CYBER BREACH MITIGATION
How Do I Start & Where is my Money Best Spent?

Speakers:
George Adkins, Wortham Power Gen Insurance
Brad Luna, N-Dimensions

TPPA


Post on 01-Aug-2020



THE FUTURE IS HERE

INCIDENTS WITH PUBLIC POWER ELEMENTS

2010 (Stuxnet)
• Worm Affects Siemens Software-Based PLC
• Reprogrammed to Vary Speeds of Rotating Machinery
• Hid Speed Variance from Control Room Operator

2015 (PREN)
• Power Grid Shutdown Using “Black Energy” Malware
• Variation of Same Malware Found on U.S. Utilities in 2014

2016
• Denial of Service attack
  – Printers, IP cameras, residential gateways and baby monitors
• Overload/Shutdown DNS Provider - Dyn
• Mirai Botnet Used
• (THINK SMART METERS)

• 2 of 3 Considered STATE SPONSORED


THE FUTURE IS HERE

PUBLIC POWER/UTILITY INCIDENTS

• 2005 (St. Louis, MO)
  – Retention Dam - Hacker caused equipment malfunctions and issues with remote monitoring
  – Resulted in release of 1 billion gallons of water.

• 2008 (New Orleans)
  – CIA confirmed cyber attack led to a power outage spanning multiple towns.

• Nov 2011 (Central Illinois)
  – SCADA (Water System Management) hacked by computer in Russia – damaged water plant pumps

• 2013, a Northeast IOU
  – 1/3 of customer records are taken before blocked


THE FUTURE IS HERE

PUBLIC POWER/UTILITY INCIDENTS

• 2014, a Southern Utility
  – W2s taken from HR, hackers file false tax returns

• 2015 (Rye Brook, NY)
  – Hacker gained control of Bowman Avenue Dam through cable modem
  – Found before any damage done

• 2015 - Rural Electric Cooperative Hacks
  – Hacker programmed IP-based phone to dial a (900) number when customer service called
    ▪ Customer charged for call
  – New HVAC System sent outbound communications to Russian IP address
  – Communications Provider hit with DNS attack and shutdown
    ▪ COOP lost communications with AMI, Substation SCADA, field workers

• 2016 Midwest Utility
  – Outsourced AMI Server Hacked, Financial and Customer Data at risk
  – Traced to Chinese IP address


THE FUTURE IS HERE

PUBLIC POWER/UTILITY INCIDENTS

• March 2016 (Kemuri Water Utility – Fake Name)
  – Exploited Web Accessible Payment System
  – Changed Levels Of Chemicals In Treatment Plant
  – Manipulated Hundreds Of PLCs To Change Valve Patterns And Duct Movements
  – IP Addresses Of Hackers Linked To Hacktivist In Syria.

• April 2016 – Lansing, MI BWL
  – Employee Opened Infected E-mail Attachment
  – Hackers Shutdown Accounting And Email
  – $2.4m Total Cost, All But $500k Covered By Insurance ($100k Ded Plus System Upgrades)
  – $25,000 Bitcoin Ransom

• Late 2016 (Southeast U.S.)
  – Small Southeast Integrated Water/WW/Elec Utility
  – Ransomware Payment
  – Converted To Bitcoin Amount Unknown

• Many Others Undocumented

Brad to jump in on Lansing

NERC CIP v5 expands to LOW Impact Assets, Transient Devices

• July 1 2016 Requirements
  – Most Requirements Apply to HIGH and MEDIUM Impact Assets.
  – Basic Program Elements Apply to LOW Impact Assets.

• April 1 2017 Requirements
  – LOW: Document Policies and Plans For Cybersecurity Awareness, Physical Security, Electronic Access & Incident Response.
  – HIGH & MEDIUM: Implement Plans for Transient Cyber Assets and Removable Media.

• September 1 2018 Requirements
  – LOW: Implement Plans for Physical Security and Electronic Access.

• NERC CIP Compliance Does Not Equal Cybersecurity. There are Intersecting Points, but They Represent Two Different Goals and Two Different Scopes.

THE FUTURE IS HERE


BakerHostetler 2016 Data Security Incident

HOW ARE THE BREACHES OCCURRING?

