Cyber threats are ever increasing, and along with them governments and the private sector are scrambling to define responsibility, regulations, and compliance. The impact on your controls business could be devastating if you are not prepared and do not understand the implications. Ignorance is no longer a defense.
In the good ole days of system integration, system integrators would do anything to help their customer. This included running private IP networks so the building engineer could see their system from his computer in his office. This required us to learn how to set up IPs and switches and crimp CAT 5 connectors.
Our customers then asked us to connect their system to the corporate network so others in the building could connect to the control system. This was easy… Put another NIC in the frontend PC and bridge the two networks. All we needed to know then was how to install a NIC in a PC and set up an additional IP. Or the other solution was to migrate the entire system over to the corporate network. All that was needed was for us to change the IPs so they would communicate on the corporate network and connect CAT 5 cables to the corporate network…
Then the building engineer wanted to be able to check their system from home at night and on the weekends, so we, the system integrators, learned how to set up routers with public IPs. This put the control system outside the firewall, so no matter where the building engineer was in the world, he and billions of other people could see his system. In fact, system integrators would even advertise this fact as a feature. But that was okay because who really cared about a control system anyway… Right?
We also assumed other responsibilities. We administered their users and user rights. We provided the PCs or servers and patched them. We installed the antivirus flavor of the week to “protect” their control system. We would install consumer grade switches and routers from the big box stores and set up VPNs.
Is this a bad thing? Depends…
In my opinion we need to stop and take a look at our core competencies, certifications, and insurance. Yes, insurance. Your insurance probably doesn’t cover cyber acts unless you have recently reviewed it and added coverage specifically for a cyber incident. And not all cyber insurance is created equal. It’s kind of like buying a life insurance policy and not paying attention to the fine print, which says “In order for the policy to pay out, the policy holder must expire on January 18th at 4:47 PM.” Okay… A little exaggerated, but you get the point.
Now that you have your “ironclad” insurance policy, you need to decide what your liability appetite is. You need to honestly look at what you do and how it exposes you to risk. In other words, if you are installing network routers and configuring VPNs, do you have the certifications and proficiency to do that? If not, hire a contractor that does. Move that liability off you and do what you know: control systems.
Are you administering your customers’ users?
This may not sound so bad, but by administering the customer’s users you are placing yourself between the risk and your customer. All an attorney may need to hang the breach on you is this. This shows that the customer did not have total control of their system and anyone from your company could have planted a backdoor.
Speaking of backdoors…
Have you changed or removed that username and password that every employee since the dawn of your control business knows, the one that is in all of the systems you installed? If not, you should. Better yet, have your customer do it. This way, if you are involved in a dispute after a breach, the customer can attest to the fact that this user was removed. Of course this only counts if the breach happens after your user has been removed. Yes, this is considered a backdoor.
When you buy a PC or server, do Dell, HP, etc. set up your users?
When we turn the “keys” of the system over to the customer, we should have them take on full responsibility for administering their users, including us. This not only limits the liability to your company, it also means your team doesn’t have to carry around every customer’s username and password. When your team member arrives on site, the customer will either log them in or give them a temporary access user. This is not so different from arriving at a site and having to check out a badge from security.
Do you still have customer systems outside the firewall with a public IP?
If you haven’t recommended to your customer that they move their system inside the firewall, you need to. Believe it or not, some customers will say they do not want to do this because it will make it harder for them to connect to their system. It is their prerogative, but make sure you have documentation showing that you advised them of this and they opted out.
Do you have a cyber policy that your employees have to sign as a condition of employment?
This is a tricky one… Having a clearly defined cyber policy takes time to put together. You need to take a hard look at where your vulnerabilities are and put together a policy that informs the workforce what is expected. For example, if your company provides smart phones, the phone needs to lock after a short period of time with a passcode, preferably a complex one. By default the iPad and iPhone passcode is four digits, which anyone standing beside you can see you enter. You can change the complexity of the passcode in the settings of the iPad or iPhone, which lets the user enter both alphabetic and numeric characters. If the employee defeats this (turns it off), it could be grounds for disciplinary action up to dismissal.
