Public Power s Cyber Threat Defense

Transcription

1 Public Power s Cyber Threat Defense MONITORING/ ASSESSMENT ENGINEERING/ CONSULTING LIABILITY INSURANCE

2 Overview of AESI Supporting utility clients since 1984 providing services to over 500 utilities in North America and internationally Our mission is to provide our clients with services that provide value, delivered cost effectively with knowledge transfer Many staff members are from the utility industry credible & professional with extensive industry experience Strong Cyber & Physical Security, IT and Operational Technology (OT) experience Substantiated and proven long term public power experience with JAAs and distribution utilities Selected by Hometown Connections Partner for cyber and physical services for public power

3 Cyber Attacks on Utilities

4 The Threat Landscape

5 Cyber Attacks on Utilities The ransomware was delivered via a phishing attack and malicious attachments that locked them out of all their systems. The Lansing Board of Water & Light chose to pay $25,000 in bitcoin because it was cheaper than replacing all the infected computers and software, which would have cost up to $10 million. As it is, the incident cost them $2.5 million to wipe the infected computers and beef up their security controls, much of which was covered by insurance.

6 AON 2017 Global Risk Management Report Top 10 Risks Computer crimes/ hacking is up four spots from As cyber crimes become more rampant, more costly, and take longer to resolve, companies need to improve their risk readiness.

7 Philosophy & Culture of Cyber Security It is a Risk Management issue, not an IT issue Executive Team / Management Team / Board support is crucial It is a continuous process requiring increasing maturity levels, not a one and done DOE C2M2 Maturity Levels MIL0: Not Performed MIL1: Initiated MIL2: Repeatable MIL3: Managed / Adaptive Can emulate existing safety programs

8 Cyber Risk Management Tools

9 The NIST Cybersecurity Framework Functions Categories Subcategories IDENTIFY PROTECT DETECT RESPOND RECOVER

10 Use a Blueprint to Manage Your Program Can be color coded to show phased approach

11 To Address Cyber Security Take a holistic approach use a Blueprint Align to standards Allocate appropriate budgets Address risk with controls and insurance

12 About N-Dimension Solutions Since 2002 About N-Dimension Solutions Since 2002 Industry Associations Insurance Companies Tech & Vendor Companies Since 2002, N-Dimension Solutions has been focused on cybersecurity for Power & Energy Industry in North America Provides Managed Cybersecurity Services for utilities helping them discover and protect from cyber threats and vulnerabilities. Partnered with global industry leaders and associations.

13

14 Cyber Threats to Utilities Utilities worms, viruses Morris worm 1988 I Love You 2000 Nimda 2001 Code Red 2001 SQL Slammer 2003 Zotob 2005 state level Google Aurora 2010 Operation Shady Rat 2011 DigiNotar 2011 Flame 2012 Snowden 2013 financial Sony 2011, 2014 Cryptolocker 2013 Target 2013 Unlimited Operations 2014 Carbanak 2015 IRS 2015 botnets botnets botnets energy sector INL Aurora 2007 Stuxnet 2010 Duqu 2011 Night Dragon 2011 ARAMCO 2012 Telvent 2012 Energetic Bear 2014 Black Energy 2015

15 How Threats Often Gain Access Vendo rs Cloud Grid Network ISO 3. Internal Breaches 2. Third Party Access 1. Attacks that pass through firewall Corporate Applications SCADA Operations Personnel SCAD A Host SCADA Operations Servers Smart Meters Collectors 4. Communications Internet Engineering Applications AMI Head-End Server 5. System Vulnerabilities

16 Core Solution Overview Core Solution Overview Extensive Utility Industry Experience Continuous Cyber Threat Detection Cyber Threat Hunting Utility Community Intelligence Active Threat Intelligence Platform Guidance provided by a team of Cyber Experts Cyber Risk Vulnerabilit y Assessment 24x7 Actionable Information

17 Risk Mitigation Plan Risk Mitigation Plan 1. Define the system 2. Identify/classi fy assets 3. Executive Management Sponsorship Assign Responsibility to Senior Management 4. Identify the electronic security perimeter (ESP) 5. Conduct vulnerability assessments 8. Monitor and assess effectiveness 7. Select security controls 6. Assess risks

18 HYPOTHESIS Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible THE PLAN - Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost - Deploy Cyber Insurance For Balance Sheet Protection From Other 20%.

