Recent events have left no doubt: cyber attacks already present a substantial threat to critical infrastructure and other industrial systems. Companies in the energy, chemicals, transportation, manufacturing, infrastructure or other relevant sectors should understand and be able to respond to these threats. Indeed, numerous reports have described sophisticated nation state actors’ efforts to compromise the electric grid, and leading security firms have analyzed destructive attacks on industrial systems around the world. An attack on a Florida municipality’s water system, for example, highlighted how attacks can lead to physical injury or environmental harm. Likewise, the recent pipeline shutdown showed how cyber attacks on critical infrastructure could have substantial ripple effects across the economy.
Legal and reputational risks from industrial cyber attacks are also substantial. While specific legal risks vary by sector, businesses may face regulatory enforcement, consumer class action or mass tort litigation, commercial litigation, securities or derivative litigation, or other forms of suit. Likewise, companies may face substantial reputational risk after a publicly disclosed attack or vulnerability, including from public scrutiny of their engagement with the government, their decision on whether to pay ransom and their sharing of information with the public.
This scrutiny will continue to increase as governments prioritize strengthening critical infrastructure cybersecurity. In the United States, for example, the US National Security Agency recently warned companies about the cybersecurity risks to industrial systems. And President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity expressly highlights the operational technology that supports critical infrastructure. It urges the private sector to “adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” Likewise, the Biden administration has already moved to impose new cybersecurity regulatory requirements on the pipeline industry.
Managing cyber risk consequently is a priority for operators of critical infrastructure and other industrial systems—and legal departments have an important role to play. Industrial cybersecurity presents legal risks distinct from those of traditional enterprise cybersecurity. An attack that halts an industrial compressor is very different from a compromise of personal data. Still, legal teams can draw on familiar risk management practices to mitigate these risks. Here are five steps that legal departments can take now to reduce the legal risks from cyber threats to critical infrastructure and other industrial systems.
Understand Your Risk.
Understanding the legal risks a company faces from industrial cyber threats can provide a strong foundation on which a legal team can build. While the specifics will vary by company, answering three questions can help a legal team understand its applicable regulatory, litigation and contractual risk under governing frameworks.
First, evaluate the maturity of the company’s industrial cybersecurity program. To be clear, the legal team should not expect to be able to offer an opinion on the adequacy of technical security controls or architectures. However, basic questions can help a legal team quickly understand the cybersecurity program’s general posture—i.e., the nature and scale of the threats it faces, the quality of its defenses and its readiness to respond effectively if those defenses fail. For example, a legal team can ask whether the company has performed a cyber risk assessment for the systems it operates and, if so, what actions the company has taken in response to that assessment. Likewise, the legal team can review relevant policies and procedures to evaluate whether they address the necessary topics and provide sufficient guidance to the relevant teams. The legal team can also review existing contracts to determine whether responsibility and liability are appropriately allocated between the company and its vendors. Moreover, the legal team can evaluate existing governance mechanisms to understand whether industrial cyber risk is managed effectively across stakeholder groups and overseen effectively by senior management. Through these and related inquiries, the legal team can quickly understand the overall state of the company’s program for managing industrial cyber risk.
Second, consider how technical or administrative hurdles may complicate cyber legal risk mitigation. Industrial systems are often not visible to company administrators, for example, and a company may not be readily able to patch machines or take them offline when an incident occurs. Industrial machines are not smartphones, after all; these machines have high uptime requirements and extended lifecycles (in many instances extending beyond their support date) and must be managed differently as a result. Understanding how such practical constraints apply in the context of the business will help legal departments better understand the relevant legal risks.
Third, identify existing touchpoints with the government, along with likely government expectations for future engagement. Operators of critical infrastructure in particular should anticipate that a wide range of government stakeholders will take an interest in their activities. Whether through regulatory or non-regulatory agencies, that engagement can carry significant risks for companies. Understanding those likely touchpoints can help companies avoid being caught off guard by such outreach.
One practical tip: legal teams should be skeptical of claims that a company does not need to focus on cybersecurity because its industrial systems are not connected to the internet or are too old to be hacked. A legal team may need to pressure-test such claims in order to mitigate cyber risk effectively, including by suggesting that a third-party expert validate such statements through a penetration test or other means. Indeed, fuller engagement of third parties to assess the risk posed by industrial cyber threats is often a feature of more established cybersecurity programs.