For employees with laptops, the laptop must lock after a short period of time, and employees must not share laptop passwords with other employees. The laptop must be used strictly for company business and have up-to-date antivirus and anti-malware software that is centrally monitored within your company. If the laptop goes missing, the employee must inform the company’s designated IT person or staff. If the laptop has tracking software and the ability to be wiped remotely, IT can lock the machine so it cannot be used. If the employee does not follow this policy, it could be grounds for disciplinary action up to dismissal.
These are a couple of examples, but the main point here is this… Have an electronic device policy that outlines your company’s position and is a condition of employment. This could come in handy if you are named in a cyber breach lawsuit. It shows you are trying to be proactive and that you take cyber security seriously as a company.
Does your company have a Cyber-Incident Response?
Not having this has been the death of some companies. Having this has minimized the damage inflicted on companies.
I cannot stress the importance of this enough. We have all seen the results of having and not having a cyber incident response, even if we didn’t know it. I will not mention names, but in the past 18 months or so we have seen examples of both. In some cases more damage was done due to the lack of response within the first 48 hours after an announced breach. Put together a team in your company to build a response plan and educate your entire company on what it is and how it will be enacted.
What is a Cyber-Incident Response?
According to the Department of Homeland Security’s paper entitled “Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability”:
Cyber incident response is the way in which an organization responds to a perceived cyber-related incident that may impact ICS owner assets or their ability to operate. An incorrect response may result in chaotic and reactionary actions that are ineffective or increase damage. Every organization should strive for a smooth, planned response with minimal impact to a company’s operations. Accomplishing this will require plans and procedures that are in place and tested before a cyber incident occurs.
What this basically means is this…
- Timing is everything (sooner rather than later)
- What you say publicly can either make you or break you
- Everyone in your company has a role even if it is to be mute (loose lips sink ships)
There are several really good outlines that can be tailored to fit your company. If you do not feel like this is something you can come up with confidently, consult a professional. This is not an area you want to be found lacking.
According to the Harvard Business Review article by Tucker Bailey and Josh Brandley entitled “Ten Steps to Planning an Effective Cyber-Incident Response”: “A response should be guided by a response plan that aims to manage a cyber security incident in such a way as to limit damage, increase the confidence of external stakeholders, and reduce recovery time and costs.”
In this article Tucker Bailey and Josh Brandley list 10 principles to help guide companies in creating and implementing incident response plans.
- Assign an executive to take on responsibility for the plan and for integrating incident-response efforts across business units and geographies.
- Develop a taxonomy of risks, threats, and potential failure modes. Refresh them continually on the basis of changes in the threat environment.
- Develop easily accessible quick-response guides for likely scenarios.
- Establish processes for making major decisions, such as when to isolate compromised areas of the network.
- Maintain relationships with key external stakeholders, such as law enforcement.
- Maintain service-level agreements and relationships with external breach-remediation providers and experts.
- Ensure that documentation of response plans is available to the entire organization and is routinely refreshed.
- Ensure that all staff members understand their roles and responsibilities in the event of a cyber incident.
- Identify the individuals who are critical to incident response and ensure redundancy.
- Train, practice, and run simulated breaches to develop response “muscle memory.” The best-prepared organizations routinely conduct war games to stress-test their plans, increasing managers’ awareness and fine-tuning their response capabilities.
Too many times, fear of saying the wrong thing can paralyze a company to the point that it misses the opportunity to minimize the impact of the breach. That is not to say that having an incident response plan can totally mitigate the damage, but it can lessen the financial and brand damage that an incident causes. Having a plan in place, continually refreshing its content, and practicing will make for a fluid response, which gives your company the appearance of being in control of the situation and ready to act, instilling confidence in your customers.
I heard this statement a few months ago at a cyber panel… “This is a problem for which there is no solution.” Scary thought… Right? It is, and it means you will have to change how you do business. You may decide to drop some of the services you were offering to your customers. It may mean you will have to have uncomfortable conversations with your customers to explain to them that what you set up in the past has put them in a vulnerable state now. You will have to change your company’s culture, and some in your organization will either think you are overreacting or that it will never happen to your company, so why bother. The truth is it can happen to your company, and if it does, what will those people say when your brand is so damaged that the doors are closed and no one has a job?
We may not be able to dodge the bullet, but we can lessen the impact.