1 UNDER THE RADAR: LEGAL RESPONSIBILITIES ARISING FROM CYBER THREATS AND SEVERE IMPACTS TO THE GRID
by Stephen J. Humes, Holland & Knight, and Roland L. Trope, Trope and Schramm LLP
© Copyright 2013 Roland L. Trope and Stephen J. Humes. All Rights Reserved.
For Edison Electric Institute Spring Legal Conference

2 DISCLAIMER: VIEWS EXPRESSED ARE SOLELY THOSE OF THE AUTHORS, AND HAVE NOT BEEN REVIEWED OR APPROVED BY, AND SHOULD NOT BE ATTRIBUTED TO, THE U.S. MILITARY ACADEMY, THE DEPARTMENT OF THE ARMY, THE DEPARTMENT OF DEFENSE, OR THE U.S. GOVERNMENT.

3 OVERVIEW: Emerging Responsibilities
Causes:
- Escalating threats to critical infrastructure
- Regulatory standards and enforcement
- Executive Order (EO) 13636
- NERC Task Force guidance (May 2012)

4 Questions for Boards, C-Officers, and Counsel
1. Are we prepared to receive DHS cyber intel reports?
2. Do we need to revise our response plans for a coordinated cyber attack?
3. Do our disaster recovery plans cover a "Severe Cyber Impact"?
4. Are there new legal issues we need to address?

5 ESCALATING THREATS TO CRITICAL INFRASTRUCTURE

6 TIMELINE – Escalating Threats to Critical Infrastructure (2009–2014)
Events in U.S.: China's "Comment Group" penetrates Diablo Canyon nuclear plant
Events overseas: Stuxnet damages Iranian uranium enrichment centrifuges

7 Recent Attack Record: Diablo Canyon Plant, operated by Pacific Gas & Electric Co.
- Reportedly breached computer of senior nuclear planner
- No solid indication of data stolen
- Attackers attempting "to identify … security of U.S. nuclear power generation facilities."

8 TIMELINE – Escalating Threats to Critical Infrastructure (2012; axis ticks APR, AUG, SEPT, DEC)
Events in U.S. (SEPT): Iranian cyberattacks on Citigroup, Wells Fargo, Bank of America, and U.S. Bank
Events overseas (AUG): Iranian cyberattacks on Aramco wipe out hard drives on 55,000 PCs – three-quarters of Aramco's corporate PCs


10 DHS OIG Report 2013 – Security of Industrial Control Systems (ICS)
"A recent survey in the energy sector revealed that a majority of the companies in the sector had experienced cyber attacks, and about 55 percent of these attacks targeted ICS."
"A successful cyber attack on ICS may result in physical damage, loss of life, and cascading effects that could disrupt services."


12 THREAT ASSESSMENT 2013: Increasing risk to U.S. critical infrastructure. During the next 2 years, a remote chance that an attack would result in "long-term, wide-scale disruption of services, such as a regional power outage"

13 THREAT ASSESSMENT 2013: But "isolated state or nonstate actors … could access some poorly protected US networks that control core functions, such as power generation …"

14 REGULATORY STANDARDS AND ENFORCEMENT

15 TIMELINE – Regulatory Standards and Enforcement (FERC events / NERC events)
2005: EPAct '05 enacted; §1211 became §215 of the FPA; FERC to oversee mandatory reliability standards for the bulk power grid
2006: NERC certified as electric reliability organization
2008: FERC Order 706 approves first CIP Standards
2009: FERC rejects business judgment rule as part of CIP standards
2010: FERC approves NERC CIP Standards, Version 3
2012: FERC approves NERC CIP Standards, Version 4

16 CIP Standards Enforcement: In FY2012, FERC staff participated in regional audits of owners, users, and operators of the bulk power system per Order No. 706; audited compliance with CIP Reliability Standards

17 CIP Standards Enforcement: 152 violations of CIP Reliability Standards (CIP-002 through CIP-009). NERC cited 279 other violations of CIP Reliability Standards, leading to $6,490,499 in proposed penalties; largest single penalty assessed was $400,000.

18 TIMELINE – Events Leading Up to EO 13636 (Executive Branch events / Legislative Branch events)
2011: SEC Staff issues Cybersecurity Disclosure Guidance
AUG 2012: Senate votes down proposed cybersecurity bill
SEPT 2012: White House circulates draft Executive Order
NOV 2012: Senate again votes down proposed cybersecurity bill; White House circulates revised draft EO
FEB 2013: President issues Executive Order 13636

19 EXECUTIVE ORDER 13636, FEB 12, 2013

20 EXECUTIVE ORDER 13636 – Risk Assessment: "Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity."

21 EXECUTIVE ORDER 13636 – Standards
Purpose: Help owners and operators "identify, assess and manage cyber risks"
Direction: NIST to coordinate development of "Cybersecurity Framework"
Results: A set of "voluntary consensus-based standards and industry best practices"

22 EXECUTIVE ORDER 13636 – Standards
Caution:
- Participation is "voluntary"
- But EO envisions Framework as a metric for judging a company's cybersecurity
- Sec. 7(b): It "shall include guidance for measuring the performance of an entity in implementing" the Framework

23 Andy Ozment, White House Senior Director for Cybersecurity, FEB 28, 2013 – Strategy of "Framework": "[S]ome regulators need to improve, and we will ask them to consider the Framework and issue new regulations"

24 EXECUTIVE ORDER 13636 – Information Sharing
Kinds of Federal Cyber Intel:
1. Classified – shared through participation in Enhanced Cybersecurity Services
2. Unclassified – Imminent Target Notices
3. Confidential – Catastrophic Target Notices

25 IMMINENT TARGET NOTICES
- "unclassified reports of cyber threats to U.S. homeland that identifies a specific targeted entity"
- Delivered to the targeted entity

26 CATASTROPHIC TARGET NOTICES
- Identify "where a cybersecurity incident could reasonably result in catastrophic regional or national effects"
- Confidentially notify owners and operators
- Provide them with the basis for the determination

27 Questions for Boards, C-Officers, and Counsel
1. Are we prepared to receive DHS cyber intel reports?

28 BEFORE YOU RECEIVE IMMINENT TARGET NOTICES – Basic Questions re Receipt, Review, and Action
- Who receives it?
- Who reviews it?
- Who decides what actions we should take?
- Who will document what we do with it?

29 BEFORE YOU RECEIVE IMMINENT TARGET NOTICES – Questions re Content and Timing
- What information will the Notice provide?
- What will it withhold?
- How far ahead of the attack will it arrive?

30 Andy Ozment, White House Senior Director for Cybersecurity, FEB 28, 2013: "When you get the information, you will see that much of it is fragmentary and vague." "We may say your sector faces an unknown type of attack, at an unknown time, and of unknown intensity, and we can't tell you more than that or how to use it."

31 BEFORE YOU RECEIVE IMMINENT TARGET NOTICES – Basic Questions re Protecting and Sharing Intel
- How will we safeguard the intel?
- What stakeholders should we notify? NERC and State regulators; customers and suppliers; banks and insurers; investors (SEC filing)
- Who will speak to media and social media?
- How will we prevent "leaks" to media and social media?

32 Focus Preparedness on Severe Event Impact

33 NERC GUIDE ON WARNINGS – NERC TASK FORCE GUIDANCE FOR RECEIPT OF THREAT WARNINGS: "If there is warning of a possible attack …, operating entities may want to consider staffing each of the sites where it has some operating capability. In the event that any one or multiple sites are damaged the remaining facility may be able to take control, if only partially."

34 NERC GUIDE ON WARNINGS – NERC TASK FORCE GUIDANCE FOR RECEIPT OF THREAT WARNINGS: "In an environment of heightened cyber threat, operating entities may consider not keeping [primary and backup control centers] … synchronized and using different sets of cyber controls and hardware to ensure that both centers do not have common vulnerabilities to potential cyber threats."

35 WHAT SHOULD WE DO WITH THE INTEL? Consider what's changed; view it post-attack.
Can't say "attack wasn't foreseeable":
- You received federal cyber intel
- DHS Notice "put you on notice"
Can't say "we didn't anticipate damage to others":
- Inaction – inexcusable
- Lack of preparedness – indefensible

36 WHAT SHOULD WE DO WITH THE INTEL? The "Hurricane Sandy" test:
- Can't be blamed for a coordinated cyber attack
- Will be judged chiefly on resilience to disruption, preparedness for recovery, and speed and extent of restored operations

37 Questions for Boards, C-Officers, and Counsel
2. Do we need to revise our response plans for a coordinated cyber attack?
3. Do our disaster recovery plans cover a "Severe Cyber Impact"?

38 Severe Impact: An emergency situation so catastrophic that complete restoration of electric service is not possible. Preparedness aims at graceful degradation: the BPS is operated at a reduced state of reliability and supply for months or possibly years through the "New Normal" period.

39 SEVERE INCIDENT RESPONSE – Challenges: Do your plans cover the "worst case" of a Severe Incident?
- Analogy: Events of Nature become much worse when the ocean is involved
- Examples: Hurricane Sandy's "tidal surge"; Tōhoku earthquake's "tsunami"
- Like the ocean, "Advanced Persistent Attacks" add magnitude, complexity, and severity
- Other critical infrastructure, such as cellular service, will probably be overwhelmed (as in Boston after the bombing); plan to use text messages

40 SEVERE INCIDENT RESPONSE – Challenges: Do your plans:
- Require scenario-based, stress-tested drills
- Model on the USN's "damage control" drills
- Test resourcefulness by removing key people and resources
- "[P]repare staff on the potential confusion and hesitation which is inherent in an ongoing security incident"

41 SEVERE INCIDENT RESPONSE – "Graceful Degradation": Do your plans cover Isolation, Islands, and Survivability? Provide for "trying to maintain reliable operations in a reduced state for as long as possible"

42 SEVERE INCIDENT RESPONSE – "Graceful Degradation": Do your plans cover Islanding? Provide strategies for:
- Reduced monitoring
- Reduced situational awareness
- Loss of Internet
- Re-charging of cell phones, tablets and other devices
- Options to communicate with customers (Twitter, Facebook)

43–44 SEVERE INCIDENT RESPONSE – Use of Twitter (Assumes Internet is Operational) [two slides of screenshots]

45 SEVERE INCIDENT RESPONSE – Investigation and Forensics
- Key element: preserve forensic data
- Keep detailed records; more information is generally better than less
- Verify that all system clocks are synchronized
- Seek Board approval for an internal investigation by outside counsel, which obtains maximum coverage of privilege
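The clock-synchronization item above matters because a forensic timeline merges logs from many devices (EMS historians, substation RTUs, firewalls) whose clocks may have drifted. The following is an added example, not part of the presentation or any NERC/DHS material: it takes per-source clock offsets measured against a trusted reference, corrects each log timestamp to reference UTC, flags sources whose skew exceeds a tolerance, and sorts the corrected events. The source names, offsets, tolerance and log lines are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: per-source clock offset (seconds) measured against a
# trusted reference clock, e.g. from an NTP query during evidence collection.
# Positive means the source clock runs fast. Names and values are hypothetical.
CLOCK_OFFSETS_SEC = {
    "ems-historian": 0.2,
    "substation-rtu-07": 94.0,   # never synchronized; drifted ~1.5 minutes
    "firewall-dmz": -1.1,
}

# Sources whose measured skew exceeds this are reported before building a timeline.
SKEW_TOLERANCE_SEC = 5.0

# Constructed log lines: "<source> <local ISO-8601 timestamp> <message>".
SAMPLE_LOG = """\
ems-historian 2013-04-10T14:02:10 operator login from hmi-3
substation-rtu-07 2013-04-10T14:04:55 config write from 10.1.7.20
firewall-dmz 2013-04-10T14:02:40 allow 10.1.7.20 -> 10.1.7.55:20000
substation-rtu-07 2013-04-10T14:03:30 unexpected DNP3 function code
"""


def parse_line(line):
    """Split one log line into (source, naive local datetime, message)."""
    source, stamp, message = line.split(" ", 2)
    return source, datetime.fromisoformat(stamp), message


def to_reference_utc(source, local):
    """Correct a source-local timestamp by that source's measured clock offset.

    A fast clock (positive offset) stamped the event later than it happened,
    so the offset is subtracted. Unknown sources are an error, not a guess.
    """
    if source not in CLOCK_OFFSETS_SEC:
        raise KeyError(f"no measured clock offset for {source}")
    corrected = local - timedelta(seconds=CLOCK_OFFSETS_SEC[source])
    return corrected.replace(tzinfo=timezone.utc)


def skewed_sources(offsets=CLOCK_OFFSETS_SEC, tolerance=SKEW_TOLERANCE_SEC):
    """Return sources whose clock skew exceeds the tolerance, sorted by name."""
    return sorted(s for s, off in offsets.items() if abs(off) > tolerance)


def build_timeline(log_text):
    """Return [(corrected UTC datetime, source, message)] in true time order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        source, local, message = parse_line(line)
        events.append((to_reference_utc(source, local), source, message))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    print("sources needing clock correction:", skewed_sources())
    for when, source, message in build_timeline(SAMPLE_LOG):
        print(when.isoformat(), source, message)
```

In the constructed sample the raw log order puts the RTU's "unexpected DNP3 function code" after the operator login, but once the RTU's 94-second skew is removed it is the earliest event, which changes the story the timeline tells. Record the measured offsets alongside the evidence, because the correction is only as defensible as the measurement it rests on.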

46 Recovery during "New Normal": Do your plans define "critical" and "priority" loads for system restoration and managing load shedding?

47 Recovery during "New Normal": Do your plans cover loss of primary and backup control centers? Operating at a remote and physically secure alternate site?

48 Questions for Boards, C-Officers, and Counsel
4. Are there new legal issues we need to address?

49 SEVEN PRIORITY CONCERNS, APR 2013 – APR 2014

50 SEVEN PRIORITY CONCERNS
1. Responsibilities for response and recovery will increase:
- When DHS starts issuing Imminent Target Notices and Catastrophic Target Notices
- When DHS reviews the Cybersecurity Framework
- When threat assessments and incidents intensify

51 SEVEN PRIORITY CONCERNS
2. Information sharing agreements will need to be drafted and/or updated:
- For threat warnings
- For Severe Impacts
- For third-party access to company-sensitive data
- To address necessary disclosures despite NDAs

52 SEVEN PRIORITY CONCERNS
3. Incident response plans will need new sections:
- For ensuring orderly "graceful degradation" of operations
- For seeking Federal assistance against cyberattack
- To report NERC CIP Standards violations (seek waivers?)
- For insurance notifications and coverage

53 SEVEN PRIORITY CONCERNS
4. Recovery plans will need new sections:
- For months/years of New Normal "degraded operations"
- Disclosures to the SEC, State regulators, and customers and suppliers
- Update mutual assistance agreements

54 SEVEN PRIORITY CONCERNS
5. To what extent will you adopt NIST's Cybersecurity Framework standards?
- Will the "Framework" include some standards that exceed NERC CIP Standards?
- "Best practices" always surpass minimum standards
- Reputational damage if you avoid or delay adoption (e.g., what if you postpone until after a Severe Impact?)

55 SEVEN PRIORITY CONCERNS
6. How will you position your company to defend against alleged violations of:
- Multiple applicable versions of NERC CIP standards
- NERC compliance and enforcement audits
- Lawsuits by stakeholders alleging damages under the New Normal (e.g., customers not receiving restored power on a priority basis)
- Rate recovery of cybersecurity investment and recovery costs

56 SEVEN PRIORITY CONCERNS
7. Company legal strategies will need to be updated to reflect changing attitudes by courts and regulators
Patco Construction Co. v. People's United Bank (1st Cir. 2012):
- Over 7 days, the Bank authorized fraudulent transfers of $588,851 and ignored red flags of timing, value, and location
- Bank's security held not "commercially reasonable"
- If you're in the best position to provide security, you must do so

57 SEVEN PRIORITY CONCERNS
FTC v. HTC America (settlement), FEB 2013:
- HTC America failed to employ reasonable and appropriate security practices in the design of software for mobile devices
- Failed to test software to identify vulnerabilities
- Security assessments every other year for 20 years
- Software vendors may become liable for vulnerabilities

58 QUESTIONS

59 REPORTING REQUIREMENTS
- EOP-004: Event Reporting standard – within 24 hrs.
- CIP-001-2a: Sabotage Reporting – to Interconnection parties, and FBI or RCMP
- CIP-008: Cyber Security – all reportable Cyber Security Incidents reported to ES-ISAC
