System Integrator, Beware and Be Aware

There are a lot of predictions and resources that talk about cyber security for 2016, but not specifically about our industry; building/facility control system integration.  However, intermingled in all of these reports, predictions, and pundit speak are things that we need to be aware of and probably things that we need to beware of.

Predictions

1) Closer Scrutiny of Our Cybersecurity Practices

Ericka Chickowski posted on the website DarkReading “Boldest Cybersecurity Predictions For 2016“.  One of the predictions was entitled “Contractors Get Cyber Pat-Down“.   This prediction stated “Small contractors aren’t going to get a free pass anymore, predicts Deepak Patel of Imperva.

“Working with partners and contractors is critical to the day-to-day operations of most organizations. But recent, high-profile breaches shine a spotlight on the security risks of contractor insecurity,” says Patel. “2016 is the year where major enterprises will require all vendors to demonstrate that their cybersecurity is on par or better than the standard set by the enterprise. The derivative effect will be an increase in liability resulting in the maturity of the cyber-insurance market.” (reference link)

Further info from the Imperva article (reference link) stated ” Major corporations will enforce cyber security assessments of the third party firms and contractors. The Target data breach happened because of a compromised HVAC contractor. The Anthem data breach occurred through a smaller insurance firm that Anthem had just acquired. JP Morgan was no different with the hackers gaining unauthorized access through a third party firm. Each of these companies had well-defined policies for the infrastructure that they directly managed, and the outside firms with privileged access became the weak links. 2016 is the year where major enterprises will require all vendors to demonstrate that their cyber security is on par or better than the standard set by the enterprise. The derivative effect will be an increase in  liability/indemnity resulting in the maturity of the Cyber Insurance market. Similar to how high fire insurance premiums resulted in better building codes and ultimately safer buildings, the move to require increased cyber insurance coverage from the third party entities will result in stronger cyber security.”

2) Physical Damage and Life Safety

McAfee released McAfee Labs 2016 Threats Predictions (reference link) and had this to say about control system equipment:

“…our 2016 predictions about critical infrastructure attacks must acknowledge that they are low-incident, but high-impact events.  That said, we are witnessing an ever more connected world,  from digital oilfields to water treatment applications being hosted on the public cloud. The “isolated” nature of operational technologies is no longer the case, as discussed in research highlighting Internet-facing critical infrastructure devices. It should concern all of us that some of these devices use nothing more than default login credentials for protection. Add to this to an emerging trend in which criminals are selling direct access to critical infrastructure systems. The reality we now face is that the number of critical infrastructure vulnerabilities is increasing.”

3) Targeted Attacks

CIO-Today quoted Brian Contos, chief security strategist and senior vice president of field engineering at Norse to say “We’ll see cybercriminals continue to target industrial control systems,” said Contos. Kaspersky Lab has called targeted attacks on industrial control systems the biggest threat to critical national infrastructure.”  Contos also said ‘“There will be more malware designed to evade legacy sandboxing techniques,” Contos said. That’s bad news, given the rapid spread of malware in 2015. Researchers at German security firm G Data said that the first half of this year saw 12 new malware families a minute. Yes, that’s every 60 seconds.” (reference link)

PC Tech Magazine stated (reference link)  “… as control systems become increasingly connected, this will extend the potential attack surface – which will require better protection.”

4) Cybersecurity Issues Will Kill A Major Product

Also mentioned in the DarkReading Article “Boldest Cybersecurity Predictions For 2016” was a quote (reference link) from Mark Painter, a security evangelist for Hewlett Packard Enterprise.  “We are increasingly close to finding out. In 2016, we’ll see a major product shutdown due to security issues, as the product will no longer be worth producing due to the costs of fixing these vulnerabilities and brand reputation.”

Already Happened

1) More Government Involvement

In the latter part of 2015 we saw the FTC gained the ability to sue companies for not protecting client data (reference link 1 – reference link 2). The FTC alleged that Wyndham engaged in a number of practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft” including the following:”

1. the storage of credit card information in clear, unencrypted text;
2. failure to require employees to use complex user IDs and passwords to access company servers;
3. failure to use readily available security measures, such as firewalls to limit access between the corporate network and the Internet;
4. failure to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;
5. failure to “adequately restrict” the access of third-party vendors to its networks;
   
6. failure to employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations; and
7. failure to follow proper incident response procedures.