Have a Plan.
A well-tailored incident response plan can be the difference between an effective response to a cyber incident and a response that compounds the problems the incident caused. Plans can vary substantially across companies based on their culture, organization and specific legal risks and obligations. At bottom, however, incident response plans typically describe the process that the company will follow in responding to incidents and the roles and responsibilities of identified stakeholders—and do so in a manner that is tailored to the company. Putting such a plan in place is a critical first step. Importantly, companies that operate critical infrastructure or other industrial systems should not assume that a business continuity plan or disaster recovery plan will adequately address the full range of cyber incidents that a company may experience. Likewise, a critical infrastructure company should not assume that its plan for responding to attacks on its traditional IT systems or to a data breach will provide sufficient guidance for responding to incidents involving industrial systems. Rather, it should ensure that its plans leverage the appropriate technical teams and escalation protocols given the types of industrial systems at issue and the internal allocation of responsibilities.
Over time, a critical infrastructure company should ensure that its incident response plan continues to provide relevant and timely guidance. For example, a plan (or plans) should provide guidance for likely scenarios, including attacks at the points where information technology systems and industrial systems converge, as well as attacks on operational technology itself. The incident response plan also should guide the relevant team through decisions a company may have to make, including how to evaluate containment options and when and how to engage with law enforcement and other government stakeholders. Similarly, an incident response plan should incorporate lessons learned from prior incidents and exercises.
Build Relationships.
Delivering timely advice to the right stakeholders is critical to reducing a company’s risk from industrial cyber threats. This will require the groups responsible for securing, operating or supporting industrial systems to know why, when and how to work with the legal team on industrial cybersecurity matters. This in turn requires the prior development of working relationships with those stakeholders, including those in engineering, safety and plant management.
That work can take time, particularly if the legal team must win those stakeholders’ buy-in and educate them on the legal department’s role in industrial cybersecurity. But that work pays dividends. Engaging with those stakeholders will allow the legal team to explain how it can help reduce relevant risks, as well as when those stakeholders should reach out to the legal team for assistance. Likewise, it will enable the legal team to understand roles and responsibilities within the organization, potential sources of friction or uncertainty, and potential gaps in the company’s approach. Whether through formal training or informal outreach, those relationships can be extremely valuable for understanding how to navigate industrial cyber risk management challenges within the company, as well as for building trust that the team can draw on during an incident.
Companies with more mature programs may well have established relationships in place. While the heavy lifting may largely be done for those organizations, maintaining strong relationships is an ongoing process, because stakeholders can change positions or leave the company, and new challenges may strain existing relationships.
Engage Outside Experts.
Forensics companies can provide critical expertise in the wake of a cyber attack, along with valuable validation of a company’s investigation. Attacks on industrial systems in particular demand distinct expertise from that offered by a traditional enterprise IT security company. As a result, it can be valuable to engage an appropriate security team, with expertise specific to the industrial systems a company operates, in advance of any future incident. Retaining that provider under privilege through counsel can help ensure that counsel can advise the company about an incident based on a clear understanding of the facts.
In addition, a company may wish to retain a communications firm that is expert in crisis communications. Again, doing so through counsel will facilitate candid discussions about a company’s communications strategy in the wake of a cyber incident.
Whatever outside support a company needs, there will be value in putting it in place before an incident. Doing so can help a company avoid losing precious time seeking and engaging experts when an incident has occurred.
Practice Your Plan.
An organization should not test its incident response plan for the first time during an actual cyber attack on industrial systems. Companies instead should use tabletop exercises to prepare to handle a real incident and to capture any lessons learned for further refinement of governing plans and policies. The tabletop scenario should be tailored to the risks faced by the company to ensure these exercises are as realistic and effective as possible. Such exercises can contribute to the relationship building discussed above, as well as further clarify appropriate roles and responsibilities across groups. They also can feed back into the legal team’s ongoing assessment of the company’s cybersecurity posture by allowing the legal team to determine how the company’s team, policies and procedures fare when facing a hypothetical, but realistic, scenario. In this way, tabletop exercises can play an important role in a company’s ongoing strengthening of its cybersecurity program.