Cybersecurity on Track Catherine Lovrics, Partner Ken Bousfield, Partner

Cybersecurity on track Catherine Lovrics, Partner Ken Bousfield, Partner

April 25, 2018 The Headlines

2 Project Honeytrain

Sophos (UK) and Koramis (DE) created a virtual rail transport control and operating system as a honeypot to analyse attacks against industrial control systems used in the railway industry. The Honeytrain included: - a virtual train control system - a web-based ticketing system - a CCTV media server • A total of 2,745,267 attacks were detected over 6 weeks. • Of these, 4 attacks successfully compromised the virtual train control system.

3 Cybersecurity to protect IP rights

Trade Secrets & Confidential Information • Duty to maintain confidentiality and not disclose

*consider if your measures are proprietary – e.g.: Patents Copyright

4 Cybersecurity to protect privacy rights

1. Safeguard personal information • physical measures, for example, locked filing cabinets and restricted access to offices; • organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and • technological measures, for example, the use of passwords and encryption 2. Limit collection of personal information 3. Notify government and consumers of certain breaches 4. Set policies and keep records

5 Regulator enforcement & class actions

• Violation of privacy laws (e.g. failure to safeguard; failure to notify of a breach) • Negligence • Tort of invasion of privacy • Breach of implied warranties – e.g. merchantability • Fraudulent concealment • Intentional or negligent misrepresentation

6 Public relations

7 Breach trends

• Escalating costs – Average cost per breached record = approx. $190 (2017) – Average cost of data breach = approx. $4.31 million dollars • Escalating scale and size – Average 21,750 records • Various causes – malicious attacks – hacking/unauthorized access by third parties/state sponsored attacks – system glitches and human error - accidental exposure of information (theft or loss) – snooping - misuse of information by employees, contractors and insiders (disgruntled, curious, or corrupted) – third party vulnerability

8 Cybersecurity, an oversimplified “how to”

AUDIT, PROTECT, DETECT, RESPOND AND IMPROVE • Take inventory, limit and secure  data, devices, software, admin and access privileges, secure networks, establish malware and boundary defenses, wireless access controls, etc. • Assess readiness, skills/ability/knowledge and fill gaps • Implement and follow policies, procedures and plans (and update!) • Heighten organizational awareness with education and training • Continuously assess vulnerability and remediate • Maintain, monitor and analyze logs • Penetration testing and red team exercises • Have an incident response team and plan in place

9 Cybersecurity frameworks, guidelines and standards

National Institute of Standards and Technology (NIST) Cybersecurity Framework International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) IEC 27001/2 Standards Center for Internet Security (CIS) Critical Security Controls (CSC) Information Security Forum (ISF) Standard of Good Practice ISACA’s Control Objectives for Information and Related Technologies (COBIT) International Society for Automation (ISA) ISA99 Industrial Automation and Control Systems Security (also IEC 62443 and IEC 62734) Payment Card Industry Compliance and Data Security Standard (PCI DSS) Hire experts to audit and implement

10 Industry Standards

AAR and other security standards • Conform to the (many) applicable AAR standards pertaining to communications and electronic control • ISO 27001 • NIST SP800-53 • ISA/IEC 62443 • ISO/IEC TR 15443 • BS EN 50159:2010 (UK) • APTA

Generally • Stay up to date with the evolution of standards (standards should be living documents) • Support standards-setting agencies and participate in the development of standards

11 Data considerations

Know what you have • Conduct an audit to determine what data you hold – pay particular attention to personal information, including sensitive data, confidential information and trade secrets • Collect and retain only what you need! Avoid over-collection. Know where it is kept • Location - physical, cloud and jurisdiction • Set rules for backups and archiving (e.g. minimize redundant and rogue storage and avoid non-secure storage to the extent possible) Encrypt whenever viable • Encrypt data when stored and in transit • Require data on portable storage devices to be encrypted first (portable storage devices are notoriously easy to lose and are susceptible to theft) Destroy & purge • Retain data only as long as necessary or legally required • shred documents; destroy CDs, USBs; permanently wipe hard drives

12 Device and system considerations

Control the use of computers and devices • Encryption • Block access to inappropriate websites • Prohibit use of unapproved software • Require employees to select strong passwords and change them at regular intervals Monitor • BYOD program – to ensure employees are following policies • Access and use of computer systems is authorized Systems • Keep security and anti-virus software up-to-date • Manage use of portable media and BYOD • Use a VPN for remote access • Back-up (this is especially useful in instances of ransomware) • Use data-loss prevention software

13 Employee considerations

Written policies and procedures – Duty to immediately report potential / suspected / confirmed security incidents – How to spot potential scams (i.e., phishing, malware) – Physical security (clean desk, locked drawers) – Bring your own device (BYOD) Awareness, training & education – On-boarding of new employees , with sign-off on policies – Conduct yearly re-training for all employees Limit access – Access and privileges on a dynamic “need to know” basis – Restrict “admin” access – Revoke access when no longer necessary – Implement a separation of duties – Off-boarding of employees Consider other devices (e.g. wearables) used by employees and tracking Audit employees Hold third parties to the same standards

14 Heightened risk with critical infrastructure

15 Hacks

16 The target: nuissance/prank

17 The target: personal information

18 The target: other information & kinetic effect

Allianz Insurance: Vulnerability of shipping to Cyber Attacks: • “Examples of cyber security issues reported to date include a hacker causing an oil platform located off the coast of Africa to tilt to one side, thus forcing it to temporarily shut down. (Emphasis added.)

• Hackers have also infiltrated cyber systems in a port to locate specific containers loaded with illegal drugs and remove them undetected.”

