On February 12, 2014, the Commerce Department’s National Institute of Standards and Technology (NIST) released its “Framework for Improving Critical Infrastructure Cybersecurity” (the “Framework”).1 Developed jointly by government officials and private industry leaders over a year-long process, the Framework establishes a set of national standards for managing and mitigating risk arising from cybersecurity incidents. With over 1,300 confirmed breaches in 2013, cybersecurity is becoming an increasingly important issue for companies, and especially energy companies. The energy industry faces unique cybersecurity threats because energy companies control and protect some of the most crucial components of our nation’s infrastructure.
The “Framework Core” consists of five key functions—identify, protect, detect, respond and recover—that guide an organization’s preparation for and reaction to cybersecurity incidents. The Framework Core provides specific sections of standards, guidelines, and practices that illustrate how to achieve desired cybersecurity outcomes. Following the Framework Core is not a trivial task. Below, we discuss four of the Framework’s recommended activities and their implications for the energy industry.
I. Inventory physical devices and systems within the organization and determine their vulnerabilities.
Energy companies are uniquely vulnerable to cyber-attacks due to their distributed IT infrastructure and reliance upon legacy industrial control systems (or ICS). Typically located outside of corporate offices, industrial control systems (e.g., SCADA systems) are used in the field to control, monitor, and manage critical energy infrastructure such as pipelines and drilling operations. For instance, ICS may be used on an oil rig to receive data from sensors in the ground and actuate valves and breakers in response.
Increasingly, companies are connecting ICS to networks to enable automation and remote monitoring of industrial processes in the field. While an Internet connection often enables ICS to increase productivity, it also provides a means for intruders to compromise a company’s field operations. Alarmingly, many ICS use features from the 1990s that make them vulnerable to attack. For example, some ICS use default passwords like “admin,” and others lack the ability to encrypt sensitive operational data. Following the Framework is important for energy companies since cyber-incidents affecting ICS can have disastrous effects, including power outages, ecological catastrophes, and harm to the safety and health of individuals.
To mitigate these risks, the Framework Core recommends that companies perform inventories of their systems and understand their associated vulnerabilities.2 This can be a daunting task for energy companies due to the shortcomings of commonly used industrial control systems. Fortunately, the Department of Homeland Security operates a website3 that helps energy companies inventory and understand their ICS vulnerabilities. The website, which is particularly helpful for IT managers in the energy industry, lists ICS products by vendor, the known vulnerabilities for each product, and particular ways to address the security risks of each product.
One way to use the website is to set an initial meeting with IT managers to perform a preliminary analysis of the company’s ICS vulnerabilities. A company can use the website to locate the ICS it uses in the field, learn how those systems can be compromised by intruders, and determine how best to protect those systems from attack. Then, the company can hold periodic meetings with IT managers to review any updates to the website that affect the company’s ICS.
II. Inform third parties of their roles and responsibilities in supporting the company’s cybersecurity initiatives.
Traditionally, energy companies rely upon third-party vendors to provide a wide variety of products and services. If these vendors are not exercising reasonable care in preparing for and responding to cybersecurity threats, incidents may occur and could subject the energy company to liability. Recognizing these issues, the Framework Core suggests that an energy company proactively work with its vendors to foster the use of smart cybersecurity practices.4
One way to do so is by contracting for cybersecurity protections when the relationship with the third-party vendor is first formed. For instance, an energy company could craft contractual provisions that require vendors to perform regular malware scans, to patch vulnerable systems in a timely manner, and to enforce a strong password policy.
In the case of preexisting contracts and relationships, however, it is incumbent upon the energy company to understand the rights and obligations of the vendor in relation to the company’s own rights and responsibilities. Working together with outside counsel, the energy company can perform a full audit of its previous contracts to determine whether cybersecurity gaps exist, and then determine how best to fill any gaps through contract renegotiation with the vendor.
