The Biggest Cybersecurity Threat: The Energy Sector

Michael Krancer
Follow: @MikeKrancer 

Cybersecurity has been at the forefront of the news for several years. Coverage of the space usually focuses on a breach at a consumer-facing company, resulting in people’s credit cards, bank and personal records being stolen. As bad as these kinds of incidents are, however, we have thus far avoided cybersecurity threats that pose far larger and scarier problems. It’s cyber attacks on the energy space, not the consumer credit space, that could cripple the United States — or any country — as well as bring about a collapse of order and society that most of us associate with apocalyptical scenarios.
http://static.chartbeat.com/js/chartbeat.js

Hollywood has picked up on this theme, producing a film earlier this year, Blackhat, which Wired called “the best hacker movie ever made.” The movie’s premise centers on the meltdown of a Hong Kong nuclear plant as a result of targeting by hackers. It takes much of its inspiration from Stuxnet, a malicious computer worm that the United States used to destroy a fifth of Iran’s uranium-enriching centrifuges. But the threat currently facing the world isn’t one dreamed up by Hollywood; it’s real. A congressional commission estimated that a large-scale blackout, if prolonged, could lead to 90% of the United States’ population perishing from disease, lack of food and general societal breakdown.

My team and I recently detailed these threats in an article for The Legal Intelligencer. The analysis of the piece runs quite deep, delving into some arcane aspects of state-level and federal-level legislation that look to address the threat from cyber attacks on the energy sector. Our examination in The Legal Intelligencer provides for some critical takeaways. Along with my Blank Rome co-authors on the paper, Margaret Anne Hill and Tom Duncan, I have closely studied the kind of domino effects yielded by particularly potent attacks on the information systems of our energy infrastructure. The conclusions we put forth should give all of us pause.

One very interesting tidbit:

According to a Wall Street Journal report, a survey of 625 IT executives in the U.S., U.K., France, and Germany found that 48 percent said they think it is likely there will be a cyber-attack on critical infrastructure, including energy infrastructure, in the next three years that will result in the loss of life. The costs of cybersecurity are also increasing at an alarming rate. For example, JPMorgan Chase’s annual cybersecurity expenditures are expected to double to $500 million within the next five years.

What continues to be clear through all of this — be it our examination or even the movie Blackhat, whose plot isn’t as hyperbolic as some might think — is that putting controls and measures in place to ensure the cybersecurity of our energy infrastructure should be a task of paramount importance.

The United States used to worry about the Soviets approaching with their ballistic missiles and bombers from the top of the world, flying over the North Pole. While the Soviet threat has faded, the Russians now sport a potent capacity to attack silently via the Web with malicious code. Theirs is just one of the many state-sponsored and now terrorist-sponsored cells who can execute a debilitating cyber attack. Just as we used to meet the Soviets with our own national ingenuity and will (and fighter jets), we need to meet this newer threat with equal vigilance.

Michael L. Krancer is Partner & Energy, Petrochemical and Natural Resources Practice Group Leader at Blank Rome LLP and a former secretary of the Pennsylvania Department of Environmental Protection. His blog,Energy Trends Watch, follows developments in energy, petrochemical and natural resources.

“The Biggest Cybersecurity Threat: The Energy Sector,” by Michael L. Krancer, was published by Forbes on November 4, 2015. To read the article online, please click here.

Energy Sector Beware: Cybersecurity Now Top Security Threat

Michael L. Krancer, Margaret Anne Hill, Thomas M. Duncan, and Frank L. Tamulonis III

What is the No. 1 worldwide security threat? The answer is cybersecurity. This is especially so for our critical energy production and delivery infrastructure.

A cyberattack presents the risk of unfathomable asymmetrical physical damage to life and property, as well as the potential for flat-lining the enterprise value of any targeted company. A congressional commission has estimated that in a prolonged nationwide blackout (in the context of an electromagnetic pulse attack), about 90 percent of the U.S. population would be dead from disease, lack of food and resources, and societal breakdown. That 90 percent won’t care whether the nation was struck by an EMP attack or a cyberattack.