The Future is Here


THE FUTURE IS HERE

REALITY CHECK
• Utility Cyber Breaches Already Occurring
• Mitigating 100% of Cyber Risk is Expensive & Impossible
• FERC Fines & Penalties for Non-Compliance
• Most Incidents Caused by Employees

Public Power

Water & Gas Utilities

Rural Co-Ops


Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible

THE PLAN - Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost

- Deploy Cyber Insurance For Balance Sheet Protection From Other 20%.

HYPOTHESIS


PUBLIC POWER CYBER RISK EVALUATION SURVEY

• http://worthampowergen.com/cyber-risk-evaluation-tool.html

– 12 Question Survey (Check Boxes)

– Evaluates Cyber-Hygiene

– Controls that Mitigate 80% of Cyber Risks

– Generates Report (Plan of Attack)

Evaluate/Plan of Attack


80% Mitigation

CYBER SECURITY EVALUATION REPORT

• No-Cost Report
  – Developed and Evaluated By Cyber Risk Process Experts
  – Cybersecurity Maturity Score
  – Weak Area Discussion/Action List
  – NERC CIP Overview for Low Impact Asset Deadlines
  – Survey Responses Are Confidential/ SSL/TLS Encryption

• Uses
  – Management Reporting
  – Budget Request Support
  – “To-Do” List


PLAN OF ATTACK

EVALUATION AREAS

– Access and Account Management

– Asset Baselines and Change Management

– Asset Inventory: Hardware and Software

– Boundary Defense: Electronic and Physical Security

– Incident Management and Review

– Information Management and Protection



• N-Dimension’s N-Sentinel Monitoring
  – Proactive Continuous Cyber Threat Vigilance
  – Detection And Alerts
  – Timely assessment and correlation of alerts to verify threat (source, type, etc.)
  – Identify and prioritize remediation
  – In-depth Intelligence About Attacks
  – Utility Community Insights
  – Global cyber awareness – utility community insights, flash alerts, etc.

**** DOE Grant Supplements 80% of Cost – 1st year ****

• N-Dimension’s N-Sentinel Vulnerability Assessment
  – On-demand endpoint Vulnerability Assessments (servers, firewalls, PCs, ….)
  – Identify, Report and prioritize remediation
  – Actionable insights in vulnerabilities discovered
  – Timely actions to improve security posture
  – Correlate Vulnerabilities Assessment findings with Intrusion Alerts

Monitoring

Both with easy, fast deployment (no costly consulting work needed), hands off management so you can focus on what you do best.


How N-Sentinel Works

[Diagram. Labels: Substations, Meters, Distribution Devices, SCADA, AMI, OMS, Threat Intelligence, Community-based Contextual Analysis, N-Dimension Security Analysts, Network Operations Center, Alerts, Reports, Secure Customer Web Portal. A marker denotes possible service deployment locations.]


Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible

THE PLAN Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost

DEPLOY CYBER INSURANCE FOR BALANCE SHEET PROTECTION FROM OTHER 20%.

HYPOTHESIS


20% - Balance Sheet Protection

CYBER LIABILITY INSURANCE – THE COVERAGE

Third Party Liability Coverages

| Coverage | Description |
|---|---|
| Security & Privacy Liability | Damages & Expenses Incurred for liability from allegations of security and privacy wrongful acts. |
| Regulatory Defense and Fines/Penalties | Amount obligated to pay from certain privacy regulatory actions (i.e. HIPAA, NERC, FERC, NRC, Payment Card Assessments). |
| Media Liability | Liability from allegations of multimedia wrongful acts (libel, slander, invasion of privacy, etc.). |

First Party Coverages

| Coverage | Description |
|---|---|
| Notification Expense/Credit Monitoring | Notification expenses incurred following a privacy event/breach. (Credit monitoring services, call center services, etc.) |
| Network Interruption Data Asset Restoration | Costs to restore/replace computer programs, software and electronic data (i.e. Customer consumption and preference data). |
| Extortion Expenses | Money/Expenses paid relating to cyber extortion demands. |
| Fraud | Loss of funds arising out of fraudulent email wire transfer requests or other direct monetary loss (Computer Fraud/Electronic Fraud/Social Engineering Fraud). |
| Loss of Profits/Extra Expense | Business Interruption/Extra Expense (Loss of profits) resulting from a Cyber Breach. |
| Crisis Management/Reputational Harm | Expenses including forensics, public relations etc. |


