Cyber Security Seminar · 2019-12-23 · Cyber Security Seminar September 14, 2019 Presentations...
Cyber Security Seminar
September 14, 2019
Presentations from:
Sean McMillan, P.E. of Jones|Carter
Kim Courte, CPCU of Arthur J. Gallagher & Co.
Agenda
American Water Infrastructure Act
Texas HB 3834
How do I stay informed?
Latest Threat Landscape - Ransomware
• Multiple cities and other governmental agencies have been attacked this year.
• Cities attacked include Baltimore, Albany, Laredo, Amarillo, Atlanta, and many more.
• Lake City, Florida had insurance which paid a ransom of $460,000 in Bitcoin. Riviera Beach, Florida paid $600,000.
• Atlanta refused to pay a $51,000 ransom. It is estimated the recovery will cost $17 million.
• Baltimore refused to pay $75,000. It is estimated the recovery will cost $18 million.
• Cities and municipalities are having problems hiring cybersecurity staff and paying for necessary resources and equipment.
• Paying ransoms may be the least expensive way to solve the problem, but encourages more attacks and provides funds to enable more attacks.
Latest Threat Landscape - Ransomware
• On the morning of August 16, 2019, a coordinated attack on 22 Texas cities was conducted. It is the largest coordinated ransomware attack so far.
• A single threat actor is behind the attack. It is believed to be Ryuk, which is the same virus used in the Florida attack.
• Governor Abbott ordered a Level 2 Escalated Response and has deployed cybersecurity experts to help assess damage and bring the affected entities back online.
AWIA – American Water Infrastructure Act
• AWIA was passed by Congress on October 23, 2018.
• It requires all utilities that serve a population of more than 3,300 people to develop risk assessments and emergency response plans.
Requirements of the AWIA
• Each community water system serving a population of greater than 3,300 persons shall assess the risks to, and resilience of, its system. Such an assessment shall include:
– the risk to the system from malevolent acts and natural hazards;
– the resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system;
– the monitoring practices of the system;
– the financial infrastructure of the system;
– the use, storage, or handling of various chemicals by the system; and
– the operation and maintenance of the system.
AWIA – Baseline Threat Information
• Assault on Utility – Physical
• Contamination of Finished Water – Accidental*
• Contamination of Finished Water – Intentional
• Theft or Diversion – Physical
• Cyber Attack on Business Enterprise Systems
• Cyber Attack on Process Control Systems
• Sabotage – Physical
• Contamination of Source Water – Accidental*
• Contamination of Source Water – Intentional
AWIA – Baseline Threat Information
• Cyber Attack on Business Enterprise Systems
– Social Media?
– Notification Systems?
– Social Engineering Attacks?
• Cyber Attack on Process Control Systems
– SCADA
– Alarm Dialers
AWIA – Cyber Attacks
• Requires a risk and resiliency assessment and emergency response plan.
• Requires utilities to submit certification that they have completed the plans. Do not submit the plan itself.
• There are tools for performing a self-assessment from EPA. There are also professionals who can help.
• Because most utilities will have to do it, resources will be strained. Don’t wait.
Texas HB 3834
• The State of Texas (HB 3834) is now requiring government employees and elected officials to take a cybersecurity awareness training program.
• Exemption if the entity employs a ‘dedicated information resources cybersecurity officer.’
• Texas Department of Information Resources is currently reviewing training plans.
• Annual training must be completed by June 14, 2020 by the following employees:
• State Agencies: Employees who use a computer to complete at least 25 percent of the employee’s required duties, and elected or appointed officers of the agency.
• Local Government Entities: Employees who have access to a local government computer system or database, and elected officials.
• Contractors of state agencies who have access to a state computer system or database must complete training during the term of the contract and during any renewal period.
How do I stay informed?
• Monitor sources such as:
– https://www.us-cert.gov/
– https://csrc.nist.gov/
– https://www.sans.org/security-resources/blogs
– https://www.cybrary.it/
– https://krebsonsecurity.com/
– https://www.schneier.com/
– EPA
– AWWA
– Water ISAC
– The news
District Cyber Presentation
Kim Courte, CPCU
W.I.N. Program Director
Gallagher
TOPICS
Causes
Cyber & Privacy Liability
Data Breach & Response
Protection
CAUSES
Hackers use – Internet & Email
Malware
Ransomware, Extortion, Terrorism
Phishing/Spear Phishing
Paper, Computer Systems & Employees (direct & vendors)
Negligence
Websites
Security Failures
Lost Mobile Devices
Improper Disposal
Malicious
Equipment Controls Connected to Internet
CYBER & PRIVACY LIABILITY
Arises From and Cost Associated:
Failure of computer security resulting in transmission of malicious code, denial of service, etc.
Data Breach: Unauthorized release of information when legally required to keep private
Defense cost in State or Regulatory proceedings that involve violations of privacy
Expert resources and monetary reimbursement of related out-of-pocket expense
DATA BREACH 2004-2017 BY THE NUMBERS
SIMPLIFIED VIEW OF A DATA BREACH
[Figure stages: Discovery of a Data Breach; Evaluation of the Data Breach; Managing the Short-Term Crisis; Handling the Long-Term Consequences]
Theft, Loss, or Unauthorized Disclosure of Personally Identifiable Non-Public Information
Forensic Investigation and Legal Review
Notification and Credit Monitoring
Class-Action Lawsuits
Regulatory Fines, Penalties, and Consumer Redress
Public Relations
Reputational Damage
Income Loss
BROAD FORM CYBER INSURANCE PROVIDES
24 Hour Immediate Engagement of Cyber Specialist
Crisis Management & Public Relations
Assistance with Forensic Investigation
Notification Cost
Credit Monitoring Expenses (Required and Voluntary)
Defense Cost
State Regulatory
Liability
Cost of Settlements or Judgements
CONCLUSION
Cyber Attack: It is not a question of “if”, it is “when”
Prepare
Identify and Mitigate Risk
Written Information Security Policy
Incident Response Plan
Manage Vendors
Protect Your Entity and your customers with Cyber Liability Insurance