CYBER BREACH MITIGATION How Do I Start & Where is my Money Best - - PowerPoint PPT Presentation



SLIDE 1

CYBER BREACH MITIGATION

How Do I Start & Where is my Money Best Spent?

Speakers: George Adkins, Wortham Power Gen Insurance; Brad Luna, N-Dimensions

TPPA

SLIDE 2

THE FUTURE IS HERE

INCIDENTS WITH PUBLIC POWER ELEMENTS

2010 (Stuxnet)

  • WORM affects Siemens Software Based PLC
  • Reprogrammed to Vary Speeds of Rotating Machinery
  • Hid Speed Variance from Control Room Operator

2015 (PREN)

  • Power Grid Shutdown Using “Black Energy” Malware
  • Variation of Same Malware Found in U.S. Utilities in 2014

2016

  • Denial of Service attack

– Printers, IP cameras, residential gateways and baby monitors

  • Overload/Shutdown DNS Provider - Dyn
  • Mirai Botnet Used
  • (THINK SMART METERS)
  • 2 of 3 Considered STATE SPONSORED

SLIDE 3

THE FUTURE IS HERE

PUBLIC POWER/UTILITY INCIDENTS

  • 2005 (St. Louis, MO)

– Retention Dam - Hacker caused equipment malfunctions and issues with remote monitoring
– Resulted in release of 1 billion gallons of water.

  • 2008 (New Orleans)

– CIA confirmed cyber attack led to a power outage spanning multiple towns.

  • Nov 2011 (Central Illinois)

– SCADA (Water System Management) hacked by computer in Russia – damaged water plant pumps

  • 2013, a Northeast IOU

– 1/3 of customer records taken before the intrusion was blocked

SLIDE 4

THE FUTURE IS HERE

PUBLIC POWER/UTILITY INCIDENTS

  • 2014, a Southern Utility

– W2s taken from HR, hackers file false tax returns

  • 2015 (Rye Brook, NY)

– Hacker gained control of Bowman Avenue Dam through cable modem
– Found before any damage done

  • 2015 - Rural Electric Cooperative Hacks

– Hacker programmed IP-based phone to dial a (900) number when customer service was called

      • Customer charged for call

– New HVAC System sent outbound communications to Russian IP address
– Communications Provider hit with DNS attack and shutdown

      • COOP lost communications with AMI, Substation SCADA, field workers

  • 2016 Midwest Utility

– Outsourced AMI Server Hacked, Financial and Customer Data at risk
– Traced to Chinese IP address

SLIDE 5

THE FUTURE IS HERE

PUBLIC POWER/UTILITY INCIDENTS

  • March 2016 (Kemuri Water Utility – Fake Name)

– Exploited Web Accessible Payment System
– Changed Levels Of Chemicals In Treatment Plant
– Manipulated Hundreds Of PLCs To Change Valve Patterns And Duct Movements
– IP Addresses Of Hackers Linked To Hacktivists In Syria.

  • April 2016 – Lansing, MI BWL

– Employee Opened Infected E-mail Attachment
– Hackers Shut Down Accounting And Email
– $2.4m Total Cost, All But $500k Covered By Insurance ($100k Ded Plus System Upgrades)
– $25,000 Bitcoin Ransom

  • Late 2016 (Southeast U.S.)

– Small Southeast Integrated Water/WW/Elec Utility
– Ransomware Payment
– Converted To Bitcoin, Amount Unknown

  • Many Others Undocumented

SLIDE 6

NERC CIP v5 expands to LOW Impact Assets, Transient Devices

  • July 1 2016 Requirements

– Most Requirements Apply to HIGH and MEDIUM Impact Assets.
– Basic Program Elements Apply to LOW Impact Assets.

  • April 1 2017 Requirements

– LOW: Document Policies and Plans For Cybersecurity Awareness, Physical Security, Electronic Access & Incident Response.
– HIGH & MEDIUM: Implement Plans for Transient Cyber Assets and Removable Media.

  • September 1 2018 Requirements

– LOW: Implement Plans for Physical Security and Electronic Access.

  • NERC CIP Compliance Does Not Equal Cybersecurity. There are Intersecting Points, but They Represent Two Different Goals and Two Different Scopes.

THE FUTURE IS HERE

SLIDE 7

BakerHostetler 2016 Data Security Incident

HOW ARE THE BREACHES OCCURRING?

