurance and a couple of additional sectors to foreign investment; nothing happened.

The reason was that the head of that division got changed. A new administrator came in who was not sure what the president wanted so he did nothing. Time went on and the international community said, “Wait a minute, you promised that you were going to do that and you didn’t do that.”

So the structure is such that it is very difficult. China can’t react as fast as it should. That will change, but it is going to take time.

R&I: That’s interesting, because during the financial crisis in 2008 there was talk that China, given their more centralized authority, could react more quickly, not less quickly.

Hank Greenberg: It turns out that it is harder to change, because they have one leader. My guess is that we’ll work it out sooner or later. Trump and Xi have to meet. That will result in some agreement that will get to them and they will have to finish the rest of the negotiations. I believe that will happen.

R&I: Obviously, you have a very unique perspective and experience in China. For American companies coming to China, what are some of the current challenges?

Advertisement




Hank Greenberg: Well, they very much want to do business in China. That’s due to the sheer size of the country, at 1.4 billion people. It’s a very big market and not just for insurance companies. It’s a whole range of companies that would like to have access to China as easily as Chinese companies have access to the United States. As I said previously, that has to be resolved.

It’s not going to be easy, because China has a history of not being treated well by other countries. The U.S. has been pretty good in that way. We haven’t taken advantage of China.

R&I: Your op-ed was very enlightening on that topic.

Hank Greenberg: President Xi wants to rebuild the “middle kingdom,” to what China was, a great country. Part of that was his takeover of the South China Sea rock islands during the Obama Administration; we did nothing. It’s a little late now to try and do something. They promised they would never militarize those islands. Then they did. That’s a real problem in Southern Asia. The other countries in that region are not happy about that.

R&I: One thing that has differentiated your company is that it is not a public company, and it is not a mutual company. We think you’re the only large insurance company with that structure at that scale. What advantages does that give you?

Hank Greenberg: Two things. First of all, we’re more than an insurance company. We have the traditional investment unit with the insurance company. Then we have a separate investment unit that we started, which is very successful. So we have a source of income that is diverse. We don’t have to underwrite business that is going to lose a lot of money. Not knowingly anyway.

R&I: And that’s because you are a private company?

Hank Greenberg: Yes. We attract a different type of person in a private company.

R&I: Do you think that enables you to react more quickly?

Hank Greenberg: Absolutely. When we left AIG there were three of us. Myself, Howie Smith and Ed Matthews. Howie used to run the internal financials and Ed Matthews was the investment guy coming out of Morgan Stanley when I was putting AIG together. We started with three people and now we have 3,500 and growing.

“I think technology can play a role in reducing operating expenses. In the last 70 years, you have seen the expense ratio of the industry rise, and I’m not sure the industry can afford a 35 percent expense ratio. But while technology can help, some additional fundamental changes will also be required.” — Maurice “Hank” Greenberg, chairman and CEO, C.V. Starr & Co. Inc.

R&I:  You being forced to leave AIG in 2005 really was an injustice, by the way. AIG wouldn’t have been in the position it was in 2008 if you had still been there.

Advertisement




Hank Greenberg: Absolutely not. We had all the right things in place. We met with the financial services division once a day every day to make sure they stuck to what they were supposed to do. Even Hank Paulson, the Secretary of Treasury, sat on the stand during my trial and said that if I’d been at the company, it would not have imploded the way it did.

R&I: And that fateful decision the AIG board made really affected the course of the country.

Hank Greenberg: So many people lost all of their net worth. The new management was taking on billions of dollars’ worth of risk with no collateral. They had decimated the internal risk management controls. And the government takeover of the company when the financial crisis blew up was grossly unfair.

From the time it went public, AIG’s value had increased from $300 million to $180 billion. Thanks to Eliot Spitzer, it’s now worth a fraction of that. His was a gross misuse of the Martin Act. It gives the Attorney General the power to investigate without probable cause and bring fraud charges without having to prove intent. Only in New York does the law grant the AG that much power.

R&I: It’s especially frustrating when you consider the quality of his own character, and the scandal he was involved in.

In early 2008, Spitzer was caught on a federal wiretap arranging a meeting with a prostitute at a Washington Hotel and resigned shortly thereafter.

Hank Greenberg: Yes. And it’s been successive. Look at Eric Schneiderman. He resigned earlier this year when it came out that he had abused several women. And this was after he came out so strongly against other men accused of the same thing. To me it demonstrates hypocrisy and abuse of power.

Schneiderman followed in Spitzer’s footsteps in leveraging the Martin Act against numerous corporations to generate multi-billion dollar settlements.

R&I: Starr, however, continues to thrive. You said you’re at 3,500 people and still growing. As you continue to expand, how do you deal with the challenge of attracting talent?

Hank Greenberg: We did something last week.

On September 16th, St. John’s University announced the largest gift in its 148-year history. The Starr Foundation donated $15 million to the school, establishing the Maurice R. Greenberg Leadership Initiative at St. John’s School of Risk Management, Insurance and Actuarial Science.

Hank Greenberg: We have recruited from St. John’s for many, many years. These are young people who want to be in the insurance industry. They don’t get into it by accident. They study to become proficient in this and we have recruited some very qualified individuals from that school. But we also recruit from many other universities. On the investment side, outside of the insurance industry, we also recruit from Wall Street.

R&I: We’re very interested in how you and other leaders in this industry view technology and how they’re going to use it.

Hank Greenberg: I think technology can play a role in reducing operating expenses. In the last 70 years, you have seen the expense ratio of the industry rise, and I’m not sure the industry can afford a 35 percent expense ratio. But while technology can help, some additional fundamental changes will also be required.

R&I: So as the pre-eminent leader of the insurance industry, what do you see in terms of where insurance is now and where it’s going?

Hank Greenberg: The country and the world will always need insurance. That doesn’t mean that what we have today is what we’re going to have 25 years from now.

How quickly the change comes and how far it will go will depend on individual companies and individual countries. Some will be more brave than others. But change will take place, there is no doubt about it.

Advertisement




More will go on in space, there is no question about that. We’re involved in it right now as an insurance company, and it will get broader.

One of the things you have to worry about is it’s now a nuclear world. It’s a more dangerous world. And again, we have to find some way to deal with that.

So, change is inevitable. You need people who can deal with change.

R&I:  Is there anything else, Mr. Greenberg, you want to comment on?

Hank Greenberg: I think I’ve covered it. &

The R&I Editorial Team can be reached at [email protected]