CYBER BREACH MITIGATION How Do I Start & Where is my Money Best Spent ? Speakers: George Adkins , Wortham Power Gen Insurance Brad Luna , N-Dimensions 1 TPPA
THE FUTURE IS HERE INCIDENTS WITH PUBLIC POWER ELEMENTS 2010 (Stuxnet) • WORM affects Seimans Software Based PLC • Reprogrammed to Vary Speeds of Rotating Machinery • Hid Speed Variance from Control Room Operator 2015 (PREN) • Power Grid Shutdown Using “Black Energy” Malware • Variation of Same Malware Found on U.S. Utilities in 2014 2016 • Denial of Service attack – Printers, IP cameras, residential gateways and baby monitors • Overload/Shutdown DNS Provider - Dyn • Mirai Botnet Used • ( THINK SMART METERS ) • 2 of 3 Considered STATE SPONSORED 2
THE FUTURE IS HERE PUBLIC POWER/UTILITY INCIDENTS • 2005 (St. Louis, MO) – Retention Dam - Hacker caused equipment malfunctions and issues with remote monitoring – Resulted in release of 1 billion gallons of water. • 2008 (New Orleans) – CIA confirmed cyber attack led to a power outage spanning multiple towns. • Nov 2011 (Central Illinois) – SCADA (Water System Management) hacked by computer in Russia – damaged water plant pumps • 2013, a Northeast IOU – 1/3 of customers records are taken before blocked 3
THE FUTURE IS HERE PUBLIC POWER/UTILITY INCIDENTS • 2014, a Southern Utility – W2s taken from HR, hackers file false tax returns • 2015 (Rye Brook, NY) – Hacker gained control of Bowman Avenue Dam Through cable modem – Found before any damage done • 2015 - Rural Electric Cooperative Hacks – Hacker program IP based phone to to dial a (900) when customer service called � Customer charged for call – New HVAC System sent outbound communications for to Russian IP address – Communications Provider hit with DNS attack and shutdown � COOP lost communications with AMI. Substation SCADA, field workers • 2016 Midwest Utility – Outsourced AMI Server Hacked, Financial and Customer Data at risk – Traced to Chinese IP address 4
THE FUTURE IS HERE PUBLIC POWER/UTILITY INCIDENTS • March 2016 (Kemuri Water Utility – Fake Name) – Exploited Web Accessible Payment System – Changed Levels Of Chemicals In Treatment Plant – Manipulated Hundreds Of Plc’s To Change Valve Patterns And Duct Movements – IP Addresses Of Hackers Linked Hacktivist In Syria. • April 2016 – Lansing, MI BWL – Employee Open Infected E-mail Attachment – Hackers Shutdown Accounting And Email – $2.4m Total Cost, All But $500k Covered By Insurance ($100k Ded Plus System Upgrades) – $25,000 Bitcoin Ransom • Late 2016 (Southeast U.S.) – Small Southeast Integrated Water/WW/Elec Utility – Ransonware Payment – Converted To Bitcoin Amount Unknown • • Many Others Undocumented 5
THE FUTURE IS HERE NERC CIP v5 expands to LOW Impact Assets, Transient Devices • July 1 2016 Requirements • Most Requirements Apply to HIGH and MEDIUM Impact Assets. • Basic Program Elements Apply to LOW Impact Assets. • April 1 2017 Requirements • LOW: Document Policies and Plans For Cybersecurity Awareness, Physical Security, Electronic Access & Incident Response. • HIGH & MEDIUM: Implement Plans for Transient Cyber Assets and Removable Media. • September 1 2018 Requirements • LOW: Implement Plans for Physical Security and Electronic Access. • NERC CIP Compliance Does Not Equal Cybersecurity. There are Intersecting Points, but Represent Two Different Goals and Two Different Scopes. 6
The Fu Future is s Here BakerHostetler 2016 Data Security Incident HOW ARE THE BREACH'S OCCURRING? 7
THE FU FUTURE IS HERE REALITY CHECK • Utility Cyber Breaches Already Occurring • Mitigating 100% of Cyber Risk is Expensive & Impossible • FERC Fines & Penalties for Non-Compliance • Most Incidents Caused by Employees Public Rural Water & Gas Power Co-Ops Utilities 8
HYPOTHESIS Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible THE PLAN - Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost - Deploy Cyber Insurance For Balance Sheet Protection From Other 20%. 9
Evaluate/Plan of Attack PUBLIC POWER CYBER RISK EVALUATION SURVEY • http://worthampowergen.com/cyber-risk- evaluation-tool.html – 12 Question Survey (Check Boxes) – Evaluates Cyber-Hygiene – Controls that Mitigate 80% of Cyber Risks – Generates Report (Plan of Attack) 10
80% Mitigation 80 CYBER SECURITY EVALUATION REPORT • No-Cost Report – Developed and Evaluated By Cyber Risk Process Experts – Cybersecurity Maturity Score – Weak Area Discussion/Action List – NERC CIP Overview for Low Impact Asset Deadlines – Survey Responses Are Confidential/ SSL/TLS Encryption • Uses – Management Reporting – Budget Request Support – “To-Do” List 11