According to the U.S. Department of Homeland Security (DHS), over the past several years the energy sector has incurred the greatest number of cybersecurity incidents. The Pennsylvania Public Utility Commission held a multiagency summit on cybersecurity Oct. 1, which was intentionally timed with National Cybersecurity Awareness Month. The PUC, to its credit, gathered in one room the DHS, as well as state and local agencies including the Office of Administration, the Pennsylvania Emergency Management Agency, the Pennsylvania State Police, the Pennsylvania Office of Homeland Security, and several large utilities to vet this problem and talk about preparedness, prevention and solutions.

So far, so good in Pennsylvania in getting the job done to protect critical energy infrastructure from cyberattacks. But, the summit stressed that the danger is not going away and that we must constantly work together to stay vigilant. Indeed we must. According to a Wall Street Journal report, a survey of 625 IT executives in the United States and Europe found that 48 percent said they think it is likely there will be a cyberattack on critical infrastructure, including energy infrastructure, in the next three years that will result in the loss of life. The costs of cybersecurity are also increasing at an alarming rate.

What are the threats, you ask? They are too numerous to list in this article, but here are a few: the Havex Trojan targets industrial control systems after it is mistakenly downloaded by customers; malware called BlackEnergy has targeted systems used in nuclear power plants; and an Iranian hacking campaign is under way that the FBI believes may be targeting the energy and defense industries. The Chinese, Russians and North Koreans can be added to the list of “usual suspects” as cybercrime, cyberespionage and cybersabotage have increasingly become their weapons of choice lately—and recent events show they are good and getting better at it. ISIS is also considered a dire threat in this regard.

In fact, nationalized cyberweaponization has become the norm for our enemies. According to Director of National Intelligence James Clapper, Russia’s Ministry of Defence is establishing its own cyber-command, which is expected to conduct offensive cyberactivities such as inserting malware into enemy command and control systems. In May 2014, the U.S. Department of Justice indicted five officers from China’s People’s Liberation Army on charges of hacking U.S. companies.

The highly interconnected nature of the national power grid and the increasing pressure placed on grid reliability by federal and state policies, including the U.S. Environmental Protection Agency’s recently issued Clean Power Plan and states’ renewable portfolio standards, could exacerbate the impacts of a cyberattack on energy infrastructure and potentially lead to “cascading blackouts.”

Power generation and delivery are not alone, of course. The oil and gas sectors are inviting targets as well. Some experts say that particular vulnerabilities exist at “single-point” assets such as refineries, storage terminals and other buildings, as well as “networked features” such as pipelines and cybersystems. Enemies may focus on a large-scale attack with the goal of temporarily halting the supply of oil and gas or even to create an environmental disaster.

Reminiscent of the time after World War I in which the world’s powers were sucked up in the vortex of a naval arms race and in came the Washington Naval Treaty of 1922, today’s superpowers are now doing something similar. President Obama appeared with Chinese President Xi Jinping on Sept. 25 to announce that the United States and China had reached an agreement on a number of issues related to cybersecurity. This U.S.-China agreement comes on the heels of China’s May cybersecurity agreement with Russia, and China’s recent attempt to enact laws requiring foreign firms operating in China to use China-approved encryption and reveal all source code for inspection. In the agreement, the United States and China agreed to cooperate “with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyberactivity emanating from their territory” and “to provide updates on the status and results of those investigations.” To review the timeliness and quality of responses to these requests, both countries have agreed “to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues.”

In addition to this recent agreement, the United States and China are believed to have a framework in place for a cyberwarfare agreement that would prohibit either country from launching an initial cyberattack on the other’s critical infrastructure during peacetime. One hopes for, but experience shows cannot count on, better success now on cybersecurity than with the Washington Naval Conference.

Additional American domestic efforts to improve national cybersecurity are coming from both the executive and legislative branches. Executive Order 13636 requires the National Institute of Standards and Technology, part of the U.S. Department of Commerce, to create a framework to reduce cybersecurity risk for organizations within critical infrastructure sectors, including the energy sector. The framework is based on existing standards, guidelines and practices. Compliance with the framework, however, is voluntary.