The Future is Here

SLIDE 8

THE FUTURE IS HERE

REALITY CHECK

  • Utility Cyber Breaches Already Occurring
  • Mitigating 100% of Cyber Risk is Expensive & Impossible

  • FERC Fines & Penalties for Non-Compliance
  • Most Incidents Caused by Employees

Public Power, Water & Gas Utilities, Rural Co-Ops

SLIDE 9

Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible

THE PLAN

  • Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost
  • Deploy Cyber Insurance For Balance Sheet Protection From Other 20%.

HYPOTHESIS

SLIDE 10

PUBLIC POWER CYBER RISK EVALUATION SURVEY

  • http://worthampowergen.com/cyber-risk-evaluation-tool.html

– 12 Question Survey (Check Boxes)
– Evaluates Cyber-Hygiene
– Controls that Mitigate 80% of Cyber Risks
– Generates Report (Plan of Attack)

Evaluate/Plan of Attack

SLIDE 11

80% Mitigation

CYBER SECURITY EVALUATION REPORT

  • No-Cost Report

– Developed and Evaluated By Cyber Risk Process Experts
– Cybersecurity Maturity Score
– Weak Area Discussion/Action List
– NERC CIP Overview for Low Impact Asset Deadlines
– Survey Responses Are Confidential/ SSL/TLS Encryption

  • Uses

– Management Reporting
– Budget Request Support
– “To-Do” List

SLIDE 12

PLAN OF ATTACK

EVALUATION AREAS

– Access and Account Management
– Asset Baselines and Change Management
– Asset Inventory: Hardware and Software
– Boundary Defense: Electronic and Physical Security
– Incident Management and Review
– Information Management and Protection
– Boundary Defense: Electronic and Physical Security

SLIDE 13

  • N-Dimension’s N-Sentinel Monitoring

– Proactive Continuous Cyber Threat Vigilance
– Detection And Alerts
– Timely assessment and correlation of alerts to verify threat (source, type, etc.)
– Identify and prioritize remediation
– In-depth Intelligence About Attacks
– Utility Community Insights
– Global cyber awareness – utility community insights, flash alerts, etc.

**** DOE Grant Supplements 80% of Cost – 1st year ****

  • N-Dimension’s N-Sentinel Vulnerability Assessment

– On-demand endpoint Vulnerability Assessments (servers, firewalls, PCs, …)
– Identify, Report and prioritize remediation
– Actionable insights into vulnerabilities discovered
– Timely actions to improve security posture
– Correlate Vulnerability Assessment findings with Intrusion Alerts

Monitoring

Both with Easy, fast deployment (no costly consulting work needed), hands off management so you can focus on what you do best.

SLIDE 14

How N-Sentinel Works

[Diagram labels: Substations, Meters, Distribution Devices, SCADA, AMI, OMS, Threat Intelligence, Community-based Contextual Analysis, N-Dimension Security Analysts, Network Operations Center, Secure Customer Web Portal, Reports, Alerts]

Denotes possible service deployment locations

SLIDE 15

Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible

THE PLAN

  • Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost
  • DEPLOY CYBER INSURANCE FOR BALANCE SHEET PROTECTION FROM OTHER 20%.

HYPOTHESIS

SLIDE 16

20% - Balance Sheet Protection

CYBER LIABILITY INSURANCE – THE COVERAGE

Third Party Liability Coverages

| Coverage | Description |
|---|---|
| Security & Privacy Liability | Damages & Expenses Incurred for liability from allegations of security and privacy wrongful acts. |
| Regulatory Defense and Fines/Penalties | Amount obligated to pay from certain privacy regulatory actions (i.e. HIPAA, NERC, FERC, NRC, Payment Card Assessments). |
| Media Liability | Liability from allegations of multimedia wrongful acts (libel, slander, invasion of privacy, etc.). |

First Party Coverages

| Coverage | Description |
|---|---|
| Notification Expense/Credit Monitoring | Notification expenses incurred following a privacy event/breach. (Credit monitoring services, call center services, etc.) |
| Network Interruption Data Asset Restoration | Costs to restore/replace computer programs, software and electronic data (i.e. Customer consumption and preference data). |
| Extortion Expenses | Money/Expenses paid relating to cyber extortion demands. |
| Fraud | Loss of funds arising out of fraudulent email wire transfer requests or other direct monetary loss (Computer Fraud/Electronic Fraud/Social Engineering Fraud). |
| Loss of Profits/Extra Expense | Business Interruption/Extra Expense (Loss of profits) resulting from a Cyber Breach. |
| Crisis Management/Reputational Harm | Expenses including forensics, public relations etc. |

