© Copyright 2017 Saul Ewing Arnstein & Lehr LLP
Cybersecurity in the Construction Industry: Is the Threat Real? What Can I Do?
October 2, 2018
Construction and Insurance Counsel
Is the Threat to our Transportation Infrastructure Real?
Unfortunately – Yes!
Where Do Vulnerabilities Exist in the Transportation Industry?
• The Department of Homeland Security has deemed each of the following sectors at risk:
  - Aviation
  - Highway Infrastructure and Motor Carrier
  - Maritime
  - Mass Transit and Passenger Rail
  - Pipeline Systems
  - Freight Rail
  - Postal and Shipping
To Date, Where Have Attacks on Critical Infrastructure Been Successful?
• 2003: Sobig virus shut down a railroad's signaling, dispatching and other systems
• 2014: Chinese national train reservation system hacked; PII exposed
• 2015: Polish national airline had to cancel flights after a cyber intrusion into its computer system
• 2015: Flights at Swedish airports cancelled because of an attack on air traffic control
• 2015: Attack on Ukraine's power grid left large areas without electricity
• 2016: US indictment disclosed a foreign-nation intrusion into the command-and-control system of a dam in Rye Brook, NY (the intrusion itself took place in 2013)
• 2016: San Francisco light rail held hostage by hackers using malware
• 2017: Danish shipping company had its transport and logistics operations attacked by hackers, costing roughly $300 million
What Is Facilitating the Increased Risk of Cyber Attack?
• Increased dependence on the Internet
• Shared resources: Integrated Project Delivery and Building Information Modeling (BIM)
• Shared networks with a multiplicity of vendors and suppliers
• Internet of Things (IoT)
  - Highly insecure
  - Frequently incapable of remote software updates
  - Manufacturers compromising security for faster time to market
What Is at Risk?
• All digital assets:
  - Business plans and acquisition strategies
  - Proprietary designs
  - Customer, contractor and supplier lists and pricing
  - Personally Identifiable Information (PII)
  - Facilities security information
Pay Now, or Pay More Later
• Why do cybersecurity incidents cost so much?
• Typical costs for a breach of PII:
  - Investigation (IT, legal, compliance, personnel)
  - Remediation (IT, legal, compliance, personnel)
  - Breach notification
  - Remedies to affected individuals
• Potential additional costs:
  - Litigation
  - Loss of IP
  - Business interruption
  - Regulatory investigation
  - Enforcement agency action
What Can I Do to Address The Risk Posed by Cyber Threats?
• Develop and Implement Sound Risk Management Best Practices and Continue to Update Them
• Insure Against the Risk of Cyber Harm
Cyber Risk Management Best Practices
• Take a comprehensive approach:
  - Establish board oversight
  - Create a culture of security awareness and training
  - Apply industry best practices and frameworks: NIST, ISACA, ISO standards, ISACs
  - Map the legal, regulatory, public and insurance disclosure obligations that apply in every jurisdiction where you hold private information, ahead of time
  - Create an incident response team and plan, and test them periodically
• Take specific steps relating to data and IT:
  - Inventory your assets: hardware, software, infrastructure
  - Conduct a data inventory and establish data governance policies
  - Penetration testing and vulnerability assessment
  - Continuous monitoring
  - Conduct periodic risk assessments
• Treat a cyber incident like any other crisis
How Can Costs Be Contained?
• Invest in IT as if your organization depends on it
• Maintain clear and current policies
• Require regular and effective training
• Prepare for the worst
• Manage vendor and supply chain risk
• Consider insurance coverage
Invest in IT as if Your Organization Depends on IT
• Know your IT
  - It is astonishing how many organizations don't have anyone who really knows their IT
  - Where does different information live?
  - Where are different users authorized to go?
• Resist the temptation to DIY it
  - Know the limits of what you know
• If you get contract help, read the contract carefully: review indemnity clauses and manage vendor risk
• If you switch IT providers, get detailed documentation
  - A forensic image of the outgoing environment might not hurt
Maintain Clear and Current Policies
• According to some major studies, over half of cybersecurity incidents result from insider actions
  - Inadvertent: 23%
  - Malicious: 35%
• Personnel policies can make clear:
  - Consent to monitoring in the workplace
  - Restrictions on downloading files or applications
  - Limitations on bring your own device
  - Consequences for failure to comply
• IT policies can provide additional technical detail for system administrators and other users on issues affecting data security and privacy, e.g.:
  - Retention limits
  - Backup practices
Require Regular and Effective Training
• Training on personnel policies relating to IT use:
  - Phishing attacks
  - Social engineering
  - Password management
  - Use of removable media
  - Laptops and other mobile devices
• Training on the incident response plan:
  - So the team knows who they are and what to do if an emergency arises
  - Testing the plan is an effective way to reveal its flaws
Manage Vendor / Supply Chain Risk
• All vendors can introduce cybersecurity risk
• Vendor management is a team sport:
  - Legal
  - IT/Security
  - Finance
  - Risk Management
  - Procurement
  - SMEs
Manage Vendor / Supply Chain Risk
• IT/Security:
  - Any vendor that has access to your network is an extension of your network
  - Robust vendor screening is a good first step: an in-depth vendor questionnaire
  - It is not enough simply to put requirements in the contract; how will you measure and enforce them?
    • Right to audit
    • Third-party audit (e.g. a SOC report)
    • Application of third-party standards (NIST, ISO)
• Procurement and SMEs:
  - Is the correct form of agreement being presented at the outset?
  - Is vendor diligence being performed before contract negotiations start?
  - Is vendor risk being considered in pricing?
  - Are the right SMEs being asked to evaluate the vendor based on the services?
  - Ongoing vendor management and evaluation
Manage Vendor / Supply Chain Risk
• Legal component:
  - Robust contract intake to identify possible risks
  - Review contracts
  - Policies and requirements need to apply to vendors by contract
  - Indemnification and warranties
  - Approvals for material changes
  - Any special requirements?
• Finance and Risk Management:
  - Does the vendor have the money to perform?
  - Does the vendor have the money to respond if there is a breach?
  - Does the vendor have a proactive approach to risk management and mitigation, including vulnerability disclosure and management?
  - Does the vendor carry cyber insurance suitable for the risks presented?
What Types of Insurance Are Available?
• First-party coverage:
  - Damaged or lost digital assets
  - Lost business opportunities or increased operational costs due to interruption
  - Cyber extortion (ransom)
  - Funds stolen through electronic crime
• Third-party coverage (protection for entities that manage the network or system that holds the data):
  - Breaches of employee data
  - Lost customer information
  - Notification after a breach
  - Public relations, as well as combatting claims and litigation
What Will Insurance Underwriters Be Looking For as Premiums Are Determined?
• Best practices to guard against attacks
• Written policies and procedures
• Education and training of all employees
• An effective response and recovery plan for when attacks do occur
Prepare for the Worst: the Incident Response Plan
• The most effective cyber incident response is based on an incident response plan that is:
  - Tailored to your organization
  - Tested through tabletop exercises and scenarios
  - Trained for executives and line personnel
  - Updated regularly
  - Backed by outside relationships put in place ahead of time where needed:
    • With outside counsel
    • With forensics experts
    • With crisis communications
Incident Response Plan
• Part of a comprehensive cybersecurity program and policy
• Tailored to your organization
• Updated regularly
• Tested through tabletop exercises and scenarios
• Training for executives and line personnel
• Puts relationships in place with outside counsel, forensics expert and crisis communications.
Components of an Incident Response Plan
• An incident response plan should:
  - Identify roles and responsibilities
  - Define escalation paths and criteria
  - Outline approaches for specific scenarios
  - Provide out-of-band contact methods and information for each member of the team
  - Dictate the method for record-keeping throughout the incident
  - Provide a step-by-step guide for bringing a strategic approach to a chaotic situation
Incident Response Team
• Internal:
  - Risk Management and Financial
  - Operations and Business Continuity
  - Communications
  - IT
  - Legal
  - HR
• External:
  - Outside counsel
  - Forensic IT consultant
  - Call center
  - Insurance
• Integrate the team into the overall governance, risk management and business continuity framework
Role of the Forensic IT Professional
• Engagement process (think in minutes, not days!)
  - Outside counsel can help with this
• A pre-existing relationship is ideal
  - But not with the IT provider you use for everyday purposes
• Experience, reputation and references
• Soft skills and technical skills
• First: do no harm
  - Often means restoring service first and finding root cause later
  - But also requires preserving evidence for forensic review before restoration alters it
  - Requires collaboration between the day-to-day IT team and the forensics team
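The "preserve evidence before restoring service" point above is easy to state and easy to skip under pressure. The following Python script is an added illustration, not part of the original presentation: it writes a SHA-256 manifest (who collected what, when, with each file's hash and size) over an evidence directory and later re-verifies it, so the forensics team can show whether remediation touched any artifact. The directory layout, file contents, case ID and collector name are constructed sample data.

```python
"""Evidence-preservation helper: hash artifacts before anyone restores service.

Added illustrative example, not code from the original presentation. A first
responder runs build_manifest() over copied logs, configs or images before
remediation begins; the forensics team runs verify_manifest() later to prove
the artifacts were not altered in the meantime. All inputs are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large disk or memory images need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Record collector, collection time, and each artifact's path, size and hash.

    Paths are stored relative to evidence_dir so the bundle stays verifiable
    after it is handed to outside forensics or counsel.
    """
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        stat = path.stat()
        entries.append({
            "path": str(path.relative_to(evidence_dir)),
            "size": stat.st_size,
            "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return (relative_path, problem) for every artifact missing or changed."""
    problems = []
    for entry in manifest["artifacts"]:
        path = evidence_dir / entry["path"]
        if not path.is_file():
            problems.append((entry["path"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo() -> tuple:
    """Constructed scenario: collect evidence, then simulate a 'cleanup' edit.

    Returns (problems_before, problems_after) so the outcome can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        (evidence / "logs").mkdir(parents=True)
        # Constructed sample log line and config; not real data.
        (evidence / "logs" / "auth.log").write_text(
            "Jan 01 02:03:04 host sshd[123]: Accepted password for admin from 203.0.113.5\n"
        )
        (evidence / "config.ini").write_text("[svc]\nallow_remote=true\n")

        manifest = build_manifest(evidence, collector="oncall-it", case_id="IR-0001")
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        before = verify_manifest(evidence, json.loads(manifest_path.read_text()))

        # Remediation "tidies up" the log; the manifest now proves it was altered.
        (evidence / "logs" / "auth.log").write_text("")
        after = verify_manifest(evidence, json.loads(manifest_path.read_text()))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before remediation:", before)
    print("after remediation:", after)
```

Store the manifest somewhere the remediation team cannot write (or sign it, or hand a copy to counsel) so that the record itself cannot be quietly adjusted; the script only establishes integrity of the copied artifacts, not of the live systems they came from.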
Role of Counsel
• It is almost always a good idea for counsel to direct the investigation and retain third parties (e.g. forensics):
  - Attorney-client privilege
  - Quick advice on time-sensitive legal obligations
  - Expertise on the process
  - Ability to scale up for incident response work
  - Coordination with the crisis communications / PR team
  - Legal review of contractual obligations
Required Notifications: State
• All 50 states now have data breach laws, plus DC and Puerto Rico
• Every law is different, and they are constantly changing
• Generally, they:
  - Cover Personally Identifiable Information (PII)
  - Often require reporting to a state official (Attorney General or other)
  - Usually require notifying affected individuals
  - Sometimes set very short and specific deadlines for notifications
  - Often have very specific requirements about the form and content of notifications
  - Sometimes require credit monitoring for affected individuals
• Fast, accurate compliance with state breach laws is essential to an effective incident response
Notifying Law Enforcement
• Frequently optional
  - Outside counsel can advise
  - Not for every incident
• Pros and cons:
  - Can provide investigatory tools and contacts
  - Visibility into other similar acts or actors
  - May give the opportunity to delay notice
  - May slow down the investigation or take it outside of your control
Other Notifications
• Other notifications that may be legally required:
  - Subcontractors
  - Third-party vendors
  - International data privacy authorities, e.g. under Europe's General Data Protection Regulation (GDPR)
• Optional notifications to consider:
  - Information Sharing and Analysis Centers (ISACs), such as:
    • Public Transportation ISAC
    • Surface Transportation ISAC
    • Aviation ISAC
  - Law enforcement
Questions?
Garry R. Boehlert
SAUL EWING ARNSTEIN & LEHR LLP
1919 Pennsylvania Avenue, NW, Washington, DC 20006-3434
[email protected] | www.saul.com

April F. Doss
SAUL EWING ARNSTEIN & LEHR LLP
500 E. Pratt Street, Suite 800, Baltimore, MD 21202-3133
[email protected] | www.saul.com