Energy Organizations Take Note

Protecting your business from cyber breaches can be a daunting task. This is especially so with limited budgets and personnel. Most know of the horror stories, some think "it will not happen to my company", "we’re too small to care about", "we’re not vital to the industry", "we have adequate security". . . . Even so, many executives still worry about the business interruption, customer data loss, company reputation, the cost of protecting cyber information and possible litigation.

The U.S. Department of Justice has recently issued a cybersecurity “best practice” guidance document written for smaller organizations that provides helpful cost efficient practices.

What is important about the DOJ cybersecurity guidance for smaller organizations is that, if followed, it may well serve to help mitigate litigation expense while providing a cost effective means to enhance your organization’s cybersecurity program. It was drafted with smaller, less resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.

We understand that many smaller energy organizations may have in place hardware and software to protect their corporate computer systems. We also understand that many smaller energy organizations’ computer systems that control and operate their energy assets are not subject to the high-level NERC CIP Standards, or in many cases not subject to any NERC Standards.

Nevertheless, we have learned that prudence dictates that all organizations have in place cybersecurity “programs”, not just protection hardware and software, but written cybersecurity “programs” that meet some recognized standard for their corporate computer systems and computer systems that control and operate energy assets. The DOJ cybersecurity “best practices” for smaller organizations may well serve as a recognized standard and thus help protect your organization and mitigate expensive litigation.

Highlights from the DOJ Cybersecurity “Best Practices” Document – Version 1.0 (2015)

Excerpt:

Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs.

This “best practices” document was drafted by the Cybersecurity Unit to assist organizations in preparing a cyber incident response plan. It reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and tradecraft can thwart recovery. It also incorporates input from private sector companies that have managed cyber incidents. It was drafted with smaller, less resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.

U.S. Department of Justice – Cyber Incident Preparedness Checklist

Before a Cyber Attack or Intrusion

• Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
• Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cyber security Framework.
• Create an actionable incident response plan.
  • Test plan with exercises.
  • Keep plan up-to-date to reflect changes in personnel and structure.
• Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
• Have procedures in place that will permit lawful network monitoring.
• Have legal counsel that is familiar with legal issues associated with cyber incidents.
• Align other policies (e.g., human resources and personnel policies) with your incident response plan.
• Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cyber security firms that you may require in the event of an incident.

During a Cyber Attack or Intrusion

• Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch.
• Minimize continuing damage consistent with your cyber incident response plan.
• Collect and preserve data related to the incident.
  • “Image” the network.
  • Keep all logs, notes, and other records.
  • Keep records of ongoing attacks.
• Consistent with your incident response plan, notify—
  • Appropriate management and personnel within the victim organization.
  • Law enforcement.
  • Other possible victims.
  • Department of Homeland Security.
• Do not—
  • Use compromised systems to communicate.
  • “Hack back” or intrude upon another network.

After Recovering from a Cyber Attack or Intrusion

Preti Flaherty helps organizations of all sizes develop and implement cybersecurity programs for their corporate and operations computer systems. For the full 15-page DOJ cybersecurity “best practices” document, or for additional information, please contact William Roberts at [email protected] or call 617.226.3800.