SLIDE 17

INCIDENT RESPONSE PLAN

  • TOLL-FREE NUMBER (24/7) TO REPORT INCIDENT
  • SERVICE TRIAGES AND DETERMINES PLAN
  • CLAIMS MANAGEMENT – Process Management Including Appointing Specialists & Legal Services
  • COMPUTER FORENSIC SERVICES – “How, When & Breach Impact”
  • NOTIFICATION/CALL CENTER SERVICES – Instructions for Reaction Response, Notification & Call Center.
  • FRAUD RESOLUTION SERVICES – Credit/ID Theft Monitoring & Remediation.

  • PUBLIC RELATIONS AND CRISIS MANAGEMENT SERVICES

POST BREACH INSURANCE RESOURCES

SLIDE 18

  • Utility Cyber Risk Trending Towards Ransom and Physical Damage
  • Most Breaches Caused by Employee Errors
  • Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible
  • Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost
  • Deploy Cyber Insurance For Balance Sheet Protection From Other 20%.
  • Many Cyber Breach Costs not covered in Traditional Insurance (General Liability)
  • APPA Insurance Programs Less Expensive and Broader Coverage

  • Leverage Group Purchasing Power
  • Use Savings to Fund Cyber effort

SUMMARY

SLIDE 19

THE FUTURE IS HERE

  • Norse Attack Map

SLIDE 20

APPENDIX

  • Program Costs
  • Public Power Hacking Video
  • Itegriti & N-Dimensions Overview
  • N-Sentinel Costs
  • Evaluation Areas
  • How N-Sentinel Works

SLIDE 21

PROGRAM COSTS

| ANNUAL REV ($m) (1) | Premium, $1m POLICY LIMIT | Premium, $2m POLICY LIMIT | Deductible | Network Monitoring (If bundled with Insurance) (2) |
|---|---|---|---|---|
| 0 - 5 | $2,525 | $3,775 | $2,500 | $7,500* |
| 5 - 15 | $3,275 | $4,850 | $10,000 | |
| 15 - 25 | $4,650 | $6,900 | $10,000 | |
| 25 - 35 | $6,925 | $10,300 | $15,000 | |
| 35 - 50 | $9,200 | $13,700 | $15,000 | |
| 50 - 75 | $12,250 | $19,000 | $25,000 | |
| 75 - 100 | $16,750 | $25,000 | $25,000 | |
| Over 100 | Refer to Underwriters | | | |

*1st Year Cost Reduced to $1,960 for APPA members through DOE program

Higher Limits Available Upon Request

(1) Parent (City) can be included in coverage if revenues are reported
(2) Monitoring Cost is Annual Per Network, Assumes 1 Network

HCI Cyber Program (Financial Protection)

SLIDE 22

THE FUTURE IS HERE - PREN

PUBLIC POWER HACKING VIDEO

SLIDE 23

APPA/HOMETOWN CYBER LIABILITY APPLICATION

  • Organization and Contact Information
  • # of Personally Identifiable Records?

– #meters + #past customers + # employees + #retirees

  • Annual Utility Revenues?
  • Disaster Recovery Plan in Place?
  • Sensitive Data Encrypted or Masked?
  • Firewalls and Auto Updating Antivirus Software In force?
  • Developing a Plan Per NERC CIP Standards?
  • Had any Incidents in Last 3 years That Would Have Been a Claim?

