Escalating Threats to Critical Infrastructure

UNDER THE RADAR:
LEGAL RESPONSIBILITIES ARISING FROM
CYBER THREATS AND SEVERE IMPACTS TO THE GRID
by
Roland L. Trope
Trope and Schramm LLP
Stephen J. Humes
Holland & Knight
For
Edison Electric Institute Spring Legal Conference
© Copyright 2013 Roland L. Trope and Stephen J. Humes. All Rights Reserved.
DISCLAIMER:
VIEWS EXPRESSED ARE SOLELY THOSE OF THE AUTHORS,
AND HAVE NOT BEEN REVIEWED OR APPROVED BY,
AND SHOULD NOT BE ATTRIBUTED TO –
THE U.S. MILITARY ACADEMY,
THE DEPARTMENT OF THE ARMY,
THE DEPARTMENT OF DEFENSE, OR
THE U.S. GOVERNMENT.
OVERVIEW
Emerging Responsibilities
• Causes:
  – Escalating threats to critical infrastructure
  – Regulatory standards and enforcement
  – Executive Order (EO) 13636
  – NERC Task Force guidance (May 2012)
Questions for Boards, C-Officers, and Counsel
1. Are we prepared to receive DHS cyber intel reports?
2. Do we need to revise our response plans for a coordinated cyber attack?
3. Do our disaster recovery plans cover a “Severe Cyber Impact”?
4. Are there new legal issues we need to address?
ESCALATING THREATS TO CRITICAL INFRASTRUCTURE
TIMELINE – Escalating Threats to Critical Infrastructure (axis: 2009–2014)
EVENTS IN U.S.:
• China’s “Comment Group” penetrates Diablo Canyon nuclear plant
EVENTS OVERSEAS:
• Stuxnet damages Iranian uranium enrichment centrifuges
Recent Attack Record: Diablo Canyon
• Plant operated by Pacific Gas & Electric Co.
• Reportedly breached computer of senior nuclear planner
• No solid indication of data stolen
• Attempting “to identify … security of U.S. nuclear power generation facilities.”
TIMELINE – Escalating Threats to Critical Infrastructure (axis: 2012 – APR, AUG, SEPT, DEC)
EVENTS IN U.S.:
• Iranian cyberattacks on Citigroup, Wells Fargo, Bank of America, and U.S. Bank
EVENTS OVERSEAS:
• Iranian cyberattacks on Aramco wipe out hard drives on 55,000 PCs – ¾ of Aramco’s corporate PCs
DHS OIG Report 2013
Security of Industrial Control Systems (ICS)
“A recent survey in the energy sector revealed that a majority of the companies in the sector had experienced cyber attacks, and about 55 percent of these attacks targeted ICS.”
“A successful cyber attack on ICS may result in physical damage, loss of life, and cascading effects that could disrupt services.”
THREAT ASSESSMENT 2013
• Increasing risk to U.S. critical infrastructure
• During next 2 years – remote chance an attack would result in “long-term, wide-scale disruption of services, such as a regional power outage”
THREAT ASSESSMENT 2013
• But “isolated state or nonstate actors … could access some poorly protected US networks that control core functions, such as power generation …”
REGULATORY STANDARDS AND ENFORCEMENT
TIMELINE – Regulatory Standards and Enforcement (axis: 2005–2012)
FERC EVENTS:
• EPAct ’05 enacted; §1211 became §215 of the FPA; FERC to oversee mandatory reliability standards for the bulk power grid
• FERC Order 706 approves first CIP Standards
• FERC rejects business judgment rule as part of CIP standards
• FERC approves NERC CIP Standards, Version 3 and Version 4
NERC EVENTS:
• NERC certified as electric reliability organization
CIP Standards Enforcement
• FY2012: FERC staff participated in regional audits of owners, users, and operators of the bulk power system per Order No. 706
• Audited compliance with CIP Reliability Standards
CIP Standards Enforcement
• 152 violations of CIP Reliability Standards (CIP-002 through CIP-009)
• NERC cited 279 other violations of CIP Reliability Standards – led to $6,490,499 in proposed penalties
• Largest single penalty assessed was $400,000
TIMELINE – Events Leading Up to EO 13636 (axis: 2011–2013; markers SEPT, AUG, NOV, FEB, APR)
EVENTS IN EXECUTIVE BRANCH:
• SEC Staff issues Cybersecurity Disclosure Guidance
• White House circulates draft Executive Order
• White House circulates revised draft EO
• President issues Executive Order 13636 (FEB 2013)
EVENTS IN LEGISLATIVE BRANCH:
• Senate votes down proposed cybersecurity bill
• Senate votes down proposed cybersecurity bill (second vote)
EXECUTIVE ORDER 13636 (FEB 12, 2013)
EXECUTIVE ORDER 13636
Risk Assessment
“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.”
EXECUTIVE ORDER 13636
Standards
• Purpose:
  – Help owners and operators “identify, assess and manage cyber risks”
• Direction:
  – NIST to coordinate development of “Cybersecurity Framework”
• Results:
  – A set of “voluntary consensus-based standards and industry best practices”
EXECUTIVE ORDER 13636
Standards
• Caution:
  – Participation is “voluntary”
  – But EO envisions Framework as a metric for judging a company’s cybersecurity
  – Sec. 7(b): It “shall include guidance for measuring the performance of an entity in implementing” the Framework
Andy Ozment, White House Senior Director for Cybersecurity (FEB 28, 2013)
• Strategy of “Framework”:
  – “[S]ome regulators need to improve, and we will ask them to consider the Framework and issue new regulations”
EXECUTIVE ORDER 13636
Information Sharing
• Kinds of Federal Cyber Intel:
  1. Classified – shared through participation in Enhanced Cybersecurity Services
  2. Unclassified – Imminent Target Notices
  3. Confidential – Catastrophic Target Notices
IMMINENT TARGET NOTICES
  – “unclassified reports of cyber threats to U.S. homeland that identifies a specific targeted entity”
  – Deliver to targeted entity
CATASTROPHIC TARGET NOTICES
  – Identify “where a cybersecurity incident could reasonably result in catastrophic regional or national effects”
  – Confidentially notify owners & operators
  – Provide them with basis for determination
Questions for Boards, C-Officers, and Counsel
1. Are we prepared to receive DHS cyber intel reports?
BEFORE YOU RECEIVE IMMINENT TARGET NOTICES
• Basic Questions re Receipt, Review, & Action
  – Who receives it?
  – Who reviews it?
  – Who decides what actions we should take?
  – Who will document what we do with it?
BEFORE YOU RECEIVE IMMINENT TARGET NOTICES
• Questions re Content and Timing
  – What information will Notice provide?
  – What will it withhold?
  – How far ahead of attack will it arrive?
Andy Ozment, White House Senior Director for Cybersecurity (FEB 28, 2013)
• “When you get the information, you will see that much of it is fragmentary and vague.”
• “We may say your sector faces an unknown type of attack, at an unknown time, and of unknown intensity, and we can’t tell you more than that or how to use it.”
BEFORE YOU RECEIVE IMMINENT TARGET NOTICES
• Basic Questions re Protecting and Sharing Intel
  – How will we safeguard the intel?
  – What stakeholders should we notify?
    · NERC and State Regulators
    · Customers and Suppliers
    · Banks and Insurers
    · Investors – SEC filing
  – Who will speak to media and social media?
  – How will we prevent “leaks” to media and social media?
Focus Preparedness on Severe Event Impact
Source: NERC Cyber Attack Task Force Final Report
Board of Trustees Accepted: May 9, 2012
3353 Peachtree Road NE, Suite 600, North Tower, Atlanta, GA 30326
404-446-2560 | www.nerc.com
NERC GUIDE ON WARNINGS (Cyber Attack Task Force Final Report)
NERC TASK FORCE GUIDANCE FOR RECEIPT OF THREAT WARNINGS
“If there is warning of a possible attack …, operating entities may want to consider staffing each of the sites where it has some operating capability. In the event that any one or multiple sites are damaged the remaining facility may be able to take control, if only partially.”
NERC GUIDE ON WARNINGS (Cyber Attack Task Force Final Report)
NERC TASK FORCE GUIDANCE FOR RECEIPT OF THREAT WARNINGS
“In an environment of heightened cyber threat, operating entities may consider not keeping [primary and backup control centers] … synchronized and using different sets of cyber controls and hardware to ensure that both centers do not have common vulnerabilities to potential cyber threats.”
WHAT SHOULD WE DO WITH THE INTEL?
• Consider what’s changed
• View it post-attack
• Can’t say “attack wasn’t foreseeable”
  – You received federal cyber intel
  – DHS Notice “put you on notice”
• Can’t say “we didn’t anticipate damage to others”
  – Inaction – inexcusable
  – Lack of preparedness – indefensible
WHAT SHOULD WE DO WITH THE INTEL?
• “Hurricane Sandy” test
  – Can’t be blamed for coordinated cyber attack
  – Will be judged chiefly on –
    · Resilience to disruption
    · Preparedness for recovery
    · Speed and extent of restored operations
Questions for Boards, C-Officers, and Counsel
2. Do we need to revise our response plans for a coordinated cyber attack?
3. Do our disaster recovery plans cover a “Severe Cyber Impact”?
Severe Impact
• An emergency situation so catastrophic that complete restoration of electric service is not possible.
• Preparedness aims at graceful degradation.
• The BPS (bulk power system) is operated at a reduced state of reliability and supply for months or possibly years through the New Normal period.
SEVERE INCIDENT RESPONSE: Challenges
• Do your plans cover “worst case” of a Severe Incident?
  – Analogy: Events of Nature become much worse when the ocean is involved
  – Examples: Hurricane Sandy’s “tidal surge”; Tōhoku earthquake’s “tsunami”
  – Like the ocean, “Advanced Persistent Attacks” add magnitude, complexity, and severity
  – Other critical infrastructure – like cellular service – will probably be overwhelmed (as in Boston after bombing) – plan to use text messages
SEVERE INCIDENT RESPONSE: Challenges (Cyber Attack Task Force Final Report)
• Do your plans:
  – Require scenario-based – and stress-tested – drills
    · Model on USN’s “damage control” drills
  – Test resourcefulness by removing key people and resources
  – “[p]repare staff on the potential confusion and hesitation which is inherent in an ongoing security incident”
SEVERE INCIDENT RESPONSE: “Graceful Degradation” (Cyber Attack Task Force Final Report)
• Do your plans cover Isolation, Islands, and Survivability:
  – Provide for “trying to maintain reliable operations in a reduced state for as long as possible”
SEVERE INCIDENT RESPONSE: “Graceful Degradation” (Cyber Attack Task Force Final Report)
• Do your plans cover Islanding:
  – Provide strategies for –
    · Reduced monitoring
    · Reduced situational awareness
    · Loss of Internet
    · Re-charging of cell phones, tablets and other devices
    · Options to communicate with customers – Twitter, Facebook
SEVERE INCIDENT RESPONSE: Use of Twitter (Assumes Internet is Operational)
SEVERE INCIDENT RESPONSE: Investigation and Forensics (Cyber Attack Task Force Final Report)
• Key element – preserve forensic data
• Keep detailed records – more information generally better than less
• Verify that all system clocks are synchronized
• Seek Board approval for internal investigation by outside counsel – obtains maximum coverage of privilege
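Two of the forensic points on this slide, preserving forensic data and verifying that system clocks are synchronized, lend themselves to a concrete check. The Python script below is an added example written for this page; it is not code from the NERC task force report or from the deck's authors. The host names, log lines and evidence files in it are constructed, and the five-second skew tolerance is an assumed value. It builds a SHA-256 manifest over a directory of preserved evidence so that any later alteration is detectable, and it compares the timestamps three hosts wrote for the same event to flag a host whose clock is out of step, since an unsynchronized clock silently corrupts any incident timeline reconstructed from those logs.

```python
"""Added example for the forensics slide (not from the NERC report or the
deck's authors): preserve evidence with a hash manifest and check that the
hosts whose logs you rely on agree on the time. All names and data below
are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample: one event (heartbeat seq=1001) as logged by three hosts.
# Each line starts with the timestamp that host's own clock produced.
SAMPLE_LOGS = [
    ("historian-a", "2013-04-18T14:00:00Z heartbeat seq=1001"),   # reference clock
    ("ems-primary", "2013-04-18T14:00:02Z heartbeat seq=1001"),   # 2 s ahead: fine
    ("dc01",        "2013-04-18T13:57:40Z heartbeat seq=1001"),   # 140 s behind: flag
]


def parse_ts(line):
    """Parse the leading ISO-8601 UTC timestamp of a log line."""
    stamp = line.split(" ", 1)[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def clock_skew_report(logs, tolerance_seconds=5):
    """Compare each host's timestamp for a shared event against the first host.

    Returns {host: {"offset_seconds": float, "within_tolerance": bool}}.
    A negative offset means that host's clock runs behind the reference.
    The 5-second tolerance is an assumed value, not one the slides give."""
    _, ref_line = logs[0]
    ref_ts = parse_ts(ref_line)
    report = {}
    for host, line in logs:
        offset = (parse_ts(line) - ref_ts).total_seconds()
        report[host] = {"offset_seconds": offset,
                        "within_tolerance": abs(offset) <= tolerance_seconds}
    return report


def sha256_file(path):
    """Stream a file through SHA-256 so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collected_by):
    """Hash every file in evidence_dir; keep the manifest apart from the evidence itself."""
    files = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            files.append({"file": name, "size": os.path.getsize(path),
                          "sha256": sha256_file(path)})
    return {"collected_by": collected_by,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "files": files}


def verify_manifest(evidence_dir, manifest):
    """Return the names of files that are missing or no longer match their recorded hash."""
    changed = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            changed.append(entry["file"])
    return changed


def demo():
    """Build a manifest over constructed evidence, then show that a later edit is caught."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence-")
    for host, line in SAMPLE_LOGS:
        with open(os.path.join(evidence_dir, f"{host}.log"), "w") as f:
            f.write(line + "\n")
    manifest = build_manifest(evidence_dir, collected_by="IR team (constructed)")
    intact = verify_manifest(evidence_dir, manifest)          # [] : nothing changed yet
    with open(os.path.join(evidence_dir, "dc01.log"), "a") as f:
        f.write("2013-04-18T13:57:41Z edited after collection\n")  # simulated alteration
    tampered = verify_manifest(evidence_dir, manifest)        # ["dc01.log"]
    return intact, tampered, json.dumps(manifest, indent=2)


if __name__ == "__main__":
    for host, r in clock_skew_report(SAMPLE_LOGS).items():
        print(f"{host:12s} offset={r['offset_seconds']:+.0f}s ok={r['within_tolerance']}")
    intact, tampered, manifest_json = demo()
    print("before edit:", intact, " after edit:", tampered)
    print(manifest_json)
```

In practice the manifest would be signed or stored on write-once media and the collector's identity recorded at collection time; the skew check is only meaningful when the reference host is itself disciplined to a trusted time source, which is the condition the slide's "verify that all system clocks are synchronized" point is really about.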
Recovery during “New Normal” (Cyber Attack Task Force Final Report)
• Do your plans:
  – Define “critical” and “priority” loads for system restoration and managing load shedding
Recovery during “New Normal” (Cyber Attack Task Force Final Report)
• Do your plans cover:
  – Loss of primary and backup control centers?
  – Operating at a remote and physically secure alternate site?
Questions for Boards, C-Officers, and Counsel
4. Are there new legal issues we need to address?
SEVEN PRIORITY CONCERNS (APR 2013 – APR 2014)
SEVEN PRIORITY CONCERNS
1. Responsibilities for response and recovery will increase.
  – When DHS starts issuing
    · IMMINENT TARGET NOTICES
    · CATASTROPHIC TARGET NOTICES
  – When DHS reviews Cybersecurity Framework
  – When threat assessments and incidents intensify
SEVEN PRIORITY CONCERNS
2. Information sharing agreements will need to be drafted and/or updated
  – For threat warnings
  – For Severe Impacts
  – For third-party access to company sensitive data
  – To address necessary disclosures despite NDAs
SEVEN PRIORITY CONCERNS
3. Incident response plans will need new sections
  – For ensuring orderly “graceful degradations” of operations
  – For seeking Federal assistance against cyberattack
  – To report NERC CIP-Standards violations – seek waivers?
  – For insurance notifications and coverage
SEVEN PRIORITY CONCERNS
4. Recovery plans will need new sections
  – For months/years of New Normal “degraded operations”
  – Disclosures to:
    · SEC
    · State regulators
    · Customers and suppliers
  – Update mutual assistance agreements
SEVEN PRIORITY CONCERNS
5. To what extent will you adopt NIST’s Cybersecurity Framework standards?
  – Will the “Framework” include some standards that exceed NERC CIP Standards?
  – “Best practices” always surpass minimum standards
  – Reputational damage if you avoid or delay adoption (e.g., what if you postpone until after a Severe Impact?)
SEVEN PRIORITY CONCERNS
6. How will you position your company to defend against alleged violations of:
  – Multiple applicable versions of NERC CIP standards
  – NERC compliance and enforcement audits
  – Lawsuits – stakeholders alleging damages under New Normal
    · E.g., customers not receiving restored power on priority basis
    · Rate recovery of cybersecurity investment and recovery costs
SEVEN PRIORITY CONCERNS
7. Company legal strategies will need to be updated to reflect changing attitudes by courts and regulators
Patco Construction Co. v. People’s United Bank (1st Cir. 2012)
  – Over 7 days, Bank authorized fraudulent transfers of $588,851, ignored red flags of timing, value, and location
  – Bank’s security held not “commercially reasonable”
  – If you’re in best position to provide security, must do so
SEVEN PRIORITY CONCERNS
FTC v. HTC America (settlement), FEB 2013
  – HTC America failed to employ reasonable and appropriate security practices in design of software for mobile devices
  – Failed to test software to identify vulnerabilities
  – Security assessments every other yr. for 20 yrs.
  – Software vendors may become liable for vulnerabilities
QUESTIONS
REPORTING REQUIREMENTS
• EOP-004: Event Reporting standard – within 24 hrs.
• CIP-001-2a: Sabotage Report – to Interconnection parties, and FBI or RCMP
• CIP-008: Cyber Security – all reportable Cyber Security Incidents reported to ES-ISAC