Cyber Security Seminar
September 14, 2019
Presentations from:
Sean McMillan, P.E. of Jones|Carter
Kim Courte, CPCU of Arthur J. Gallagher & Co.
Agenda
American Water Infrastructure Act
Texas HB 3834
How do I stay informed?
Latest Threat Landscape - Ransomware
• Multiple cities and other governmental agencies have been attacked this year.
• Cities attacked include Baltimore, Albany, Laredo, Amarillo, Atlanta, and many more.
• Lake City, Florida had insurance that paid a ransom of $460,000 in Bitcoin. Riviera Beach, Florida paid $600,000.
• Atlanta refused to pay $51,000 ransom. It is estimated the recovery will cost $17 million.
• Baltimore refused to pay $75,000. It is estimated the recovery will cost $18 million.
• Cities and municipalities are having problems hiring cybersecurity staff and paying for necessary resources and equipment.
• Paying the ransom may be the least expensive way to recover, but it encourages more attacks and funds the attackers' next campaigns.
Latest Threat Landscape - Ransomware
• On the morning of August 16, 2019, a coordinated ransomware attack on 22 Texas local governments was carried out. It is the largest coordinated ransomware attack so far.
• A single threat actor is believed to be behind the attack. The ransomware is believed to be Ryuk, the same family used in the Florida attacks.
• Governor Abbott ordered a Level 2 Escalated Response and has deployed cybersecurity experts to help assess damage and bring the affected entities back online.
• AWIA was signed into law on October 23, 2018.
• It requires every community water system serving a population of more than 3,300 people to conduct a risk and resilience assessment and develop an emergency response plan.
AWIA – American Water Infrastructure Act
• Each community water system serving a population of greater than 3,300 persons shall assess the risks to, and resilience of, its system. Such an assessment shall include:
– the risk to the system from malevolent acts and natural hazards;
– the resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system;
– the monitoring practices of the system;
– the financial infrastructure of the system;
– the use, storage, or handling of various chemicals by the system; and
– the operation and maintenance of the system.
Requirements of the AWIA
• Assault on Utility – Physical
• Contamination of Finished Water – Accidental*
• Contamination of Finished Water – Intentional
• Theft or Diversion – Physical
• Cyber Attack on Business Enterprise Systems
• Cyber Attack on Process Control Systems
• Sabotage – Physical
• Contamination of Source Water – Accidental*
• Contamination of Source Water – Intentional
AWIA – Baseline Threat Information
• Cyber Attack on Business Enterprise Systems
– Social Media?
– Notification Systems?
– Social Engineering Attacks?
• Cyber Attack on Process Control Systems
– SCADA
– Alarm Dialers
AWIA – Baseline Threat Information
• Requires a risk and resiliency assessment and emergency response plan.
• Utilities must submit a certification that the assessment and plan are complete; the documents themselves are not submitted.
• There are tools for performing a self assessment from EPA. There are also professionals who can help.
• Because most utilities will have to do it, resources will be strained. Don’t wait.
AWIA – Cyber Attacks
Texas HB 3834
• Texas HB 3834 now requires state and local government employees and elected officials to complete a certified cybersecurity awareness training program.
• An entity is exempt if it employs a dedicated information resources cybersecurity officer.
• The Texas Department of Information Resources (DIR) is currently reviewing training programs for certification.
• Annual training must be completed by June 14, 2020 by the following:
• State agencies: employees who use a computer to complete at least 25 percent of the employee's required duties, and elected or appointed officers of the agency.
• Local government entities: employees who have access to a local government computer system or database, and elected officials.
• Contractors of state agencies who have access to a state computer system or database must complete the training during the term of the contract and during any renewal period.
How do I stay informed?
• Monitor sources such as:
– https://www.us-cert.gov/
– https://csrc.nist.gov/
– https://www.sans.org/security-resources/blogs
– https://www.cybrary.it/
– https://krebsonsecurity.com/
– https://www.schneier.com/
– EPA
– AWWA
– Water ISAC
– The news
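Monitoring these sources by hand does not scale for a small utility staff. The following is an added example, not code from the seminar or from any of the organizations listed above: it parses an RSS 2.0 feed of the kind US-CERT/CISA publishes and flags only the items that mention terms relevant to a water utility (the watch list and the sample feed are constructed for illustration and are not real advisories). Whole-word matching is used so that "ICS" does not fire on "statistics" or "physics".

```python
"""Triage security-advisory RSS items against a watch list of terms.

Added example for this page; not the seminar's or any listed source's code.
Assumptions: the monitored sources publish RSS 2.0 (CISA/US-CERT does);
SAMPLE_FEED below is CONSTRUCTED sample data, not real advisories.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime

# Terms a water/wastewater utility would want to be alerted on.
# Assumption for illustration; tune this to your own environment.
WATCH_TERMS = ("ransomware", "scada", "water", "ics", "phishing")

# Constructed sample feed in RSS 2.0 layout (not real advisories).
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Constructed sample feed</title>
    <item>
      <title>Alert: Ransomware campaign targeting local governments</title>
      <link>https://example.invalid/alerts/1</link>
      <pubDate>Mon, 19 Aug 2019 14:00:00 GMT</pubDate>
      <description>Several municipalities report encrypted file servers.</description>
    </item>
    <item>
      <title>Advisory: Remote access weakness in a SCADA alarm dialer</title>
      <link>https://example.invalid/alerts/2</link>
      <pubDate>Wed, 21 Aug 2019 09:30:00 GMT</pubDate>
      <description>Affects water treatment operators using dial-out alarms.</description>
    </item>
    <item>
      <title>Bulletin: Quarterly summary of reported incidents</title>
      <link>https://example.invalid/alerts/3</link>
      <pubDate>Tue, 20 Aug 2019 12:00:00 GMT</pubDate>
      <description>Physics and optics statistics for the period.</description>
    </item>
    <item>
      <title>Tip: Recognizing spear phishing e-mail</title>
      <link>https://example.invalid/alerts/4</link>
      <pubDate>Sun, 18 Aug 2019 08:00:00 GMT</pubDate>
      <description>Train staff to verify unexpected requests.</description>
    </item>
  </channel>
</rss>
"""


@dataclass
class Advisory:
    title: str
    link: str
    published: datetime
    summary: str


def parse_feed(xml_text: str) -> list:
    """Parse RSS 2.0 <item> elements into Advisory records, newest first."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append(Advisory(
            title=(item.findtext("title") or "").strip(),
            link=(item.findtext("link") or "").strip(),
            # RFC 822 date as used by RSS; parsed to a timezone-aware datetime.
            published=parsedate_to_datetime(item.findtext("pubDate")),
            summary=(item.findtext("description") or "").strip(),
        ))
    items.sort(key=lambda a: a.published, reverse=True)
    return items


def matching_terms(adv: Advisory, terms=WATCH_TERMS) -> list:
    """Return the watch-list terms found as whole words in title or summary."""
    text = f"{adv.title} {adv.summary}"
    return sorted(t for t in terms
                  if re.search(rf"\b{re.escape(t)}\b", text, re.IGNORECASE))


def triage(xml_text: str, terms=WATCH_TERMS) -> list:
    """Return (advisory, matched_terms) pairs for items worth a human's time."""
    hits = []
    for adv in parse_feed(xml_text):
        found = matching_terms(adv, terms)
        if found:
            hits.append((adv, found))
    return hits


if __name__ == "__main__":
    for adv, found in triage(SAMPLE_FEED):
        print(adv.published.date(), ",".join(found), "-", adv.title, adv.link)
```

In production the feed text would come from an HTTP fetch of each source on a schedule, and the hits would be routed to a ticket queue or e-mail; the parsing and matching logic stays the same.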
District Cyber Presentation
Kim Courte, CPCU
W.I.N. Program Director
Gallagher
TOPICS
Causes
Cyber & Privacy Liability
Data Breach & Response
Protection
CAUSES
Hackers use Internet & Email:
Malware
Ransomware, Extortion, Terrorism
Phishing/Spear Phishing
Negligence involving paper, computer systems & employees (direct & vendors):
Websites
Security Failures
Lost Mobile Devices
Improper Disposal
Malicious:
Equipment Controls Connected to Internet
CYBER & PRIVACY LIABILITY
Arises from, and costs associated with:
Failure of computer security resulting in transmission of malicious code, denial of service, etc.
Data Breach: unauthorized release of information when legally required to keep it private
Defense costs in state or regulatory proceedings that involve violations of privacy
Expert resources and monetary reimbursement of related out-of-pocket expenses
DATA BREACH 2004-2017 BY THE NUMBERS (chart)
SIMPLIFIED VIEW OF A DATA BREACH
Discovery of a Data Breach: theft, loss, or unauthorized disclosure of personally identifiable non-public information
Evaluation of the Data Breach: forensic investigation and legal review
Managing the Short-Term Crisis: notification and credit monitoring
Handling the Long-Term Consequences: class-action lawsuits; regulatory fines, penalties, and consumer redress; public relations; reputational damage; income loss
BROAD FORM CYBER INSURANCE PROVIDES
24 Hour Immediate Engagement of Cyber Specialist
Crisis Management & Public Relations
Assistance with Forensic Investigation
Notification Cost
Credit Monitoring Expenses (Required and Voluntary)
Defense Cost
State Regulatory
Liability
Cost of Settlements or Judgments
CONCLUSION
Cyber Attack: It is not a question of “if”, it is “when”
Prepare: Identify and Mitigate Risk
Written Information Security Policy
Incident Response Plan
Manage Vendors
Protect Your Entity and your customers with Cyber Liability Insurance