The Department of Energy’s Office of Electricity Delivery and Energy Reliability also focuses on cybersecurity and works with the DHS, industry, and other agencies to reduce the risk of energy disruptions from cyberattacks. The office designed the Cybersecurity for Energy Delivery Systems (CEDS) program to assist the energy sector asset owners (electric, oil and gas) by developing cybersecurity solutions for energy delivery systems through integrated planning and a focused research and development effort. CEDS co-funds projects with industry partners to make advances in cybersecurity capabilities for energy delivery systems.

The Department of Energy’s Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2), developed in partnership with the DHS, is an 83-page document that helps improve cybersecurity capabilities and includes reference material and implementation guidance specifically tailored for the oil and natural gas segments of the energy sector. The model can be used to strengthen cybersecurity capabilities in the ONG subsector; enable ONG organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities; share knowledge, best practices and relevant references within the subsector as a means to improve cybersecurity capabilities; and enable ONG organizations to prioritize actions and investments to improve cybersecurity. The ONG-C2M2 is designed for use with a self-evaluation methodology and toolkit.

Before the Senate now is a bill sponsored by Sen. Richard Burr, R-North Carolina, S 754, the “Cybersecurity Information Sharing Act” (CISA), which requires the director of national intelligence, the DHS secretary, the secretary of Defense, and the U.S. attorney general to create a system to promote the sharing of a broad range of cybersecurity information.

CISA would give private entities, including oil and gas companies, greater liability protection for sharing personal data related to certain cybersecurity information. CISA has faced strong opposition, mainly due to concerns that it may impinge on individuals’ Fourth Amendment right to privacy. If agencies are to store personal information, they must maintain highly sophisticated cybersecurity systems. CISA, however, does not include any requirements or funds to promote these systems. Twenty-two amendments are on the Senate floor, many of which limit the events that provide legal immunity and reduce the ability for agencies to share information with one another. The DHS has expressed concern because the bill allows other agencies to collect this information, potentially reducing the DHS’s current role in this space.

Others have criticized CISA for not going far enough. CISA only creates a framework for information-sharing intended to allow agencies to identify how best to protect against future cyberattacks. What some expect, or hope, to follow CISA is ultimately the enactment of minimum standards for corporate cybersecurity systems. A vote on the bill is expected soon.

Pennsylvania is acting as well, with the PUC in particular showing exemplary leadership. Public utilities are required to develop and maintain a written cybersecurity plan under 52 Pa. Code Sections 101.1-101.7. The PUC took the occasion of its October cybersecurity summit to release its second edition of the PUC “Cybersecurity Best Practices for Small and Medium Pennsylvania Utilities.” The best-practices document is available on the PUC’s website (goo.gl/oMPaae). The document is a magnum opus loaded with information including ways to prevent identity or property theft; how to manage vendors and contractors who may have access to a company’s data; what to know about antivirus software, firewalls and network infrastructure; how to protect physical assets, such as a computer in a remote location or a misplaced employee device; how to respond to a cyberattack and preserve forensic information after the fact; how to report incidents; the potential benefits of engaging a law firm in advance of a breach; and a list of federal cyberincident resources.

In light of the enormous asymmetrical physical and financial damage that cyberattacks can inflict, as well as our apparent vulnerability to those attacks, one thing is clear: A good defense (and perhaps even offense) against such mischief is going to require not only continued efforts, but also an ever-increasing amount of attention, teamwork, effort, and human and financial capital investment going forward.

“Energy Sector Beware: Cybersecurity Now Top Security Threat,” by Michael L. Krancer, Margaret Anne Hill, Thomas M. Duncan, and Frank L. Tamulonis III was published in The Legal Intelligencer on October 16, 2015. To read the article online, please click here.

