Dec 13, 2013


UNDER THE RADAR: LEGAL RESPONSIBILITIES ARISING FROM CYBER THREATS AND SEVERE IMPACTS TO THE GRID

by

Stephen J. Humes

Holland & Knight


Roland L. Trope

Trope and Schramm LLP


© Copyright 2013 Roland L. Trope and Stephen J. Humes. All Rights Reserved.

For the Edison Electric Institute Spring Legal Conference

DISCLAIMER: VIEWS EXPRESSED ARE SOLELY THOSE OF THE AUTHORS, AND HAVE NOT BEEN REVIEWED OR APPROVED BY, AND SHOULD NOT BE ATTRIBUTED TO THE U.S. MILITARY ACADEMY, THE DEPARTMENT OF THE ARMY, THE DEPARTMENT OF DEFENSE, OR THE U.S. GOVERNMENT.

OVERVIEW

Emerging Responsibilities

Causes:
- Escalating threats to critical infrastructure
- Regulatory standards and enforcement
- Executive Order (EO) 13636
- NERC Task Force guidance (May 2012)

Questions for Boards, C-Officers, and Counsel

1. Are we prepared to receive DHS cyber intel reports?
2. Do we need to revise our response plans for a coordinated cyber attack?
3. Do our disaster recovery plans cover a “Severe Cyber Impact”?
4. Are there new legal issues we need to address?

ESCALATING THREATS TO CRITICAL INFRASTRUCTURE

TIMELINE: Escalating Threats to Critical Infrastructure (2009 to 2014)

EVENTS IN U.S.:
- China’s “Comment Group” penetrates Diablo Canyon nuclear plant

EVENTS OVERSEAS:
- Stuxnet damages Iranian uranium enrichment centrifuges

RECENT ATTACK RECORD: Diablo Canyon

- Plant operated by Pacific Gas & Electric Co.
- Reportedly breached computer of senior nuclear planner
- No solid indication of data stolen
- Attempting “to identify … security of U.S. nuclear power generation facilities.”

TIMELINE: Escalating Threats to Critical Infrastructure (2012; timeline markers APR, AUG, SEPT, DEC)

EVENTS IN U.S.:
- Iranian cyberattacks on Citigroup, Wells Fargo, Bank of America, and U.S. Bank

EVENTS OVERSEAS:
- Iranian cyberattacks on Aramco wipe out hard drives on 55,000 PCs (¾ of Aramco’s corporate PCs)

DHS OIG REPORT 2013
Security of Industrial Control Systems (ICS)

“A recent survey in the energy sector revealed that a majority of the companies in the sector had experienced cyber attacks, and about 55 percent of these attacks targeted ICS.”

“A successful cyber attack on ICS may result in physical damage, loss of life, and cascading effects that could disrupt services.”

THREAT ASSESSMENT 2013

- Increasing risk to U.S. critical infrastructure
- During next 2 years: remote chance an attack would result in “long-term, wide-scale disruption of services, such as a regional power outage”

THREAT ASSESSMENT 2013

But: “isolated state or nonstate actors … could access some poorly protected US networks that control core functions, such as power generation …”

REGULATORY STANDARDS AND ENFORCEMENT

TIMELINE: Regulatory Standards and Enforcement (2005 to 2012)

FERC EVENTS:
- 2005: EPAct ’05 enacted; § 1211 became § 215 of FPA; FERC to oversee mandatory reliability standards for the bulk power grid
- 2008: FERC Order 706 approves first CIP Standards
- FERC rejects business judgment rule as part of CIP standards
- FERC approves NERC CIP Standards, Version 3 and Version 4

NERC EVENTS:
- 2006: NERC certified as electric reliability organization

CIP STANDARDS ENFORCEMENT

- FY2012: FERC staff participated in regional audits of owners, users, and operators of the bulk power system per Order No. 706
- Audited compliance with CIP Reliability Standards

CIP STANDARDS ENFORCEMENT

- 152 violations of CIP Reliability Standards (CIP-002 through CIP-009)
- NERC cited 279 other violations of CIP Reliability Standards, which led to $6,490,499 in proposed penalties
- Largest single penalty assessed was $400,000

TIMELINE: Events Leading Up to EO 13636 (2011 to 2013)

EVENTS IN EXECUTIVE BRANCH:
- 2011: SEC Staff issues Cybersecurity Disclosure Guidance
- SEPT 2012: White House circulates draft Executive Order
- NOV 2012: White House circulates revised draft EO
- FEB 2013: President issues Executive Order 13636

EVENTS IN LEGISLATIVE BRANCH:
- AUG 2012: Senate votes down proposed cybersecurity bill
- NOV 2012: Senate votes down proposed cybersecurity bill

EXECUTIVE ORDER 13636
FEB 12, 2013

EXECUTIVE ORDER 13636
Risk Assessment

“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.”

