Cybersecurity in the Construction Industry: Is the Threat Real? What Can I Do?

October 2, 2018

© Copyright 2017 Saul Ewing Arnstein & Lehr LLP


Construction and Insurance Counsel


Is the Threat to our Transportation Infrastructure Real?

Unfortunately – Yes!


Where do Vulnerabilities Exist In the Transportation Industry?

• The Department of Homeland Security has deemed each of the following sectors at risk:
  – Aviation
  – Highway Infrastructure and Motor Carrier
  – Maritime
  – Mass Transit and Passenger Rail
  – Pipeline Systems
  – Freight Rail
  – Postal and Shipping


To date, Where Have Attacks on Critical Infrastructure Been Successful?

• 2003: Sobig virus shut down a railroad’s signaling, dispatching and other systems
• 2014: Chinese National Train Reservations system hacked – PII
• 2015: Polish National Airline had to cancel flights due to cyber intrusion into its computer system
• 2015: Flights at Swedish airports cancelled because of an attack on air traffic control
• 2015: Attack on Ukraine’s power grid left large areas without electricity
• 2016: Attack on the command-and-control system of a dam in Rye Brook, NY (foreign nation)
• 2016: San Francisco light rail held hostage by hackers using malware
• 2018: Danish shipping company had transport and logistics attacked by hackers – costing $300 million


What Is Facilitating The Increased Risk Of Cyber Attack?

• Increased dependence on the Internet
• Shared resources – Integrated Project Delivery and Building Information Modeling (BIM)
• Shared networks with a multiplicity of vendors and suppliers
• Internet of Things (IoT):
  – Highly insecure
  – Frequently incapable of remote software updates
  – Manufacturers compromising security for faster time to market


What Is at Risk?

• All digital assets:
  – Business plans and acquisition strategies
  – Proprietary designs
  – Customer, contractor and supplier lists and pricing
  – Personally Identifiable Information (PII)
  – Facilities security information


Pay Now, or Pay More Later

• Why do cybersecurity incidents cost so much?
• Typical costs for a breach of PII:
  – Investigation (IT, legal, compliance, personnel)
  – Remediation (IT, legal, compliance, personnel)
  – Breach notification
  – Remedies to affected individuals
• Potential additional costs:
  – Litigation
  – Loss of IP
  – Business interruption
  – Regulatory investigation
  – Enforcement agency action


What Can I Do to Address The Risk Posed by Cyber Threats?

• Develop and Implement Sound Risk Management Best Practices and Continue to Update Them

• Insure Against the Risk of Cyber Harm


Cyber Risk Management Best Practices

• Take a comprehensive approach:
  – Establish board oversight
  – Create a culture of security awareness and training
  – Apply industry best practices and frameworks – NIST, ISACA, ISO standards, ISACs
  – Map the legal, regulatory, public, insurance, etc. disclosure obligations for private information ahead of time, for every jurisdiction you operate in
  – Create an incident response team and plan, and test them periodically
• Take specific steps relating to data and IT:
  – Inventory your assets – hardware, software, infrastructure
  – Conduct a data inventory and establish data governance policies
  – Penetration testing / vulnerability assessment
  – Continuous monitoring
  – Conduct periodic risk assessments
• Treat a cyber incident like any other crisis


How Can Costs be Contained?

• Invest in IT as if your organization depends on it
• Maintain clear and current policies
• Require regular and effective training
• Prepare for the worst
• Manage vendor/supply chain risk
• Consider insurance coverage


Invest in IT as if Your Organization Depends on IT

• Know your IT
  – Astonishing how many organizations don’t have anyone who really knows their IT
  – Where does different information map to?
  – Where are different users authorized to go?
• Resist the temptation to DIY it
  – Know the limits of what you know
• If you get contract help, read the contract carefully – review indemnity clauses and manage vendor risk
• If you switch IT providers, get detailed documentation
  – A forensic image might not hurt


Maintain Clear and Current Policies

• According to some major studies, over half of cybersecurity incidents result from insider actions
  – Inadvertent: 23%
  – Malicious: 35%
• Personnel policies can make clear:
  – Consent to monitoring in the workplace
  – Restrictions on downloading files or applications
  – Limitations on bring your own device
  – Consequences for failure to comply
• IT policies can provide additional technical detail for system administrators and other users on issues affecting data security and privacy, e.g.:
  – Retention limits
  – Backup practices


Require Regular and Effective Training

• Training on personnel policies relating to IT use:
  – Phishing attacks
  – Social engineering
  – Password management
  – Use of removable media
  – Laptops and other mobile devices
• Training on the incident response plan:
  – So the team knows who they are and what to do if an emergency arises
  – Testing the plan is an effective way to reveal its flaws


Manage Vendor/ Supply Chain Risk

• All vendors can introduce cybersecurity risk
• Vendor management is a team sport:
  – Legal
  – IT/Security
  – Finance
  – Risk Management
  – Procurement
  – SMEs (subject matter experts)