SLIDE 24

Data Breach Cost Estimates

| NUMBER OF RECORDS (PCI) | 5,000 | 20,000 | 100,000 |
|---|---|---|---|
| Forensics | $14,700 | $16,800 | $28,000 |
| Security Remediation | $70,700 | $72,700 | $84,000 |
| Breach Coach/Legal Advice | $38,000 | $38,000 | $38,000 |
| INVESTIGATION COST TOTAL | $123,400 | $127,500 | $150,000 |
| Fines & Penalties | $26,000 | $26,000 | $25,000 |
| Fraud Assessment | $62,500 | $250,000 | $1,250,000 |
| Card Re-Issuances | $10,000 | $40,000 | $200,000 |
| PCI TOTAL COST | $98,500 | $316,000 | $1,475,000 |
| Customer Notification | $5,000 | $20,000 | $100,000 |
| Call Center | $375 | $1,500 | $7,500 |
| Credit/ID Monitoring | $4,500 | $18,000 | $72,500 |
| Public Relations | $21,000 | $21,000 | $21,000 |
| CUSTOMER NOTIFICATION/CRISIS MANAGEMENT COST | $30,875 | $60,500 | $201,000 |
| State AG | $6,650 | $18,300 | $58,300 |
| HHS | $0 | $0 | $0 |
| Other | $0 | $0 | $0 |
| REGULATORY FINES/PENALTIES | $6,650 | $18,300 | $58,300 |
| Defense | $283,000 | $283,000 | $283,000 |
| E Discovery | $73,600 | $73,500 | $140,000 |
| Settlements/Damages | $150,000 | $150,000 | $150,000 |
| CLASS ACTION LAWSUIT COSTS | $506,600 | $506,500 | $573,000 |
| TOTAL COST | $766,025 | $1,028,800 | $2,457,300 |
| COST per RECORD | $153 | $51 | $25 |

NOTES: FIRST BREACH FOR COMPANY, DATA STORED IN CENTRALIZED SYSTEM

SLIDE 25

Verizon 2016 Data Breach Investigations Report

CYBER INSURANCE PAYOUTS PER TYPE OF COST

SLIDE 26

Cyber Breaches – The Risks

How Insurance Responds?

SLIDE 27

  • Exposure: 1st Party Physical Damage

– Risk

Damage to Owned Physical Assets as a result of a Cyber attack.

– Insurance Response

Cyber Insurance - Available from limited Underwriters, Expensive.
All Risk Property Insurance – Historically, “Resultant Damage” Covered.

HOW INSURANCE RESPONDS TO A CYBER ATTACK

SLIDE 28

  • Exposure: Business Interruption

– Risk

Business Interruption here is loosely defined as “Loss of Profits + Continuing Expenses”.

  • Historically, Business Interruption has not been offered to Public Power due to its ability to recover the financial loss in a subsequent rate case. However, utilizing the argument that “buying Business Interruption is a more responsible use of the Rate Payer funds”, there are some Public Power entities that are now pursuing Business Interruption Insurance.

– Insurance Response

Cyber Insurance - Available through Select Markets, Including the HCI/APPA Program.
All Risk Property Insurance – Covered as a result of Physical Damage caused by a Cyber attack.

HOW INSURANCE RESPONDS TO A CYBER ATTACK

SLIDE 29

  • Exposure: Extra Expense

– Risk

Extra Expense is cost associated with minimizing the loss of profits. (i.e. renting a temporary transformer while original being repaired)

– Insurance Response

Cyber Insurance - Available through Select Markets, Including the HCI/APPA Program.
All Risk Property Insurance - Covered as a result of Physical Damage caused by a Cyber attack.

  • Extra Expense, in an All Risk Property Insurance Policy, generally does not include costs associated with buying Replacement Power. Replacement Power coverage has developed a separate insurance market.

HOW INSURANCE RESPONDS TO A CYBER ATTACK

SLIDE 30

  • Exposure: Customer Physical Damage/Loss of Profits from “Failure to Supply Power”

– Risk

3rd Party Lawsuit as a Result of a Failure to Supply Power

Most Public Power entities enjoy some 3rd party liability tort protection from “Failure to Supply” power. This is generally outlined in the “Transmission Tariff” document and liability is usually limited to “Gross Negligence or Intentional Wrongdoing” and/or a monetary cap.

– Insurance Response

Cyber Insurance - Generally Excluded, but can be purchased for expensive rates.
General Liability – Generally Excluded if an Exposure Exists
Excess Liability Insurance – Coverage Available

HOW INSURANCE RESPONDS TO A CYBER ATTACK

SLIDE 31

Electric Utility Cyber Liability Insurance Benchmarking

SLIDE 32

CYBER INSURANCE PREMIUM DISTRIBUTION FOR ELECTRIC UTILITIES

BENCHMARKING

SLIDE 33

CYBER INSURANCE POLICY LIMIT DISTRIBUTION FOR ELECTRIC UTILITIES

BENCHMARKING

SLIDE 34

CYBER INSURANCE DEDUCTIBLE DISTRIBUTION FOR ELECTRIC UTILITIES

BENCHMARKING