Energy companies need not draft cybersecurity provisions from scratch. The Department of Homeland Security offers example provisions to cover most situations.5 For example, DHS recommends that an energy company should obligate its vendors to apply patches to ICS and other systems within a pre-negotiated timeframe:
The Vendor shall have a patch management and update process. Pre-contract award, the Vendor shall provide details on their patch management and update process. Responsibility for installation and update of patches shall be identified. The Vendor shall provide notification of known vulnerabilities affecting Vendor supplied or required OS, application, and third-party software within a pre-negotiated period after public disclosure. The Vendor shall verify and provide documentation that all services are patched to current status.6
As another example, DHS recommends that an energy company should include provisions in its contracts that require vendors to enforce strong password policies:
The Vendor shall provide a configurable account password management system that allows for selection of password length, frequency of change, setting of required password complexity, number of login attempts, inactive session logout, screen lock by application, and denial of repeated or recycled use of the same password.7
Of course, these provisions are mere examples. An energy company should adapt these examples to its own situations.
III. Perform security audits on all systems.
The Framework Core urges companies to implement security audits to help assess the overall security of their network and connected devices and to provide a valuable baseline for determining appropriate safeguards.8 Indeed, a full, objective audit can help improve a company’s security posture by identifying potential vulnerabilities before they become security incidents. While it may be cheaper and easier to use internal IT teams to perform such an audit, hiring an independent cybersecurity firm may lead to increased objectivity and a more thorough investigation. Additionally, if the cybersecurity firm is hired through outside counsel, any issues discovered by the cybersecurity firm can be protected under attorney-client privilege and remain confidential.
As described in Part I above, energy companies can use the DHS website to perform vulnerability monitoring for their industrial control systems. Energy companies should also consider taking a more proactive approach by attempting to uncover security holes on their own. One way to do so is through the use of the Shodan search engine.9 Dubbed the “Google for hackers,” Shodan searches for Internet-facing systems with subpar security. By proactively using Shodan to search for systems under its control, a company may be able to find and patch a vulnerability before it is discovered and exploited by a hacker.
IV. Formulate a response plan and execute the plan upon discovering an attack.
The Framework Core advises that a company’s response to a cyber-attack be guided by a response plan that aims to limit damage, increase the confidence of external stakeholders, and reduce recovery time and costs.10 Because responding to cyber-attacks is time-sensitive, the response plan should be prepared and ready for implementation before an attack. The response plan should be a part of an energy company’s crisis management plan. That is, all information in the response plan should be available to the company in the face of catastrophe, such as when electric power and other systems may be unavailable.
An important part of any response plan is a communications scheme that includes a list of parties that should be contacted in the event of a security breach. While contact lists will be specific to each company, an energy company’s plan should likely include contacts from the following company departments:
Executive Management—Decision makers in the company need to be informed of a breach as quickly as possible so that they can begin implementing the response plan.
Information Technology—Internal or external IT experts will be needed to perform forensics on compromised systems to determine how the breach occurred and how best to mitigate any further damage.
Legal—Legal expertise is necessary to ensure compliance with all national, international, federal, and state laws and regulations; to understand what evidence is admissible when taking action against intruders; to explain how evidence can be collected; to manage third-party liability exposure; and to help the team understand what pitfalls, such as privacy rights violations, should be avoided.
Public Relations—Energy companies control some of the United States’ most important infrastructure and need to maintain the trust of the public. Managing public relations is thus a crucial aspect of an energy company’s recovery from a cybersecurity incident.
Bear in mind that communications systems may not be available in the fallout after an attack, so these contact lists should be maintained in both electronic and hardcopy formats.
Energy companies face unique challenges in preparing for and responding to cybersecurity incidents. The NIST Framework Core is an important resource for any organization that faces cybersecurity risk. By performing the recommended activities, companies can help harden their systems against cybersecurity attacks and establish evidence that they have fulfilled their duty of care in protecting their systems and information.
2Cybersecurity Framework at 20–22.
4Cybersecurity Framework at 24.
5Cyber Security Procurement Language for Control Systems (available here).
6Id. at 11.
7Id. at 21.
8Cybersecurity Framework at 28–30.
10Cybersecurity Framework at 33–34.