U.S. utilities are looking hard at their cyber vulnerabilities and whether they can get insurance to cover what could be a multi-billion dollar loss after hackers cut electric power to more than 80,000 Ukrainians last month.
The Dec. 23 incident in Ukraine was the first cyber attack to cause a power outage, and is one of just a handful of incidents in which computer hacking has caused physical effects on infrastructure rather than the loss or theft of electronic data.
A similar attack in the United States could cripple utilities and leave millions of people in the dark, costing the economy more than $200 billion, an insurance study estimated last year.
Security experts, insurance brokers, insurers and attorneys representing utilities told Reuters that the Ukraine attack has exposed long-standing ambiguity over which costs would be covered by insurance in various cyber attack scenarios.
"People in the insurance industry never did a great job clarifying the scope of coverage," said Paul Ferrillo, an attorney with Weil, Gotshal & Manges who advises utilities.
Cyber insurance typically covers the cost of attacks involving stolen personal data. Some general property and liability policies may cover physical damage from cyber attacks, but insurers do not always provide clear answers about coverage for industrial firms, said Ben Beeson, a partner with broker Lockton Companies.
That has led to some unease among U.S. utilities.
"When you get these kind of headline-grabbing cyber incidents, there is obviously a flurry of interest," said Dawn Simmons, an executive with Associated Energy and Gas Insurance Services, or AEGIS, a U.S. mutual insurer that provides coverage to its 300 or so members.
Getting a policy that includes cyber property damage is not cheap.
Sciemus Cyber Ltd, a specialty insurer at the Lloyd's of London insurance market, charges energy utilities roughly $100,000 for $10 million in data breach insurance. The price balloons to as much as seven times that rate to add coverage for attacks that cause physical damage, said Sciemus Chief Executive Rick Welsh.
Security experts have warned for several years that a cyber attack could cause power outages due to the growing reliance on computer technology in plants that is accessible from the Internet.
In the Ukraine attack, hackers likely gained control of systems remotely, then switched breakers to cut power, according to an analysis by the Washington-based SANS Institute. Ukraine's state security service blamed Russia for the attack, while U.S. cyber firm iSight Partners linked it to a Russian hacking group known as Sandworm Team.
Utilities are now trying to determine if they have insurance to cover these kinds of attacks, and if not, whether they need it, said Patrick Miller, founder of the Energy Sector Security Consortium, an industry group that shares information on cyber threats.
American Electric Power Company Inc (AEP.N), Duke Energy Corp (DUK.N), Nextera Energy Inc (NEE.N) and PG&E Corp (PCG.N) are among publicly-traded utility companies that have warned of their exposure to cyber risks in their most recent annual reports to securities regulators, and that their insurance coverage might not cover all expenses related to an attack.
Representatives with AEP, Duke and PG&E declined to disclose the limits of their insurance. Officials with Nextera could not be reached for comment.
The potential costs of an attack in the United States are huge. Last year Lloyd's and the University of Cambridge released a 65-page study estimating that simultaneous malware attacks on 50 generators in the Northeastern United States could cut power to as many as 93 million people, resulting in at least $243 billion in economic damage and $21 billion to $71 billion in insurance claims.
The study called such a scenario improbable but "technologically possible."
There are precedents, including the 2010 'Stuxnet' attack that damaged centrifuges at an Iranian uranium enrichment facility and the 2012 'Shamoon' campaign that crippled business operations at Saudi Aramco and RasGas by wiping drives on tens of thousands of PCs.
In late 2014, the German government reported that hackers had damaged an unnamed steel mill, the first attack that damaged industrial equipment. Details remain a mystery.
AMBIGUITY OVER COVERAGE
"It's getting a little competitive just to get a carrier quoting your policy," said Lynda Bennett, an attorney with Lowenstein Sandler, who helps businesses negotiate insurance. Some insurers have cut back on cyber coverage in response to the increase in the number and types of breaches, she added.
American International Group Inc (AIG.N), for example, will only write cyber policies over $5 million for a power utility after an in-depth review of its technology, including the supervisory control and data acquisition (SCADA) systems that remotely control grid operations.
"There are companies that we have walked away from providing coverage to because we had concerns about their controls," said AIG executive Tracie Grella.
AIG and AEGIS declined to discuss pricing of policies. It seems likely they will find coverage more in demand after the Ukraine attack.
"A lot more companies will be asked by their stakeholders internally: Do we have coverage for this type of thing?" said Robert Wice, an executive with Beazley Plc, which offers cyber insurance. "Whether they actually start to buy more or not will depend on pricing."
(Reporting by Jim Finkle; Additional reporting by Rory Carroll; Editing by Bill Rigby)