• Allianz Risk Barometer, 2015. • http://www.agcs.allianz.com/insights/expert- risk-articles/cyber-incidents-and-piracy/

19 Social engineering (the human element)

“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted. It's essentially meaningless.”

-- Kevin Mitnick

20 The human element (Stuxnet)

• Targeted programmable logic controllers (PLCs) used to run centrifuges at the Natanz nuclear enrichment facility in Iran. • Succeeded in causing significant technical problems at the facility, including a “significant nuclear accident” in 2009 • Natanz was an “air-gapped” facility, i.e. isolated from the public internet

21 Ransomware attacks

22 Ransomware

23 San Francisco MTA

"We never considered paying the ransom. We have an IT team on staff who can fully restore all systems," said San Francisco Municipal Transportation Agency spokesman Paul Rose.”

24 City of Atlanta

25 Distributed denial of service (DDoS) attacks

26 Websites, booking/ticketing and travel planning apps

27 Looking ahead…

28 Looking ahead…

29 Be prepared…

Create an incident response plan – easier to plan now then try to plan on the fly during a high-stress situation: • Involve senior level management – make it a corporate priority • Identify key stakeholders & decision makers – with a clear leadership structure – Information technology – Legal & regulatory compliance – Security & risk – Communications - designate spokespeople, determine channels (Twitter, designated website, etc.) – Human resource • Engage / retain third parties – legal counsel, breach coach, cybersecurity insurance, PR firm, forensics, etc. • Identify legal notification obligations (who do you have to notify and when?)

Test your incident response plan • Set up a mock disaster, test how well the team responds and see whether there are any issues with your plan before a real disaster strikes

Review your incident response plan • Determine whether there are any new areas of risk that have been identified / developed since the plan was created • Revise your plan – hackers are trying to stay one step ahead of you!

30 Record keeping requirements

For example, in Canada: • All businesses will be required to maintain a record of any data breach that the business becomes aware of, and provide it to the Commissioner upon request (irrespective of whether the business concludes the breach gives rise to a real risk of significant harm to affected individuals). • The draft regulations also confirm a broad scope and 2-year retention period for data breach record-keeping. – Businesses must maintain a record of every breach of security safeguards for 24 months “after the day on which the business determines that the breach has occurred”. • Records must contain sufficient information to permit the Commissioner to verify compliance with the breach reporting regime. • For breaches reported to the Commissioner, the report submitted may be used as a “record” of the breach.

31 Glitch vs. breach?

32 Data breach notification

• Mandatory breach notification in numerous countries, with different triggers. • In Canada, for example: – Is there a “real risk of significant harm”? – Notify government and affected consumers • Goals: – encourage businesses to safeguard personal information and invest in security – inform consumers to enable ‘self-help’ to reduce and mitigate their damages – effective government oversight • ensure the government receives consistent and comparable information about data breaches

33 You can run but…

34 Notification fatigue

notification fatigue /nōdəfəˈkāSH(ə)n//fəˈtēɡ/ Noun • extreme tiredness after mental exertion resulting from attending to an influx of notifications • a state of inurement or indifference brought about by excessive appeals to one’s attention by notifications • a reduction in the efficiency of mental processing after being bombarded by notifications

35 Not all foreign governments are helpful

2009 – Roman Seleznev • US Secret Service met in Moscow with Russian Federal Security Service, (FSB) • US accused Seleznev of installing credit card malware to steal millions of credit card numbers • Father was a member of the Russian Parliament. • Within weeks, all evidence of Mr. Seleznev’s online identity vanished from the internet.

2014 – Evgeniy Bogachev – Operation Tovar • FBI offered $3 million reward. Russia refused to extradite

2016 - Dmitry Ukrainsky • Arrested in Thailand. Russian Government prevented extradition to US

2016 - Joshua Samuel Aaron • Wanted by the F.B.I. for stealing hundreds of millions of dollars from Wall Street banks. • Arrested after arriving on a flight from Moscow, is an American, not a Russian.

36 No travel for you …

Sacha Panin - Designer of SpyEye Software … - Infected Millions of computers - Arrested him on July 1, 2014 in the Dominican Republic while waiting to board a plane … - Sentenced in 2015 to 9 years in jail Vladislav Horohorin - Attacked RBS main server in Atlanta. 2.5 million stolen credit and debit card numbers - Arrested boarding a plane in Nice to go to Warsaw - In April 2013 sentenced to 7 years in jail; deported to Israel February 2017 Hamza Bendelladj, Algeria - Attacked over 200 financial institutions. Arrested Jan. 5, 2013, at the airport in Bangkok. - Extradited to the U.S. … 15 years in jail. Vladimir Drinkman, Russia - Commercial hack: $300 million. Targeted NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment … - Arrested June 28, 2012 in the Netherlands. - Signed a plea deal on May 19, 2015 as a co-operating witness. Still awaiting sentence. Albert Gonzales, Miami, Florida - Arrested for attacks on Dave & Busters (2008); Heartland Payments (2009); TJ Maxx (2010) - Alleged to have committed further offences while negotiating a plea deal. 20 years in prison..

37 I fought the law and the law won …

“Cybercriminals be forewarned: you cannot hide in the shadows of the internet,” said Sally Yates, then-US attorney in Georgia, subsequently deputy A.G. of the United States. “We will find you and bring you to justice.”

True for Roman Seleznev: Captured in 2014 vacationing in the Maldives, flown to Guam. April, 2017: Longest sentence in US Cyber Crime history: 27 years.

Russian gov’t declared Mr. Seleznev’s arrest unlawful “kidnapping.” Denied involvement and criticized the American government’s efforts to arrest Russian citizens traveling abroad…

38 Catherine Lovrics [email protected] Ken Bousfield [email protected]

April 25, 2018