PLAN OF ATTACK EVALUATION AREAS – Access and Account Management – Asset Baselines and Change Management – Asset Inventory: Hardware and Software – Boundary Defense: Electronic and Physical Security – Incident Management and Review – Information Management and Protection – Boundary Defense: Electronic and Physical Security 12
Monitoring • N-Dimension’s N-Sentinel Monitoring – Proactive Continuous Cyber Threat Vigilance – Detection And Alerts – Timely assessment and correlation of alerts to verify threat (source, type, etc.) – Identify and prioritize remediation – In-depth Intelligence About Attacks – Utility Community Insights – Global cyber awareness – utility community insights, flash alerts, etc **** DOE Grant Supplements 80% of Cost – 1 st year **** • N-Dimension’s N-Sentinel Vulnerability Assessment – On-demand endpoint Vulnerability Assessments (servers, firewalls, PCs, ….) – Identify, Report and prioritize remediation – Actionable insights in vulnerabilities discovered – Timely actions to improve security posture – Correlate Vulnerabilities Assessment findings with Intrusion Alerts Both with Easy, fast deployment (no costly consulting work needed), hands off management so you can 13 focus on what you do best.
How N-Sentinel Works N-Dimension Security Analysts Network Operations Center Community-based Contextual Analysis SCADA OMS AMI Alerts Secure Distribution Customer Web Devices Portal Substations Meters Reports Threat Intelligence Denotes possible service deployment locations 14
HYPOTHESIS Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible THE PLAN Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost DEPLOY CYBER INSURANCE FOR BALANCE SHEET PROTECTION FROM OTHER 20%. 15
20% - Balance Sheet Protection CY CYBER LI LIABILITY INSURANCE – TH THE CO COVERAGE Third Party Liability Coverage Descrip ti on First Party Coverages Coverage Descrip ti on Coverages No ti fica ti on expenses incurred Damages & Expenses Incurred for No ti fica ti on following a privacy event/breach. liability from allega ti ons of security Security & Privacy Liability (Credit monitoring services, call Expense/Credit Monitoring and privacy wrongful acts. center services, etc.) Amount obligated to pay from Costs to restore/replace computer programs, so ft ware certain privacy regulatory ac ti ons.( Network Interrup ti on Regulatory Defense and and electronic data (i.e. i.e. HIPAA, NERC, FERC, NRC, Data Asset Restora ti on Fines/Penal ti es Customer consump ti on and Payment Card Assessments) preference data). Money/Expenses paid rela ti ng to Liability from allega ti ons of cyber extor ti on demands. Extor ti on Expenses mul ti media wrongful acts (libel, Media Liability slander, invasion of privacy, etc.). Loss of funds arising out of fraudulent email wire transfer requests or other direct monetary Fraud loss (Computer Fraud/Electronic Fraud/Social Engineering Fraud). Business Interrup ti on/Extra Expense Loss of Profits/Extra (Loss of profits) resul ti ng from a Expense Cyber Breach. Crisis Management/ Expenses including forensics, Reputa ti onal Harm public rela ti ons etc. 16
POST BREACH INSURANCE RESOURCES INCIDENT RESPONSE PLAN • TOLL-FREE NUMBER (24/7) TO REPORT INCIDENT • SERVICE TRIAGES AND DETERMINES PLAN • CLAIMS MANAGEMENT – Process Management Including Appointing Specialists & Legal Services • COMPUTER FORENSIC SERVICES – “How, When & Breach Impact” • NOTIFICATION/CALL CENTER SERVICES – Instructions for Reaction Response, Notification & Call Center. • FRAUD RESOLUTION SERVICES – Credit/ID Theft Monitoring & Remediation. • PUBLIC RELATIONS AND CRISIS MANAGEMENT SERVICES 17
SUMMARY -Utility Cyber Risk Trending Towards Ransom and Physical Damage -Most Breaches Caused by Employee Errors -Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible -Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost -Deploy Cyber Insurance For Balance Sheet Protection From Other 20%. -Many Cyber Breach Costs not covered in Traditional Insurance (General Liability) -APPA Insurance Programs Less Expensive and Broader Coverage -Leverage Group Purchasing Power -Use Savings to Fund Cyber effort 18
HERE THE FU FUTURE IS HE • Norse Attack Map 19
APPENDIX • Program Costs • Public Power Hacking Video • Itegriti & N-Dimensions Overview • N-Sentinel Costs • Evaluation Areas • How N-Sentinel Works 20
Recommend
More recommend
