June 16, 2015 Article

Best Practices on Cybersecurity: Guidance for Energy Organizations from the Department of Justice

Energy Organizations Take Note

Protecting your business from cyber breaches can be a daunting task. This is especially so with limited budgets and personnel. Most know of the horror stories, some think "it will not happen to my company", "we’re too small to care about", "we’re not vital to the industry", "we have adequate security". . . . Even so, many executives still worry about the business interruption, customer data loss, company reputation, the cost of protecting cyber information and possible litigation.

The U.S. Department of Justice has recently issued a cybersecurity “best practice” guidance document written for smaller organizations that provides helpful cost efficient practices.

What is important about the DOJ cybersecurity guidance for smaller organizations is that, if followed, it may well serve to help mitigate litigation expense while providing a cost effective means to enhance your organization’s cybersecurity program. It was drafted with smaller, less resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.

We understand that many smaller energy organizations may have in place hardware and software to protect their corporate computer systems. We also understand that many smaller energy organizations’ computer systems that control and operate their energy assets are not subject to the high-level NERC CIP Standards, or in many cases not subject to any NERC Standards.

Nevertheless, we have learned that prudence dictates that all organizations have in place cybersecurity “programs”, not just protection hardware and software, but written cybersecurity “programs” that meet some recognized standard for their corporate computer systems and computer systems that control and operate energy assets. The DOJ cybersecurity “best practices” for smaller organizations may well serve as a recognized standard and thus help protect your organization and mitigate expensive litigation.


Highlights from the DOJ Cybersecurity “Best Practices” Document – Version 1.0 (2015)

Excerpt:

Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs.

This “best practices” document was drafted by the Cybersecurity Unit to assist organizations in preparing a cyber incident response plan. It reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and tradecraft can thwart recovery. It also incorporates input from private sector companies that have managed cyber incidents. It was drafted with smaller, less resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.


U.S. Department of Justice – Cyber Incident Preparedness Checklist


Before a Cyber Attack or Intrusion

  • Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
  • Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cyber security Framework.
  • Create an actionable incident response plan.
    • Test plan with exercises.
    • Keep plan up-to-date to reflect changes in personnel and structure.
  • Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
  • Have procedures in place that will permit lawful network monitoring.
  • Have legal counsel that is familiar with legal issues associated with cyber incidents.
  • Align other policies (e.g., human resources and personnel policies) with your incident response plan.
  • Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cyber security firms that you may require in the event of an incident.


During a Cyber Attack or Intrusion

  • Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch.
  • Minimize continuing damage consistent with your cyber incident response plan.
  • Collect and preserve data related to the incident.
    • “Image” the network.
    • Keep all logs, notes, and other records.
    • Keep records of ongoing attacks.
  • Consistent with your incident response plan, notify—
    • Appropriate management and personnel within the victim organization.
    • Law enforcement.
    • Other possible victims.
    • Department of Homeland Security.
  • Do not—
    • Use compromised systems to communicate.
    • “Hack back” or intrude upon another network.


After Recovering from a Cyber Attack or Intrusion

  • Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
  • Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.

  • Preti Flaherty helps organizations of all sizes develop and implement cybersecurity programs for their corporate and operations computer systems. For the full 15-page DOJ cybersecurity “best practices” document, or for additional information, please contact William Roberts at [email protected] or call 617.226.3800.

    Firm Highlights

    Publication

    Litigation and Arbitration Venue Provisions in Construction Contracts: When and How They Work

    Venue and choice-of-law provisions are fairly standard in construction contacts, but can be overlooked due to their location within a contract. When drafted effectively, these provisions can help limit uncertainty about where and how...

    Press Coverage

    Maine State Police May Be Spying on You

    Police and governments are increasingly turning to new tracking and monitoring methods in their efforts to prevent and record evidence of crimes. A Portland Press Herald investigation examines these expanding law enforcement abilities and the...

    News

    Preti Flaherty Welcomes Government Relations Liaison Andrew I. Roth-Wells to the Firm

    Preti Flaherty is pleased to announce that Andrew I. Roth-Wells has joined the firm as a Government Relations Liaison. Andrew will help manage legislative and regulatory advocacy efforts for the firm’s Government Affairs Team...

    Publication

    ConsensusDocs vs. AIA - Which Contract Is Best for Contractors?

    Choosing the right contract is essential to protecting your rights as a contractor. AIA Contracts have long been the industry standard, but Consensus Docs are fast becoming a reasonable option. In this article, Nathan...

    Event

    2020 Cannabis Law Breakfast - Winter Update

    Event

    2020 Employment Law Series: A Legislative Update for HR Professionals

    For more than 25 years, Preti Flaherty's Employment Law Group has been keeping clients, business partners, and friends up to date on recent developments in employment law. Join us as we continue that tradition...

    Press Coverage

    Bangor superintendent blocked BDN reporter on Twitter after critical news coverage

    In an apparent violation of the First Amendment, Bangor schools superintendent Betsy Webb temporarily blocked a journalist on Twitter following a report that news of a student suicide was announced over the loudspeaker at...

    Event

    2020 Employment Breakfast Series: Strengthening Your Company's Management of Accommodation Requests

    For more than 25 years, Preti Flaherty's Employment Law Group has been keeping clients, business partners, and friends up to date on recent developments in employment law. Join us as we continue that tradition...

    Publication

    The Potential of the Blockchain for Asset Protection Planning

    While many legal scholars focus on the challenges and complications seemingly inherent to blockchain and cryptocurrency, others look past the fear and see potential. In this article for Cumberland Law Review , Ian Huyett and Brian Quirk...

    News

    Preti Flaherty Attorney Benjamin S. Piper Promoted to Partner

    Preti Flaherty is pleased to announce that the firm’s partnership has named attorney Benjamin S. Piper as a partner. Ben is a member of the firm's Environmental, Litigation, and Media Law Practice Groups and works...