19 The Future is Here BakerHostetler 2016 Data Security Incident HOW ARE THE BREACH'S OCCURRING?

20 Data Breach Calculation Tools NUMBER OF RECORDS (PCI) 5,000 20, ,000 Forensics $14,700 $16,800 $28,000 Security Remediation $70,700 $72,700 $84,000 Breach Coach/Legal Advice $38,000 $38,000 $38,000 INVESTIGATION COST TOTAL $123,400 $127,500 $150,000 Fines & Penalties $26,000 $26,000 $25,000 Fraud Assessment $62,500 $250,000 $1,250,000 Card Re-Issuances $10,000 $40,000 $200,000 PCI TOTAL COST $98,500 $316,000 $1,475,000 Customer Notification $5,000 $20,000 $100,000 Call Center $375 $1,500 $7,500 Credit/ID Monitoring $4,500 $18,000 $72,500 Public Relations $21,000 $21,000 $21,000 CUSTOMER NOTIFICATION/CRISIS MANAGEMENT COST $30,875 $60,500 $201,000 State AG $6,650 $18,300 $58,300 HHS $0 $0 $0 Other $0 $0 $0 REGULTORY FINES/PENALTIES $6,650 $18,300 $58,300 Defense $283,000 $283,000 $283,000 E Discovery $73,600 $73,500 $140,000 Settlements/Damages $150,000 $150,000 $150,000 CLASS ACTION LAWSUIT COSTS $506,600 $506,500 $573,000 TOTAL COST $766,025 $1,028,800 $2,457,300 COST per RECORD $153 $51 $25 NOTES: FIRST BREACH FOR COMPANY, DATA STORED IN CENTRALIZED SYSTEM

21 Verizon 2016 Data Breach Investigations Report CYBER INSURANCE PAYOUTS PER TYPE OF COST

22 Cyber Liability Insurance Program CYBER LIABILITY PUBLIC POWER SURVEY RESULTS CYBER LIABILITY - ALL SEGMENTS DO NOT PURCHASE Cyber Liability Insurance 6 7% 11 14% 22 28% UTILITY BUYS ITS OWN Cyber Liability Insurance Program PARENT ORGANIZATION INCLUDES THE UTILITY in the Parent Organization's Cyber Liability Insurance Program 40 51% No Answer

23 Cyber Liability Insurance Program CYBER LIABILITY PUBLIC POWER SURVEY RESULTS $60, $50, MEDIAN CYBER LIABILITY DEDUCTIBLE BY SEGMENT $50, $50, $25, $20, Limit per 1.0MM Revenue $23, $40, $30, $20, $10, $0.00 $15, $25, $25, $12, $25, $15, $10, $5, $8, $6, $11, $9, $7, $ MW 100MW 101MW 250MW 251MW 500MW 501MW 1,000MW > 1,000MW ALL

24 Cyber Liability Insurance Program CYBER LIABILITY INSURANCE THE COVERAGE Third Party Liability Coverages *Security & Privacy Liability *Regulatory Defense and Fines/Penalties Media Liability Coverage Description Damages & Expenses Incurred for liability from allegations of security and privacy wrongful acts. Amount obligated to pay from certain privacy regulatory actions.( i.e. HIPAA, NERC, FERC, NRC, Payment Card Assessments) Liability from allegations of multimedia wrongful acts (libel, slander, invasion of privacy, etc.). * Not Covered in Traditional General Liability Insurance First Party Coverages *Notification Expense/Credit Monitoring *Network Interruption Data Asset Restoration *Extortion Expenses *Fraud *Loss of Profits/Extra Expense *Crisis Management/ Reputational Harm Coverage Description Notification expenses incurred following a privacy event/breach. (Credit monitoring services, call center services, etc.) Costs to restore/replace computer programs, software and electronic data (i.e. Customer consumption and preference data). Money/Expenses paid relating to cyber extortion demands. Loss of funds arising out of fraudulent wire transfer requests or other direct monetary loss (Computer Fraud/Electronic Fraud/Social Engineering Fraud). Business Interruption/Extra Expense (Loss of profits) resulting from a Cyber Breach. Expenses including forensics, public relations etc.

25 AFTER THE BREACH INSURANCE CARRIER BREACH SERVICES The following services are available, as part of the claim process, through a dedicated toll-free number which connects directly to a 24/7 incident response center. Claims Management Process Management Including Appointing Specialists. Legal Services Help to investigate & Respond to Breach Incidents. Computer Forensic Services Assessment of Breach Impact and the How and When. Notification/Call Center Services Instructions for Reaction Response, Notification & Call Center. Fraud Resolution Services Credit/ID Theft Monitoring & Remediation. Public Relations and Crisis Management Services PR Consultation.

26 Cyber Liability Insurance Program CYBER LIABILITY INSURANCE PREMIUMS ANNUAL REV ($m) (1) POLICY LIMIT $1m $2m Premiums Deductible Network Monitoring (If bundled with Insurance)(2) 0-5 $2,525 $3,775 $2, $3,275 $4,850 $10, $4,650 $6,900 $10, $6,925 $10,300 $15, $9,200 $13,700 $15, $12,250 $19,000 $25,000 $7,500 *1st Year Cost Reduced to $1,960 for APPA members through DOE program $16,750 $25,000 $25,000 Over 100 Refer to Underwriters Higher Limits Available Upon Request (1) Parent( City) can be included in coverage if revenues are reported (2) Monitoring Cost is Annual Per Network, Assumes 1 Network

27 Recap & Costs -Risk Trending Towards Ransom and Physical Damage -Mitigating 100% Of Cyber Risk Is A Financial Hardship And Nearly Impossible -Target Mitigation Of 80% Of Cyber Risk At A Reasonable Cost - Deploy Cyber Insurance For Balance Sheet Protection From Other 20%.

28

29 Thank You Doug Westlund Senior VP AESI Inc Brad Luna Senior VP N-Dimension Solutions George Adkins Managing Director Wortham Insurance