Cyber Security Seminar September 14, 2019 Presentations from: Sean McMillan, P.E. of Jones|Carter Kim Courte, CPCU of Arthur J. Gallagher & Co.

Cyber Security Seminar · 2019-12-23 · Cyber Security Seminar September 14, 2019 Presentations from: Sean McMillan, P.E. of Jones|Carter Kim Courte, CPCU of Arthur J. Gallagher


Cyber Security Seminar

September 14, 2019

Presentations from:

Sean McMillan, P.E. of Jones|Carter

Kim Courte, CPCU of Arthur J. Gallagher & Co.


Agenda

American Water Infrastructure Act

Texas HB 3834

How do I stay informed?


Latest Threat Landscape - Ransomware

• Multiple cities and other governmental agencies have been attacked this year.

• Cities attacked include Baltimore, Albany, Laredo, Amarillo, Atlanta, and many more.

• Lake City, Florida had insurance which paid a ransom of $460,000 in Bitcoin. Riviera Beach, Florida paid $600,000.

• Atlanta refused to pay $51,000 ransom. It is estimated the recovery will cost $17 million.

• Baltimore refused to pay $75,000. It is estimated the recovery will cost $18 million.

• Cities and municipalities are having problems hiring cybersecurity staff and paying for necessary resources and equipment.

• Paying ransoms may be the least expensive way to solve the problem, but encourages more attacks and provides funds to enable more attacks.


Latest Threat Landscape - Ransomware

• On the morning of August 16, 2019, a coordinated attack on 22 Texas cities was conducted. It is the largest coordinated ransomware attack so far.

• A single threat actor is behind the attack. It is believed to be Ryuk, which is the same virus used in the Florida attack.

• Governor Abbott ordered a Level 2 Escalated Response and has deployed cybersecurity experts to help assess damage and bring the affected entities back online.


AWIA – American Water Infrastructure Act

• AWIA was passed by Congress on October 23, 2018.

• It requires all utilities that serve a population of more than 3,300 people to develop risk assessments and emergency response plans.


Requirements of the AWIA

• Each community water system serving a population of greater than 3,300 persons shall assess the risks to, and resilience of, its system. Such an assessment shall include:

– the risk to the system from malevolent acts and natural hazards;

– the resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system;

– the monitoring practices of the system;

– the financial infrastructure of the system;

– the use, storage, or handling of various chemicals by the system; and

– the operation and maintenance of the system.


AWIA – Baseline Threat Information

• Assault on Utility – Physical

• Contamination of Finished Water – Accidental*

• Contamination of Finished Water – Intentional

• Theft or Diversion – Physical

• Cyber Attack on Business Enterprise Systems

• Cyber Attack on Process Control Systems

• Sabotage – Physical

• Contamination of Source Water – Accidental*

• Contamination of Source Water – Intentional


AWIA – Baseline Threat Information

• Cyber Attack on Business Enterprise Systems

– Social Media?

– Notification Systems?

– Social Engineering Attacks?

• Cyber Attack on Process Control Systems

– SCADA

– Alarm Dialers


AWIA – Cyber Attacks

• Requires a risk and resiliency assessment and emergency response plan.

• Requires utilities to submit certification that they have completed the plans. Do not submit the plan itself.

• There are tools for performing a self-assessment from EPA. There are also professionals who can help.

• Because most utilities will have to do it, resources will be strained. Don’t wait.


Texas HB 3834

• The State of Texas (HB3834) is now requiring government employees and elected officials to take a cybersecurity awareness training program.

• Exemption if the entity employs a ‘dedicated information resources cybersecurity officer.’

• Texas Department of Information Resources is currently reviewing training plans.

• Annual training must be completed by June 14, 2020 by the following employees:

– State Agencies: Employees who use a computer to complete at least 25 percent of the employee’s required duties, and elected or appointed officers of the agency.

– Local Government Entities: Employees who have access to a local government computer system or database, and elected officials.

• Contractors of state agencies who have access to a state computer system or database must complete training during the term of the contract and during any renewal period.


How do I stay informed?

• Monitor sources such as:

– https://www.us-cert.gov/

– https://csrc.nist.gov/

– https://www.sans.org/security-resources/blogs

– https://www.cybrary.it/

– https://krebsonsecurity.com/

– https://www.schneier.com/

– EPA

– AWWA

– Water ISAC

– The news


District Cyber Presentation

Kim Courte, CPCU

W.I.N. Program Director

Gallagher


TOPICS

Causes

Cyber & Privacy Liability

Data Breach & Response

Protection


CAUSES

Hackers use - Internet & Email

Malware

Ransomware, Extortion, Terrorism

Phishing/Spear Phishing

Paper, Computer Systems & Employees (direct & vendors) Negligence

Websites

Security Failures

Lost Mobile Devices

Improper Disposal

Malicious

Equipment Controls Connected to Internet


CYBER & PRIVACY LIABILITY

Arises From and Cost Associated:

• Failure of computer security resulting in transmission of malicious code, denial of service, etc.

• Data Breach: Unauthorized release of information when legally required to keep private

• Defense cost in State or Regulatory proceedings that involve violations of privacy

• Expert resources and monetary reimbursement of related out-of-pocket expense


DATA BREACH 2004-2017 BY THE NUMBERS


SIMPLIFIED VIEW OF A DATA BREACH

[Diagram] Stages: Discovery of a Data Breach; Evaluation of the Data Breach; Managing the Short-Term Crisis; Handling the Long-Term Consequences

Elements shown in the diagram:

• Theft, Loss, or Unauthorized Disclosure of Personally Identifiable Non-Public Information

• Forensic Investigation and Legal Review

• Notification and Credit Monitoring

• Class-Action Lawsuits

• Regulatory Fines, Penalties, and Consumer Redress

• Public Relations

• Reputational Damage

• Income Loss


BROAD FORM CYBER INSURANCE PROVIDES

24 Hour Immediate Engagement of Cyber Specialist

Crisis Management & Public Relations

Assistance with Forensic Investigation

Notification Cost

Credit Monitoring Expenses (Required and Voluntary)

Defense Cost

State Regulatory

Liability

Cost of Settlements or Judgements


CONCLUSION

Cyber Attack: It is not a question of “if”, it is “when”

Prepare

Identify and Mitigate Risk

Written Information Security Policy

Incident Response Plan

Manage Vendors

Protect Your Entity and your customers with Cyber Liability Insurance