Cybersecurity Claim Under CGL Policy Prevails Against Strong Insurance Industry Pushback, As Fourth Circuit Upholds Policyholder’s Coverage For Data Breach Claims

Kevin J. Bruno and Charrise L. Alexander

On April 11, 2016, the United States Court of Appeals for the Fourth Circuit made headlines by holding that a commercial general liability (“CGL”) policy covers the defense of a data breach-related class action lawsuit. In Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 13-1944 (4th Cir. Apr. 11, 2016), the Fourth Circuit affirmed a 2014 decision from the Eastern District of Virginia holding that Travelers Indemnity Company of America (“Travelers”) has a duty to defend its insured, Portal Healthcare Solutions, LLC (“Portal”), in a 2013 class action lawsuit filed in New York State Court. This is a major victory for policyholders, in particular for those with potential cybersecurity-related claims under CGL policies without a cybersecurity exclusion. Attempts by the insurance industry to downplay the significance of this ruling are unavailing, and contrary to the arguments made before the court by various insurance industry trade groups, which had warned that a ruling in the policyholder’s favor would “undermine the certainty and predictability” necessary for the proper functioning of the insurance marketplace. In addition, and although policyholders going forward are well-advised to consider purchasing cyber/data breach insurance policies given the prevalence of cyber-related exclusions in current CGL forms, the Fourth Circuit’s interpretation of the coverage-defining term “publication” will have a much broader, policyholder favorable application in many other insurance claim contexts.

Facts

Two patients of Glen Falls Hospital alleged that when they conducted a search for themselves on Google, the first link that appeared was a direct link to their respective Glen Falls medical records. The underlying class action followed in April 2013, which was filed in New York State Court, and alleged that Portal, a business specializing in the electronic safekeeping of medical records, failed to secure a server containing confidential records for patients, making the records available for anyone to view online. Specifically, plaintiffs alleged that Glen Falls patients’ medical records were “accessible, viewable, copyable, printable, and downloadable from the Internet by unauthorized persons without security restriction from November 2, 2012 to March 14, 2013.” Portal had two CGL polices, both issued by Travelers for the policy periods of 2012 and 2013. The policies provided coverage for the “electronic publication of material that…discloses information about a person’s private life.” Travelers denied coverage and preemptively sued Portal in Virginia Federal Court.

Procedural History

In the coverage case, Travelers moved for summary judgment seeking a declaration that it does not have a duty to defend Portal in the class action suit. Portal also moved for summary judgment seeking an order compelling Travelers to defend. In its August 2014 decision, U.S. District Judge Gerald Bruce Lee found that Travelers has a duty to defend Portal because “making confidential medical records publicly accessible via an Internet search does fall within the plain meaning of ‘publication,’” thereby triggering the personal and advertising injury coverage provision in the insurer’s CGL policy. Travelers appealed.

The Fourth Circuit’s Ruling

The Fourth Circuit affirmed the District Court’s decision and ruled that Judge Lee correctly followed the “eight corners” rule by comparing the allegations of the complaint to the language of the policy. Additionally, the Fourth Circuit found that Judge Lee properly recognized that insurers must “use ‘language clear enough to avoid…ambiguity’ if there are particular types of coverage that it does not want to provide.”

The Fourth Circuit held that “[p]ut succinctly, we agree with the opinion that Travelers has a duty to defend Portal against the class-action complaint,” and that “[g]iven the eight corners of the pertinent documents, Travelers’ efforts to parse alternative dictionary definitions [of ‘publication’] do not absolve it of the duty to defend Portal.” To better understand the Fourth Circuit’s ruling, it is best to analyze the District Court’s ruling in more detail. Judge Lee first noted that the policies contained two prerequisites to coverage. First, there must have been a “publication,” which is undefined in the policies. Second, the published material must “give unreasonable publicity” to or disclose information about a person’s private life. Applying Traveler’s proposed dictionary definition of “publication,” the District Court reasoned that exposing medical records online placed a patient’s information before the public, which fell within the plain meaning of “publication.” Second, Judge Lee concluded that public availability of a patient’s confidential medical record constitutes “unreasonable publicity” to a patient’s private life and “disclose[d]” information about the patient’s private life.”

Significantly, for this and related claims, the District Court also rejected Travelers’ arguments that because Portal did not intend to publish the medical information and because there is no evidence that any third parties viewed the information, the policy does not cover the underlying allegations. Instead, “unintentional publication is still a publication.” Furthermore, Judge Lee reasoned that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.”

