Cyberattacks are painful and costly for asset owners and investors. By exploiting security flaws that disrupt the integrity or supply of energy, water, transport, communication and social facilities, attacks on the infrastructure sector can be particularly devastating. Infrastructure attacks are more common than we realise. A denial of service cyberattack on a large US wind and solar platform in 2019 was only made public through a freedom of information request.
Rules stipulating mandatory breach notifications, such as the EU’s General Data Protection Regulation, are focused on personal data and often do not apply to ‘data-less’ infrastructure assets, which can mean the issue is not as high on investors’ consciousness.
Many infrastructure assets are on the frontline when it comes to cybercrime and nation-state backed cyber warfare. In 2015, hackers remotely logged into the Supervisory Control and Data Acquisition (SCADA) network that controlled part of Ukraine’s power grid, shutting off power for almost a quarter of a million customers. Forensic experts involved in the investigation later said that the attackers had overwritten the firmware on critical devices at 16 substations, leaving them unresponsive to remote management for months after the attack. Here’s the rub: at the time, Ukraine’s power grid was better secured than many in Western economies.
Security by design and default
Digitisation exposes the sector to the same spectrum of risks, challenges and opportunities that traditionally online operating models have long faced. However, investors can gain a competitive advantage by using new cyber-enabled strategies that preserve and enhance value across the asset lifecycle:
Cybersecurity can be built into the DNA of a project during the development stage in order to protect the asset through the construction and operational phases. Predictive cyber threat modelling can quantify losses and determine the level of investment in security that is required at each stage. The establishment of good risk governance will enable investors to consciously accept, mitigate or transfer all the current and future cyber risks that are identified.
Professional cyber due diligence will determine whether a business has already been compromised and, if not, how effective its cybersecurity estate is. Assets that handle personal data regulated under, for example, the EU’s GDPR will require a specialist focus if the investor is to avoid punitive losses. Investors should also establish whether additional cybersecurity investment is required and use the findings in their sale and purchase agreements, warranties and deal strategies. The required cyber remediation should be determined during the first 100 days of ownership.
Board members should ask how many cyber incidents the organisation has had over the previous 12 months. If the answer is ‘none’ or ‘don’t know’, this should be a cause for concern. The organisation should undertake a comprehensive review of the financial impact of cyber threats and of the improvements that can be executed cost-effectively.
Cybersecurity should be a financial conversation, not a technical one. Investors have a strategic role in building safer and more resilient connected infrastructure. Start from the premise that cyberattacks will take place and that they may have occurred already.
Ian McCaw is head of cyber M&A and Charlie Garrood is head of infrastructure, EMEA, at Aon