EXECUTIVE ORDER 13636
Standards

Purpose: Help owners and operators “identify, assess and manage cyber risks”

Direction: NIST to coordinate development of Cybersecurity Framework

Results: A set of “voluntary consensus-based standards and industry best practices”

EXECUTIVE ORDER 13636
Standards

Caution:
- Participation is “voluntary”
- But EO envisions Framework as a metric for judging a company’s cybersecurity
- Sec. 7(b): It “shall include guidance for measuring the performance of an entity in implementing” the Framework

Andy Ozment, White House Senior Director for Cybersecurity, FEB 28, 2013

Strategy of “Framework”:

“[S]ome regulators need to improve, and we will ask them to consider the Framework and issue new regulations.”

EXECUTIVE ORDER 13636
Information Sharing

Kinds of Federal Cyber Intel:
1. Classified: shared thru participation in Enhanced Cybersecurity Services
2. Unclassified: Imminent Target Notices
3. Confidential: Catastrophic Target Notices

IMMINENT TARGET NOTICES

- “unclassified reports of cyber threats to U.S. homeland that identifies a specific targeted entity”
- Deliver to targeted entity

CATASTROPHIC TARGET NOTICES

- Identify “where a cybersecurity incident could reasonably result in catastrophic regional or national effects”
- Confidentially notify owners & operators
- Provide them with basis for determination

Questions for Boards, C-Officers, and Counsel

1. Are we prepared to receive DHS cyber intel reports?

BEFORE YOU RECEIVE IMMINENT TARGET NOTICES
Basic Questions re Receipt, Review, & Action

- Who receives it?
- Who reviews it?
- Who decides what actions we should take?
- Who will document what we do with it?

BEFORE YOU RECEIVE IMMINENT TARGET NOTICES
Questions re Content and Timing

- What information will Notice provide?
- What will it withhold?
- How far ahead of attack will it arrive?

Andy Ozment, White House Senior Director for Cybersecurity, FEB 28, 2013

“When you get the information, you will see that much of it is fragmentary and vague.”

“We may say your sector faces an unknown type of attack, at an unknown time, and of unknown intensity, and we can’t tell you more than that or how to use it.”

BEFORE YOU RECEIVE IMMINENT TARGET NOTICES
Basic Questions re Protecting and Sharing Intel

- How will we safeguard the intel?
- What stakeholders should we notify?
  - NERC and State Regulators
  - Customers and Suppliers
  - Banks and Insurers
  - Investors (SEC filing)
- Who will speak to media and social media?
- How will we prevent “leaks” to media and social media?

Focus Preparedness on Severe Event Impact

NERC, Cyber Attack Task Force Final Report, Board of Trustees Accepted: May 9, 2012
3353 Peachtree Road NE, Suite 600, North Tower, Atlanta, GA 30326 | 404-446-2560 | www.nerc.com

NERC GUIDE ON WARNINGS
NERC TASK FORCE GUIDANCE FOR RECEIPT OF THREAT WARNINGS

“If there is warning of a possible attack …, operating entities may want to consider staffing each of the sites where it has some operating capability. In the event that any one or multiple sites are damaged the remaining facility may be able to take control, if only partially.”






NERC GUIDE ON WARNINGS
NERC TASK FORCE GUIDANCE FOR RECEIPT OF THREAT WARNINGS

“In an environment of heightened cyber threat, operating entities may consider not keeping [primary and backup control centers] … synchronized and using different sets of cyber controls and hardware to ensure that both centers do not have common vulnerabilities to potential cyber threats.”






WHAT SHOULD WE DO WITH THE INTEL?

Consider what’s changed. View it post-attack:
- Can’t say “attack wasn’t foreseeable”
  - You received federal cyber intel
  - DHS Notice “put you on notice”
- Can’t say “we didn’t anticipate damage to others”
- Inaction: inexcusable
- Lack of preparedness: indefensible

WHAT SHOULD WE DO WITH THE INTEL?

“Hurricane Sandy” test:
- Can’t be blamed for coordinated cyber attack
- Will be judged chiefly on
  - Resilience to disruption
  - Preparedness for recovery
  - Speed and extent of restored operations

Questions for Boards, C-Officers, and Counsel

2. Do we need to revise our response plans for a coordinated cyber attack?
3. Do our disaster recovery plans cover a “Severe Cyber Impact”?

Severe Impact

- An emergency situation so catastrophic that complete restoration of electric service is not possible.
- Preparedness aims at graceful degradation.
- The BPS is operated at reduced state of reliability and supply for months or possibly years through New Normal period.

SEVERE INCIDENT RESPONSE
Challenges

- Do your plans cover “worst case” of a Severe Incident?
- Analogy: Events of Nature become much worse when the ocean is involved
  - Examples: Hurricane Sandy’s “tidal surge”; Tōhoku earthquake’s “tsunami”
  - Like the ocean, “Advanced Persistent Attacks” add magnitude, complexity, and severity
- Other critical infrastructure, like cellular service, will probably be overwhelmed (as in Boston after bombing); plan to use text messages

SEVERE INCIDENT RESPONSE
Challenges

Do your plans:
- Require scenario-based and stress-tested drills
  - Model on USN’s “damage control” drills
  - Test resourcefulness by removing key people and resources
  - “[p]repare staff on the potential confusion and hesitation which is inherent in an ongoing security incident”






SEVERE INCIDENT RESPONSE
“Graceful Degradation”

Do your plans cover Isolation, Islands, and Survivability:
- Provide for “trying to maintain reliable operations in a reduced state for as long as possible”






SEVERE INCIDENT RESPONSE
“Graceful Degradation”

Do your plans cover Islanding:
- Provide strategies for
  - Reduced monitoring
  - Reduced situational awareness
  - Loss of Internet
  - Re-charging of cell phones, tablets and other devices
  - Options to communicate with customers (Twitter, Facebook)






SEVERE INCIDENT RESPONSE
Use of Twitter (Assumes Internet is Operational)

SEVERE INCIDENT RESPONSE
Investigation and Forensics

- Key element: preserve forensic data
- Keep detailed records; more information generally better than less
- Verify that all system clocks are synchronized
- Seek Board approval for internal investigation by outside counsel; obtains maximum coverage of privilege






Recovery during “New Normal”

Do your plans:
- Define “critical” and “priority” loads for system restoration and managing load shedding






Recovery during “New Normal”

Do your plans cover:
- Loss of primary and backup control centers?
- Operating at a remote and physically secure alternate site?






Questions for Boards, C-Officers, and Counsel

4. Are there new legal issues we need to address?

SEVEN PRIORITY CONCERNS
APR 2013 to APR 2014

SEVEN PRIORITY CONCERNS

1. Responsibilities for response and recovery will increase.
- When DHS starts issuing IMMINENT TARGET NOTICES and CATASTROPHIC TARGET NOTICES
- When DHS reviews Cybersecurity Framework
- When threat assessments and incidents intensify

SEVEN PRIORITY CONCERNS

2. Information sharing agreements will need to be drafted and/or updated
- For threat warnings
- For Severe Impacts
- For third-party access to company sensitive data
- To address necessary disclosures despite NDAs

SEVEN PRIORITY CONCERNS

3. Incident response plans will need new sections
- For ensuring orderly “graceful degradations” of operations
- For seeking Federal assistance against cyberattack
- To report NERC CIP-Standards violations (seek waivers?)
- For insurance notifications and coverage

SEVEN PRIORITY CONCERNS

4. Recovery plans will need new sections
- For months/years of New Normal “degraded operations”
- Disclosures to:
  - SEC
  - State regulators
  - Customers and suppliers
- Update mutual assistance agreements

SEVEN PRIORITY CONCERNS

5. To what extent will you adopt NIST’s Cybersecurity Framework standards?
- Will the “Framework” include some standards that exceed NERC CIP Standards?
  - “Best practices” always surpass minimum standards
- Reputational damage if you avoid or delay adoption
  - e.g., what if you postpone until after a Severe Impact?

SEVEN PRIORITY CONCERNS

6. How will you position your company to defend against alleged violations of:
- Multiple applicable versions of NERC CIP standards
- NERC compliance and enforcement audits
- Lawsuits: stakeholders alleging damages under New Normal
  - E.g., customers not receiving restored power on priority basis
- Rate recovery of cybersecurity investment and recovery costs

SEVEN PRIORITY CONCERNS

7. Company legal strategies will need to be updated to reflect changing attitudes by courts and regulators
- Patco Construction Co. v. People’s United Bank (1st Cir. 2012)
  - Over 7 days, Bank authorized fraudulent transfers of $588,851, ignored red flags of timing, value, and location
  - Bank’s security held not “commercially reasonable”
  - If you’re in best position to provide security, must do so

SEVEN PRIORITY CONCERNS

FTC v. HTC America (settlement), FEB 2013
- HTC America failed to employ reasonable and appropriate security practices in design of software for mobile devices
- Failed to test software to identify vulnerabilities
- Security assessments every other yr. for 20 yrs.
- Software vendors may become liable for vulnerabilities

QUESTIONS

REPORTING REQUIREMENTS

- EOP-004: Event Reporting standard; within 24 hrs.
- CIP-001-2a: Sabotage Report; to Interconnection parties, and FBI or RCMP
- CIP-008: Cyber Security; all reportable Cyber Security Incidents reported to ES-ISAC