Canadian Underwriter

Cyber criminal interest in electrical utilities on the rise


July 16, 2018   by Greg Meckbach



Electrical and utility firms in North America continue to be a target for cyber criminals, the head of a cyber loss modelling provider suggests.

Over the past few months, there has been an “uptick in threat actor activity around energy and utility companies in North America,” Pascal Millaire, CEO of CyberCube Analytics Inc., told Canadian Underwriter this past Thursday.

Millaire was commenting on how he thinks cyber risk has changed since CyberCube emerged from “stealth mode” this past March.

Risk managers have been concerned for years about the vulnerability of specialized computers – such as supervisory control and data acquisition (SCADA) systems – to malware. SCADA is a system of software and hardware elements that encompasses a wide variety of specialized computers, including those that control industrial processes, building systems and electrical power grids.

Just because a device has computing power and is connected to a network does not necessarily mean that a hacker in his parents’ basement can get control of it. This is because some computing devices are not connected to the public Internet.

“Often electricity systems are ‘air-gapped,’ which means key pieces of infrastructure are not connected to the Internet,” Millaire said Thursday in an interview. “But unfortunately, that is not always the case and unfortunately there have been successful cyber attacks [on electrical systems].”

A 2010 cyber attack, dubbed Stuxnet, raised alarm bells among computer security and risk professionals about the vulnerability of SCADA systems to cyber attack. The target of Stuxnet was Iran’s uranium enrichment program.

The hackers “introduced some code in the hardware controllers” that run the centrifuges, Jose Fernandez, a professor at Montreal’s Ecole Polytechnique, said of Stuxnet in early 2016 at the Canadian Catastrophe Conference. Centrifuges are the machines that separate Uranium-235 (which can be used to make nuclear weapons) from Uranium-238. The centrifuges would spin at 14,000 revolutions per minute most of the time, but the Stuxnet malware would slow those centrifuges down slightly for about a minute every hour, Fernandez noted.

“Unless you were standing right next to it, you wouldn’t notice it,” Fernandez said during the 2016 Canadian Catastrophe Conference, produced by MSA Research’s CatIQ unit. “This change of speed was enough to remix the gases and they managed to essentially halt [Iran’s] uranium production for about a year and a half, according to intelligence estimates.”

An attack on an electrical power system poses an “aggregation risk” for insurers because multiple clients, all using the same insurer, could be affected by one incident, Millaire said in an interview.

CyberCube’s software is intended to model such aggregation risks. This could include attacks such as NotPetya and WannaCry, Millaire noted Thursday.

CyberCube announced July 11 it has partnered with Jardine Lloyd Thompson Group plc’s reinsurance brokerage unit. Using CyberCube’s technology, JLT Re will provide loss models for 23 different classes of scenarios where a cyber attack could impact multiple users.

Insurers, reinsurers and reinsurance brokers are “struggling to understand” how to underwrite and price cyber risk, Millaire said, adding that cyber risk is “one of the top risks on the minds of enterprises.”

CyberCube was spun off earlier this year from Symantec Corp., the Mountain View, Calif.-based manufacturer of Norton AntiVirus.