Conclusion

Portal Healthcare is a victory for policyholders and highlights that coverage may exist under their CGL policies through the “personal and advertising liability” coverage for liabilities relating to the disclosure, or “publication,” of personal information. In a digital age, where companies and individuals increasingly rely on the Internet in their personal and commercial activities, this ruling is critical because the issue of what constitutes “publication” in an Internet context can and will arise in a multitude of situations. Simply put, data breaches are not all about third-party intentional “hacking” anymore. It is refreshing, and for many policyholders about time, that our courts have begun to recognize that the “old school” way of viewing what constitutes a “publication” in an insurance context must come into line with today’s reality, a reality that must fully account for the rather amorphous character of the Internet. In this regard, note the discussion before the court regarding the steps that must be taken by Google in order for material, including plaintiffs’ medical records, to be indexed and made fully searchable on the web.

We finish with a word of caution—while policyholders should be optimistic, they should also carefully evaluate their insurance policies and coverage needs. In more recent years (generally 2014), the CGL ISO policy form and many CGL polices have been amended and now contain exclusions, or other language that excludes coverage for data breaches or other cyber security risks. And as highlighted by the American Insurance Association and Complex Insurance Claims Litigation Associates, which both filed an amicus brief in this case, over the past several years there has been a growing market for policies specifically tailored for cyber related claims. Policyholders should be mindful of those exclusions in their CGL policies, carefully examine their risks and insurance needs, and may need to look to other coverage products, such as cybersecurity policies, to fill any gaps in coverage.

Joint Antitrust Policy Statement on Sharing Cybersecurity Information

By Steven Caponi

The Federal Trade Commission (“FTC”) and the Department of Justice (“DOJ”) recently issued a policy statement on the sharing of cybersecurity information that “makes clear that properly designed cyber threat information sharing is not likely to raise antitrust concerns and can help secure the nation’s networks of information and resources.”

The policy statement is intended to address a long-recognized roadblock to the aspirational goal of combating cyber threats by encouraging private entities to share confidential threat awareness information. To date, this objective has been thwarted by the realistic concern that the sharing of non-public information between competitors could violate antitrust laws or trigger an antitrust review.

FTC Chairwoman Ramirez notes that “[t]his statement should help private businesses by making it clear that antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information.” Sharing this viewpoint, Deputy Attorney General James M. Cole recognized that “[p]rivate parties play a critical role in mitigating and responding to cyber threats, and this policy statement should encourage them to share cybersecurity information.”

Although a step in the right direction, the policy statement is unlikely to materially impact the practices of many businesses because of its lack of specificity. Rather than provide a clear set of guidelines, the policy is merely an analytical framework to be used by the antitrust agencies to determine if the sharing of information crosses the line from permissible to impermissible. For example, the policy notes that “[t]he Agencies do not believe that antitrust is – or should be – a roadblock to legitimate cybersecurity information sharing” and their “primary concern in this context is that the sharing of competitively sensitive information – such as recent, current, and future prices, cost data, or output levels… .”

In the absence of a uniform legislative solution by Congress, businesses should view the policy statement’s invitation to share cyber threat information with caution.  Given the number of employees at the FTC and DOJ, their varying personalities, individual agendas, and autonomy, the subjective “analytical framework” will most likely not be applied in a uniform or predictive fashion.

Cybersecurity Trends for 2014

post_lockBy Steven Caponi

Nearly 100 million retail customers had their personal information stolen this past holiday season, signaling that cyber crime is becoming more pervasive, its perpetrators more sophisticated, and the harm it causes (to both individuals and companies) harder to calculate. Companies are adopting policies to prevent and respond to cyber attacks, but before they can agree and implement defensive measures or best practices, those perpetrating cyber attacks are diligently working to circumvent the defensive measures and expand into completely new areas.  Thus, companies must keep a vigilant eye on both yesterday’s attack and the emerging threat that may not materialize for another six months to a year.

For more information about this issue, as well as the cybersecurity landscape in 2014, visit Corporate Compliance Insights to read a recent article authored by me and Michael Iannucci.