INCIDENT RESPONSE PLAN

• TOLL-FREE NUMBER (24/7) TO REPORT INCIDENT
• SERVICE TRIAGES AND DETERMINES PLAN
• CLAIMS MANAGEMENT – Process Management Including Appointing Specialists & Legal Services
• COMPUTER FORENSIC SERVICES – “How, When & Breach Impact”
• NOTIFICATION/CALL CENTER SERVICES – Instructions for Reaction Response, Notification & Call Center.
• FRAUD RESOLUTION SERVICES – Credit/ID Theft Monitoring & Remediation.
• PUBLIC RELATIONS AND CRISIS MANAGEMENT SERVICES

POST BREACH INSURANCE RESOURCES


-Utility Cyber Risk Trending Towards Ransom and Physical Damage

-Most Breaches Caused by Employee Errors

-Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible

-Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost

-Deploy Cyber Insurance For Balance Sheet Protection From Other 20%.

-Many Cyber Breach Costs not covered in Traditional Insurance (General Liability)

-APPA Insurance Programs Less Expensive and Broader Coverage

-Leverage Group Purchasing Power

-Use Savings to Fund Cyber effort

SUMMARY


THE FUTURE IS HERE

• Norse Attack Map


APPENDIX
• Program Costs
• Public Power Hacking Video
• Itegriti & N-Dimensions Overview
• N-Sentinel Costs
• Evaluation Areas
• How N-Sentinel Works


PROGRAM COSTS

| ANNUAL REV ($m) (1) | Premium, $1m POLICY LIMIT | Premium, $2m POLICY LIMIT | Deductible |
|---|---|---|---|
| 0 - 5 | $2,525 | $3,775 | $2,500 |
| 5 - 15 | $3,275 | $4,850 | $10,000 |
| 15 - 25 | $4,650 | $6,900 | $10,000 |
| 25 - 35 | $6,925 | $10,300 | $15,000 |
| 35 - 50 | $9,200 | $13,700 | $15,000 |
| 50 - 75 | $12,250 | $19,000 | $25,000 |
| 75 - 100 | $16,750 | $25,000 | $25,000 |
| Over 100 | Refer to Underwriters | | |

Network Monitoring (If bundled with Insurance) (2): $7,500
*1st Year Cost Reduced to $1,960 for APPA members through DOE program

Higher Limits Available Upon Request

(1) Parent (City) can be included in coverage if revenues are reported
(2) Monitoring Cost is Annual Per Network, Assumes 1 Network

HCI Cyber Program (Financial Protection)


APPA/HOMETOWN CYBER LIABILITY APPLICATION

• Organization and Contact Information

• # of Personally Identifiable Records?

– #meters + #past customers + # employees + #retirees

• Annual Utility Revenues?

• Disaster Recovery Plan in Place?

• Sensitive Data Encrypted or Masked?

• Firewalls and Auto Updating Antivirus Software In force?

• Developing a Plan Per NERC CIP Standards?

• Had any Incidents in Last 3 years That Would Have Been a Claim?