We also saw the SEC now can fine companies for not protecting client data (reference link 1 – reference link 2).  In the language in the Matter of R.T. Jones Capital Equities Management, Inc. it stated “R.T. Jones Failed to Adopt Written Policies and Procedures Reasonably Designed to Safeguard Customer Information” (reference link).  Even though this action was against an investment adviser, we too could be subject to this type of ruling if we are not doing all that we can to protect client data.

The DoD new rules, DFARS clauses and regulations were established with language to guide the examination of contractors to make sure they have the required security controls in place.  This was posted on the JD Supra Business Advisor website by Melinda Biancuzzo, Alexander Major, and Dave Thomas in the article entitled Government Forces Awaken: The Rise of Cyber Regulators in 2016 (reference link).  There is also information about the FTC and SEC actions.

Also in this article is a list of other federal agencies suiting up for cyber enforcement which include:

• The Consumer Financial Protection Board’s (CFPB) growing Cybersecurity Program Management Office;
• The Department of Energy’s (DOE) Office of Electricity Delivery and Energy Reliability, examining the security surrounding critical infrastructure systems;
• The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services, addressing healthcare providers and health insurers’ compliance with health information privacy and security safeguard requirements; and
• The Food and Drug Administration, examining the cybersecurity for networked medical devices containing off-the-shelf (OTS) software.

2) Insurance – Limitations, Exclusions, and Caps

Insurance companies are trying to figure out the best way to offer cyber coverage and not go out of business.  Like it or not, they have to make a profit to stay in business so that means policies are getting more specific, restrictive, and more expensive.

2015 saw more “players” offering cyber security policies and not all of them were creditable.  It’s kind of like when an area suffers a lot of hail damage, roofers come out of the woodwork to offer roof replacements at a discounted rate.  Problem is, when the roof starts leaking down the road, they are nowhere to be found.

Insurance companies see cyber insurance as a growth market.  According to an article by Jonathan S. Ziss and Jonathan L. Schwartz entitled “Cyber Insurance 2015: Inside a robust and rapidly changing market” on the website Property Casualty 360 (reference link), “The market remains robust and continues to present for insurers opportunities for unprecedented growth.” – “We have continued to see in 2015 once-in-a-lifetime growth in the insurance market, driven almost exclusively by Cyber insurance.”

Insurance companies are continually working on the insurance they offer.  While these policies do cover you, they may be restrictive and/or cause you to change or add processes to your overall business platform.  For example; you may be required to add mandatory, annual cyber awareness to your employee training docket. If you don’t, this could be a loophole to deny a claim.

In the article mentioned above, insurance companies are offering policies with limits of 100 million dollars or less.  With the average cost of a breach hovering around $154 per record according to the Ponemon Institute (reference link), the cost of a breach could easily exceed this coverage.  Another study by NetDiligence puts that number at nearly $1,000 per record. (reference link) Either way if you take into account brand damage, legal fees, and whether or not the federal government may sue you, 100 million dollars may not cover the financial damage to your company.

Wells Fargo released a white paper entitled: 2015 Cyber Security and Data Privacy Survey: How prepared are you? (reference link)  On page 2 it states “Nearly half (44%) of the companies surveyed that have cyber and data privacy insurance have filed a claim with their carriers.”  It also states “that nearly all the companies (96%) that have filed a claim are satisfied with their coverage and the handling of the claim.” which is a good thing.

Just because a claim is paid doesn’t mean the issue is closed.  A case last year involved an insurance company suing a client to recover a $4 million claim.  The insurance company, Columbia Casualty, alleged that Cottage Healthcare Systems didn’t maintain its security controls, which left the company vulnerable to this cyber attack (reference link).

Summing Up

2016 should be an interesting year.  As a control system integrator, you need to be looking at not only how you are designing and implementing control systems for your customers.  You need to also take stock of your overall cyber strategy and ask yourself these questions:

• Do I have cyber insurance and is it the right insurance for the company?
• Do I have an incident response plan in place?  If so, do all the participants know their roles and responsibilities?
• Is there a cyber awareness training available internally or externally for my company?
• Does my company have access to billing systems for work orders, service orders, etc.? If so does each user have a unique login?

Of course these are just a few pieces of the puzzle.  There is more that needs to be done, but this will get you started.

If you would like further information, contact myself at fred.gordy@smartcore.com or cybersec@smartcore.com.