Manage Vendor/Supply Chain Risk

• IT/Security:
  – Any vendor that has access to your network is an extension of your network
  – Robust vendor screening is a good first step
  – In-depth vendor questionnaire
  – Not enough to simply have it in the contract – how to measure and enforce?
    • Right to audit
    • Third party audit (SOC?)
    • Application of third party standards (NIST, ISO)
• Procurement and SMEs:
  – Is the correct form of agreement being presented at the outset?
  – Is vendor diligence being performed prior to the start of contract negotiations?
  – Is vendor risk being considered in pricing?
  – Are the right SMEs being asked to evaluate the vendor based on the services?
  – Ongoing vendor management/evaluation


Manage Vendor/Supply Chain Risk

• Legal component:
  – Robust contract intake to identify possible risks
  – Review contracts
  – Policies and requirements need to apply to vendors by contract
  – Indemnification and warranties
  – Approvals for material changes
  – Any special requirements?
• Finance and risk management:
  – Does the vendor have the $$$ to perform?
  – Does the vendor have $$$ if there is a breach?
  – Does the vendor have a pro-active approach to risk management and mitigation?
    • Vulnerability disclosure and management
  – Does the vendor carry cyber insurance suitable for the risks presented?


What Types of Insurance Are Available?

• First party coverage:
  – Damaged or lost digital assets
  – Lost business opportunities or increased operational costs due to interruption
  – Cyber extortion – ransom
  – Funds stolen through electronic crime
• Third party coverage (protection of entities that manage the network or system that holds the data):
  – Breaches of employee data
  – Lost customer information
  – Notification after a breach
  – Public relations, as well as combatting claims and litigation


What Will Insurance Underwriters Be Looking For As Premiums Are Determined?

• Best practices to guard against attacks
• Written policies and procedures
• Education and training of all employees
• Effective response and recovery plan for when attacks do occur


Prepare for the Worst: the Incident Response Plan

• The most effective cyber incident response is based on an incident response plan that is:
  – Tailored to your organization
  – Tested through tabletop exercises and scenarios
  – Trained for executives and line personnel
  – Updated regularly
• And puts outside relationships in place where needed:
  – With outside counsel
  – With forensics experts
  – With crisis communications


Incident Response Plan

• Part of a comprehensive cybersecurity program and policy

• Tailored to your organization

• Updated regularly

• Tested through tabletop exercises and scenarios

• Training for executives and line personnel

• Puts relationships in place with outside counsel, forensics expert and crisis communications.


Components of an Incident Response Plan

• An incident response plan should:
  – Identify roles and responsibilities
  – Define escalation paths and criteria
  – Outline approaches for specific scenarios
  – Provide out-of-band contact methods and information for each member of the team
  – Dictate the method for record-keeping throughout the incident
  – Provide a step-by-step guide for bringing a strategic approach to a chaotic situation


Incident Response Team

• Internal:
  – Risk Management and Financial
  – Operations and Business Continuity
  – Communications
  – IT
  – Legal
  – HR
• External:
  – Outside counsel
  – Forensics IT consultant
  – Call center
  – Insurance
• Integrate into the overall governance, risk management, and business continuity framework


Role of Forensic IT Professional

• Engagement process (think in minutes, not days!)
  – Outside counsel can help with this
• Pre-existing relationship is ideal –
  – But not the IT provider you use for everyday purposes
• Experience, reputation and references
• Soft skills and technical skills
• First: do no harm
  – Often means restoring service first; root cause later
  – But also requires preserving evidence for forensic review
  – Requires collaboration between the day-to-day IT team and the forensics team


Role of Counsel

• Almost always a good idea for counsel to direct the investigation and retain third parties (e.g., forensics):
  – Attorney-client privilege
  – Quick advice on time-sensitive legal obligations
  – Expertise on the process
  – Ability to scale up for incident response work
  – Coordination with crisis communications/PR team
  – Legal review of contractual obligations


Required Notifications - State

• All 50 states now have data breach laws, plus DC and Puerto Rico
• Every law is different – and constantly changing
• Generally:
  – Cover Personally Identifiable Information (PII)
  – Often require reporting to a state official (Attorney General or other)
  – Usually require notifying affected individuals
  – Some have very short and specific deadlines for notifications
  – Many have very specific requirements about the form and content of notifications
  – Some require credit monitoring for affected individuals
• Fast, accurate compliance with state breach laws is essential to an effective incident response


Notifying Law Enforcement

• Frequently optional
  – Outside counsel can advise
  – Not for every incident
• Pros and cons:
  – Can provide investigatory tools and contacts
  – Visibility into other similar acts or actors
  – May give the opportunity to delay notice
  – May slow down the investigation or take it outside of your control


Other Notifications

• Other notifications that may be legally required:
  – Subcontractors
  – Third party vendors
  – International data privacy authorities
    • Europe’s General Data Protection Regulation (GDPR)
• Optional notifications to consider:
  – Information Sharing and Analysis Centers (ISACs), such as:
    • Public Transportation ISAC
    • Surface Transportation ISAC
    • Aviation ISAC
  – Law enforcement


Questions?

Garry R. Boehlert, Saul Ewing Arnstein & Lehr LLP
1919 Pennsylvania Avenue, NW, Washington, DC 20006-3434
[email protected] | www.saul.com

April F. Doss, Saul Ewing Arnstein & Lehr LLP
500 E. Pratt Street, Suite 800, Baltimore, MD 21202-3133
[email protected] | www.saul.com