Data Breach Cost Estimates

| NUMBER OF RECORDS (PCI) | 5,000 | 20,000 | 100,000 |
|---|---|---|---|
| Forensics | $14,700 | $16,800 | $28,000 |
| Security Remediation | $70,700 | $72,700 | $84,000 |
| Breach Coach/Legal Advice | $38,000 | $38,000 | $38,000 |
| INVESTIGATION COST TOTAL | $123,400 | $127,500 | $150,000 |
| Fines & Penalties | $26,000 | $26,000 | $25,000 |
| Fraud Assessment | $62,500 | $250,000 | $1,250,000 |
| Card Re-Issuances | $10,000 | $40,000 | $200,000 |
| PCI TOTAL COST | $98,500 | $316,000 | $1,475,000 |
| Customer Notification | $5,000 | $20,000 | $100,000 |
| Call Center | $375 | $1,500 | $7,500 |
| Credit/ID Monitoring | $4,500 | $18,000 | $72,500 |
| Public Relations | $21,000 | $21,000 | $21,000 |
| CUSTOMER NOTIFICATION/CRISIS MANAGEMENT COST | $30,875 | $60,500 | $201,000 |
| State AG | $6,650 | $18,300 | $58,300 |
| HHS | $0 | $0 | $0 |
| Other | $0 | $0 | $0 |
| REGULATORY FINES/PENALTIES | $6,650 | $18,300 | $58,300 |
| Defense | $283,000 | $283,000 | $283,000 |
| E Discovery | $73,600 | $73,500 | $140,000 |
| Settlements/Damages | $150,000 | $150,000 | $150,000 |
| CLASS ACTION LAWSUIT COSTS | $506,600 | $506,500 | $573,000 |
| TOTAL COST | $766,025 | $1,028,800 | $2,457,300 |
| COST per RECORD | $153 | $51 | $25 |

NOTES: FIRST BREACH FOR COMPANY, DATA STORED IN CENTRALIZED SYSTEM


Verizon 2016 Data Breach Investigations Report

CYBER INSURANCE PAYOUTS PER TYPE OF COST


Cyber Breaches – The Risks How Insurance Responds?


• Exposure: 1st Party Physical Damage
  – Risk
    ▪ Damage to Owned Physical Assets as a result of a Cyber attack.
  – Insurance Response
    ▪ Cyber Insurance - Available from limited Underwriters, Expensive.
    ▪ All Risk Property Insurance – Historically, “Resultant Damage” Covered.

HOW INSURANCE RESPONDS TO A CYBER ATTACK


• Exposure: Business Interruption
  – Risk
    ▪ Business Interruption here is loosely defined as “Loss of Profits + Continuing Expenses”.
      o Historically, Business Interruption has not been offered to Public Power due to its ability to recover the financial loss in a subsequent rate case. However, utilizing the argument that “buying Business Interruption is a more responsible use of the Rate Payer funds”, there are some Public Power entities that are now pursuing Business Interruption Insurance.
  – Insurance Response
    ▪ Cyber Insurance - Available through Select Markets, Including the HCI/APPA Program.
    ▪ All Risk Property Insurance – Covered as a result of Physical Damage caused by a Cyber attack.

HOW INSURANCE RESPONDS TO A CYBER ATTACK


• Exposure: Extra Expense
  – Risk
    ▪ Extra Expense is cost associated with minimizing the loss of profits. (i.e. renting a temporary transformer while original being repaired)
  – Insurance Response
    ▪ Cyber Insurance - Available through Select Markets, Including the HCI/APPA Program.
    ▪ All Risk Property Insurance - Covered as a result of Physical Damage caused by a Cyber attack.
      o Extra Expense, in an All Risk Property Insurance Policy, generally does not include costs associated with buying Replacement Power. Replacement Power coverage has developed a separate insurance market.

HOW INSURANCE RESPONDS TO A CYBER ATTACK


• Exposure: Customer Physical Damage/Loss of Profits from “Failure to Supply Power”
  – Risk
    ▪ 3rd Party Lawsuit as a Result of a Failure to Supply Power
    ▪ Most Public Power entities enjoy some 3rd party liability tort protection from “Failure to Supply” power. This is generally outlined in the “Transmission Tariff” document and liability is usually limited to “Gross Negligence or Intentional Wrongdoing” and/or a monetary cap.
  – Insurance Response
    ▪ Cyber Insurance - Generally Excluded, but can be purchased for expensive rates.
    ▪ General Liability – Generally Excluded if an Exposure Exists
    ▪ Excess Liability Insurance – Coverage Available

HOW INSURANCE RESPONDS TO A CYBER ATTACK


Electric Utility Cyber Liability Insurance Benchmarking


CYBER INSURANCE PREMIUM DISTRIBUTION FOR ELECTRIC UTILITIES

BENCHMARKING


CYBER INSURANCE POLICY LIMIT DISTRIBUTION FOR ELECTRIC UTILITIES

BENCHMARKING


CYBER INSURANCE DEDUCTIBLE DISTRIBUTION FOR ELECTRIC UTILITIES

BENCHMARKING