January 20, 2021

Operational Technology Cyber Risk in the Energy Sector

Share

cybersecurity imageOn January 26, 2021, members of the Mayer Brown cybersecurity and data privacy practice will be joined by members of Dragos—a leading industrial security firm—to describe practical steps that members of the energy sector—and other relevant businesses—can take to mitigate cyber risks to operational technology. The webinar – Managing OT Cyber Risk: Lessons from the Front Lines – will discuss how legal teams can work with other stakeholders in their businesses to manage associated legal risk.

The energy sector faces significant and growing cyber threats. In particular, many businesses in the energy sector operate safety critical machinery that is increasingly connected—and subject to cyber attacks. Whether located on an oil rig, in the electric grid, at a refinery, or on a pipeline, these systems—often referred to as “Operational Technology” or “Industrial Control Systems”—sit at the backbone of countless critical processes in the energy sector. Cyber threats to these systems continue to grow, including from highly sophisticated nation-state actors. Potential attacks against these systems threaten to stop production, impair the integrity of safety-critical systems or even cause physical damage or personal injury. The corresponding legal risks facing the energy sector, whether from litigation or regulatory action, are equally significant and will continue to grow in the coming years.

Practical challenges often complicate energy companies’ response to these cyber threats. Industrial systems have significantly different profiles than enterprise information technology systems, including because they are harder to update in light of their up-time requirements, difficult (if not impossible) to replace because of their cost, and because they have far longer lifetimes. Companies also often have far less visibility across their industrial networks and lack many of the tools—including intrusion detection software and robust logging—that are routinely available in the enterprise information technology context. Likewise, internal plans and policies may not be well-suited to address emerging cyber threats to operational technology. Business continuity or disaster recovery plans may not address an appropriately broad range of scenarios, for example, and data breach response plans are likely to focus on data security. Similarly, vulnerability management, penetration testing, or other policies employed in the enterprise cybersecurity context may either be inapposite or inapplicable to a company’s operational security risk management.

Businesses in the energy sector nonetheless can take practical steps to mitigate these significant risks—and corporate legal teams have an important role to play. Effective collaboration between legal, security and business teams can significantly reduce risks to businesses in the wake of a cyber incident involving operational technology. Likewise, close coordination between legal, security and business stakeholders before incidents occur—including through internal risk assessments, vulnerability management and tabletop exercises—can reduce future legal risk.

The webinar taking place on January 26 – Managing OT Cyber Risk: Lessons from the Front Lines – will discuss how legal teams can work with other stakeholders in their businesses to manage associated legal risk, including through:

  • Managing legal privilege in the context of operational technology cybersecurity;
  • Best practices for engagement between operational security teams and other stakeholders;
  • Effective preparation for industrial cyber incidents; and
  • Opportunities for ongoing collaboration between operational security and legal teams.

For more details about the Webinar, please follow this link.

Related Services & Industries

Industries

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe