Post on 11-Jun-2020

Cybersecurity for Construction & Real Estate

Presented by:

Carly Devlin and Thomas Groenke

Moderated by:

Teresa Cushman

TODAY’S PRESENTERS

Carly Devlin, Managing Director, Columbus Office

Clark Schaefer Consulting

Thomas Groenke, Manager, Construction & Real Estate

Clark Schaefer Hackett

AGENDA

• Understanding Cyber Risk

• Cyber Threats

• Case Studies

• Managing Cyber Risk

• Cybersecurity Tools

• Questions

UNDERSTANDING CYBER RISK

What is Cyber Risk?

Any risk of financial loss, disruption, or damage to the reputation of an organization from a failure of its information technology systems.

Source: The Institute of Risk Management

▪ Failure to mitigate this risk may cause:

- Disruption of systems/business processes

- Loss of confidential data

- Financial loss

- Fraudulent reporting and metrics

- Damage to reputation

Cybersecurity Industry Facts

Cyber Crime Damage: $6 trillion annually by 2021

Cybersecurity Spending: Will exceed $124 billion in 2019

Unfilled Cybersecurity Jobs: 3.5 million by 2021

Human Attack Surface: 6 billion people by 2022

Global Ransomware Damage Costs: Will reach $11.5 billion in 2019

Source: CSO

Cybersecurity Definitions

Threat: Circumstance or event with the potential to adversely impact organizational operations, organizational assets, and/or individuals, through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Threat Actors and Their Motives:

- National Governments: Cyber warfare/espionage

- Terrorist Groups: Spread terror

- Organized Crime: Financial gain

- Hacktivists: Political agenda

- Hackers: Notoriety/financial gain

- Insider Threats: Revenge/financial gain

CYBER THREATS

Security Incident Survey (chart): 2018 Verizon Data Breach Report, Construction & Real Estate

Our Clients: Most Common Cyber Threats

Phishing

Ransomware

Human Error

Software Vulnerabilities

Internet of Things (IoT)

Threat Horizon and Industry Outlook

▪ Social engineering attacks (phishing) will continue to be a matter of concern for the construction and real estate industries

▪ Ransomware continues to be a rising concern for the construction and real estate industries

▪ The rise of the Internet of Things (IoT) will continue to bring the threat of cyber attacks

CASE STUDIES

Attack #1 – BNP Paribas (Real Estate Subsidiary)

Attack Victim: BNP Paribas

Attack Date: June 2017

Description: BNP Paribas’ real estate unit took a hit from a global cyber attack that disrupted the computers of companies around the world (malware).

Attack #2 – All-Ways Excavating USA

Attack Victim: All-Ways Excavating USA

Attack Date: January 2019

Description: A 15-person construction contractor in Salem, Oregon fell victim to a cyber attack that was most likely carried out by a foreign government.

Attack #3 – DC-Area Real Estate Company

Attack Victim: DC-Area Real Estate Company

Attack Date: Within the last couple of years

Description: Cybercriminals stole client contact information from a DC-area real estate company, then created a phishing scam, which resulted in $1.5 million being stolen in a wire fraud scheme from a couple about to close on a home.

Attack #4 – Target

Attack Victim: Target

Attack Date: 2013

Description: Hackers gained access to the network credentials that a small HVAC contractor used to remotely access Target’s network, resulting in the breach of credit and debit card information for tens of millions of customers in the U.S.

MANAGING CYBER RISK

Managing Cyber Risk

Mitigation vs. Elimination of Risk

2018 SEC OCIE Examination Priorities

▪ 2018 Examination Priorities – The SEC’s Office of Compliance Inspections and Examinations (OCIE) has prioritized cybersecurity.

▪ Compared to 2017, the OCIE has extended the scope of its examination to include:

- Governance and Risk Assessment

- Access Rights and Controls

- Data Loss Prevention

- Vendor Management

- Training

- Incident Response

▪ As a result, the OCIE examiners could potentially request related documents, particularly ownership of third-party risks as it relates to tenants and vendors.

Use of a Security Framework

A series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.

Security Frameworks

ISO

NIST

ISO/IEC 27001:2013

▪ Established by: The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)

▪ Designed to: Provide requirements for an information security management system (ISMS)

▪ Overview: Specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements are intended to be applicable to all organizations, regardless of type, size, or nature.

NIST Cybersecurity Framework

▪ Established by: The National Institute of Standards and Technology (NIST)

▪ Designed to: Be a U.S. government-ordered cybersecurity framework

▪ Overview: A structure for the nation’s financial, energy, healthcare, and other critical systems to better protect their information and physical assets from cyber attack. NIST provides a common language with which to address and manage cyber risk in a cost-effective way based on business needs, without additional regulatory requirements.

NIST Cybersecurity Framework (CSF)

▪ Three Parts:

– Framework Core

– Framework Implementation Tiers

– Framework Profiles

Allows organizations to:

▪ Describe current cybersecurity posture

▪ Describe target state for cybersecurity

▪ Identify and prioritize opportunities for improvement

▪ Assess progress towards target state

▪ Communicate using common language among internal and external stakeholders about cybersecurity risk

CSF Core (diagram)

CSF Tiers/Profiles

▪ Tiers

– Tier 1: Partial

– Tier 2: Risk Informed

– Tier 3: Repeatable

– Tier 4: Adaptive

▪ Profiles

– Current profile (“as is”)

– Target profile (“to be”)

CSF – Applying the Framework

1. Prioritize & scope

2. Orient

3. Create a current profile

4. Conduct a risk assessment

5. Create a target profile

6. Determine, analyze & prioritize gaps

7. Implement action plans

(Repeatable cycle)

CSF – Benefits and Challenges

▪ Benefits:

– Voluntary

– Expose new risks

– Sharing, collaboration

– Layered approach

▪ Challenges:

– Not “set it and forget it”

– Requires “buy-in”

– Communicating risks

– Large, complex organizations

– Lack of quantifiable metrics

OTHER CYBERSECURITY TOOLS

NIST 800-53

▪ Security and Privacy Controls for Federal Information Systems and Organizations

▪ 18 security areas

– Management/enterprise

– Operational

– Technical

▪ 8 privacy areas

NIST 800-53: Example Control (slide image)

NIST 800-53: Benefits and Challenges

▪ Benefits:

– Comprehensive

– Supplemental guidance useful

– Baselines allow a risk-based approach

– Supported by SP 800-53A, allowing for corresponding assessment

– Cross references throughout and to other NIST SPs

▪ Challenges:

– Comprehensive! (Complex)

– Focus on Federal systems

• Private entities? State/Local government?

– Focus on information systems

• IoT devices, industrial control systems, weapons systems

NIST 800-61: Computer Security Incident Handling Guide

▪ Organizing a Computer Security Incident Response Capability

- Understanding Events and Incidents

- Incident Response Policy, Plan, Procedures

- Incident Response Team Structure

▪ Handling an Incident

- Preparation

- Detection and Analysis

- Containment, Eradication and Recovery

- Post-Incident Activity

NIST 800-61: Benefits and Challenges

▪ Benefits:

- Easy to understand for detecting, analyzing, prioritizing, and handling incidents

- Provides checklists, scenarios, examples, recommendations

▪ Challenges:

- Less focus on establishing an incident response program

- Doesn’t provide a specific template for an Incident Response Policy or Plan

1800 Series: Cybersecurity Practice Guides

SP 1800-1 (July 2015): Securing Electronic Health Records on Mobile Devices

SP 1800-2 (August 2015): Identity and Access Management for Electric Utilities

SP 1800-3 (September 2015): Attribute Based Access Control

SP 1800-4 (November 2015): Mobile Device Security: Cloud and Hybrid Builds

SP 1800-5 (October 2015): IT Asset Management: Financial Services

SP 1800-6 (November 2016): Domain Name Systems-Based Electronic Mail Security

SP 1800-7 (February 2017): Situational Awareness for Electric Utilities

SP 1800-8 (May 2017): Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

SP 1800-9 (August 2017): Access Rights Management for the Financial Services Sector

SP 1800-10 (Not yet released): Identity and Access Management

SP 1800-11 (September 2017): Data Integrity: Recovering from Ransomware and Other Destructive Events

SP 1800-12 (September 2017): Derived Personal Identity Verification (PIV) Credentials

Questions?

Carly Devlin, Managing Director

cdevlin@clarkschaefer.com

Thomas Groenke, Manager, Construction & Real Estate

tgroenke@cshco.com

Thank you!