Cybersecurity Analysis

Part 01 of 56

Cybersecurity Importance - Insurance Industry

Three of the top reasons why cybersecurity is important for insurance firms include the massive amounts of identity data that insurers collect on their customers, the widespread use of third party vendors and business partners, and the heightened regulatory requirements for security of insurance firms.

Massive Amounts of Identity Data

  • The most important reason for insurance firms to have top-notch cybersecurity capabilities is that insurance firms by nature collect and store massive amounts of personal, identifying data from their customers.
  • This information ranges from the basic, like social security numbers and addresses, to the more complex, like health records and payment data.
  • In a survey of insurers, 62% reported that "data leakage or data loss prevention" was a high priority for their firm.
  • Additionally, 64% of insurers surveyed reported that "customers’ personal, identifiable information is the most valuable information to cyber criminals."
  • In most known security breaches at insurance companies, this personal customer data has been obtained, including the breach of a US health insurer in July 2016 where 3.7 million customers and health care providers had confidential data stolen, a breach of a different health insurer in 2015 where the personal data of 78 million users was obtained, and another IT breach of a different insurer in 2015 where identifying data for 1.1 million members was compromised. These are just some of many examples.
  • If consumer data is compromised, consumer confidence in the insurance brand is damaged and there can be severe financial consequences.

Widespread Use of Third-Party Partners

  • Insurance firms also make use of many third-party partners like subrogation vendors, law firms, and other business partners.
  • As such, insurance firms must not only make certain their cybersecurity programs are state of the art, but also that those of any third-party vendors they utilize are on par. In the words of the experts, "even the most sophisticated insurance company spending hundreds of thousands of dollars on cybersecurity are only as secure as the weakest subrogation vendor or law firm they utilize."
  • Currently, this does not seem to be happening. When surveyed, only 41% of insurance companies stated that they held their partners to "the same cybersecurity standards as they do their own business."
  • If a data breach were to happen within one of an insurance firm's business partners or contractors, the fallout in terms of business reputation, consumer trust, regulatory fines and financial losses could be the same as if the breach occurred at the insurance firm itself.
  • Just in January of 2019, a third party vendor of HSBC Life Insurance was breached, Humana insurance was breached via a business partner, and Highmark BCBS, Aetna, Humana, and United Health were all breached due to their use of a third-party administrator.

Increased Regulatory Requirements

  • In order to remain in compliance with regulation, insurance companies must have more cybersecurity protections than are required for many other industries.
  • One regulation specific to the US is the 23 NYCRR Part 500, a mandatory regulation established by the New York State Department of Financial Services (NYDFS) requiring "covered entities to calibrate their cybersecurity programs by using periodic risk assessments to determine criteria to identify, evaluate and mitigate risks by establishing appropriate controls and technological developments."
  • All health insurers in the US are regulated under HIPAA laws.
  • Additionally, many of the top US insurers like AIG, Berkshire Hathaway, MetLife and The UnitedHealth Group all work internationally, including in the European Union. Therefore, these insurers must also comply with EU General Data Protection Regulation (GDPR), which has strict data protection requirements.
  • Failure to comply with these regulations can result in regulatory fines, especially if data was found to have been compromised.
  • Experts have stated that "regulation is one of the key differentiators driving cyber insurance uptake in different geographic regions."

Research Strategy

Reasons selected were identified as most important based on the fact that they were mentioned by multiple experts across different media.

Part 02 of 56

Data Protection - Insurance Industry

Insurance companies collect an enormous amount of data on each potentially-insured person and each insured person. This includes personal demographic data, personal financial data, health information, home and property information, and others. The most important pieces of this information to protect are the birthdates, social security numbers, driver’s license numbers, and financial data as those are most vulnerable to becoming fodder for identity theft and fraud.

General Data Collection & Use by Insurance Companies

  • Insurance companies collect data on the insured, and use this information to inform the costs of insurance. These companies collect data such as occupations, levels of education, and credit scores, which in turn significantly impact the premiums the insured may pay.
  • Some states, like California and Massachusetts for example, have passed laws limiting the information insurance companies can collect and/or use to inform policy cost decisions.
  • Although many consumers believe they have the same protections from their insurance companies as they do for their financial institutions, this is not typically the case. Insurance laws vary from state to state, and most “are incomplete by virtue of the fact they do not state the specifics of what must be disclosed,” which leaves plenty of room open for the companies to make their own rules.
  • Most “consumers don’t know a database of insurance information is continuously collected on them,” or that it is routinely and widely shared within the industry.
  • Insurance companies collect a wealth of private information from the insured (or potentially insured), including: “credit reports, the market value of your home, age, marital status, education, and in the case of a life insurance policy, the status of your health.” Most of these companies have more information on the average person than “legal authorities can often obtain,” without the need for pesky things like warrants.

Homeowners’ / Renters’ Insurance

  • To register for homeowners’ or renters’ insurance, individuals must submit personal information, like birthdates and social security numbers, the address of the home, information on the home (cost, size/dimensions, mortgage information which means financial info), and information on current conditions of the home (including amenities) and whether any renovations or repairs have been done on the home.
  • To cover items within the home, listings with descriptions and pictures must also be submitted.

Auto, Boat, Recreational Vehicle Insurance

  • To register for auto, boat, or recreational vehicle insurance, individuals must submit various information to insurance companies, including: vehicle information, names of all drivers to be covered, current coverages/limits, as well as personal information, including social security numbers and driver’s license numbers for all potential covered members. Additionally, individuals must submit to a driving history and potential background checks.

Life Insurance

  • To register for life insurance, individuals must submit personal information (again birthdate, social security number, etc.), current and past health history information, as well as information on income and assets.

Importance of Protecting the Data

  • The primary reason for protecting personal insurance information, which includes most importantly birthdates, social security numbers, driver’s license numbers, and financial information, is the same as it would be for any industry: to avoid identity theft and the fraud that follows.
  • Hackers have identified the wealth of private data collected by insurance companies, and in the last few years, data breaches of these companies have been on the rise, largely because they know “the insurance industry as one which handles extremely sensitive information,” and that it “has yet to put in place few measures to effectively safeguard itself and its customers from cyber-attacks.”

Research Strategy

We identified the types of data collected by insurance companies for various types of insurance. From this collection, we identified which of these would be most vital to protect based on the worst-case scenarios, which involve identity theft and fraud.

Part 03 of 56

Cybersecurity Vulnerabilities - Insurance Industry

Examples of cybersecurity vulnerabilities affecting firms in the insurance industry include phishing mail, ransomware, and DDoS attacks. While these are vulnerabilities that have been noted to be affecting the U.S. insurance industry specifically, overall, expert insights suggest that the same types of cyber risks often span geographic boundaries and boundaries between industries.

1: Phishing Mail

  • According to a 2019 report by EIOPA, phishing mail is among the most common cybersecurity incidents that are affecting insurers, with the term 'cyber incident' being defined as an event that "jeopardizes the cyber security of an information system."
  • Phishing mail works by directing unsuspecting users to a website that mimics that of the legitimate organization and then asks the user to update their credentials and personal identity information.
  • In September 2019, it was reported that a major phishing scam was affecting the U.S. insurance industry, as cyber criminals were posing as the National Association of Insurance Commissioners while sending fake emails to insurance industry personnel encouraging them to click on a dangerous download.
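The phishing pattern described in this section, a message whose links lead to a site mimicking the legitimate organization, can be screened for mechanically before a user ever clicks. The following Python script is an added example, not part of the original report or any vendor's product. It scans the anchors of an HTML email body for two warning signs: link text that displays one domain while the href points to another, and link domains that closely resemble a domain the organization actually uses. The domain names and the sample message are constructed placeholders.

```python
"""Flag suspicious links in an HTML email body (added example, constructed data)."""
from difflib import SequenceMatcher
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed: domains the organisation legitimately links to in its mail.
KNOWN_GOOD_DOMAINS = {"example-insurer.com", "portal.example-insurer.com"}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels reduction: portal.example-insurer.com -> example-insurer.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_domain(text: str) -> Optional[str]:
    """If the visible link text itself looks like a URL or hostname, return its host."""
    if " " in text:
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def analyze_links(html_body: str, known_good=KNOWN_GOOD_DOMAINS, threshold: float = 0.8):
    """Return a list of (finding, href, shown_text); an empty list means nothing suspicious."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    good = {registrable_domain(d) for d in known_good}
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname
        if not host:
            continue
        target = registrable_domain(host)
        shown = looks_like_domain(text)
        # 1. The displayed text names one domain but the href goes elsewhere.
        if shown and registrable_domain(shown) != target:
            findings.append(("text/href mismatch", href, text))
        # 2. The target is not a known domain but closely imitates one (lookalike).
        if target not in good:
            for g in good:
                if SequenceMatcher(None, target, g).ratio() >= threshold:
                    findings.append(("lookalike of " + g, href, text))
                    break
    return findings


# Constructed sample message; not a real phishing email.
SAMPLE_EMAIL = """
<p>Your policy document is ready.</p>
<a href="https://portal.example-insurer.com/docs">Open in the portal</a>
<a href="https://example-insurer-login.com/verify">https://portal.example-insurer.com/verify</a>
<a href="https://exarnple-insurer.com/update">Update your details</a>
"""

if __name__ == "__main__":
    for kind, href, text in analyze_links(SAMPLE_EMAIL):
        print(f"{kind}: {href!r} shown as {text!r}")
```

The first link in the sample is clean and produces no finding; the second is flagged twice (its text names the portal while the href goes to a different registrable domain, and that domain also scores as a lookalike); the third is flagged only as a lookalike ("rn" standing in for "m"). The similarity threshold is a tuning knob: lower values catch more imitations at the cost of flagging unrelated short domains, so it should be calibrated against the organization's real mail.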

2: Malware Infections (Ransomware)

  • According to a 2019 report by EIOPA, malware is among the most common cybersecurity incidents that are affecting insurers.
  • Ransomware blocks a user's access to their own personal data and threatens to publish it unless the user pays a ransom.
  • Chicago-based Stradley Ronan published a 2017 report on cyber attacks that target the insurance industry which noted that ransomware is "the fastest-growing malware across all industries" due to the fact that "little expertise is needed to launch the attack."

3: Denial of Service (DDoS)

  • According to a 2019 report by EIOPA, DDoS attacks are among the most common cybersecurity incidents that are affecting insurers.
  • A DDoS attack enables a hacker to shut down an online service by "overwhelming it with traffic from multiple sources."
  • Chicago-based Stradley Ronan notes in their 2017 report on cyber attacks targeting insurers that DDoS attacks are a top risk for the industry.

Research Strategy

To conduct this research, our team began by analyzing the cyber risks/vulnerabilities that are most commonly affecting insurance companies. The vast majority of information available related to this topic discusses the role of 'cyber insurance' in mitigating vulnerabilities for other types of firms. This posed a significant challenge in our attempt to locate information that talks about risks targeting insurers. Despite this, we were able to find some information that shines a light on this topic. The most credible, thorough, and recently published resource we could find that addresses this is a report published by EIOPA, a European organization, which provided a list of the most common vulnerabilities insurance companies are facing. Although sourcing information relevant to Europe was not ideal for this request, it was ultimately determined that this data could be used as a jumping-off point to further investigate whether these same factors are affecting the U.S. market. Further research concluded that this is indeed the case. This conclusion is further supported by statements made by industry expert, Siobhan O'Brien. O'Brien states: “The thing with cyber is it’s not predictable. It doesn’t respect geographic boundaries. Cyber risk happening in Europe could also be happening at the same time in the U.S., [and] it can hit every type of business at the same time.”

Additionally, some vulnerabilities identified in this request have also been corroborated in this report of the top cybersecurity vulnerabilities (in general), which was published in 2018 by Compuquip.

Part 04 of 56

Cybersecurity Compliance Standards - Insurance Industry

The New York Cybersecurity Regulations, The NAIC Insurance Data Security Model Law, The South Carolina Data Security Act, The Ohio Insurance Data Security Law, and The Michigan House Bill 6491 are five examples of compliance standards currently required/practiced in the insurance industry. Below are explanations of each standard, including an overview of what they entail.

The New York Cybersecurity Regulations

The NAIC Insurance Data Security Model Law

The South Carolina Data Security Act

The Ohio Insurance Data Security Law

  • The Ohio Insurance Data Security Law also borrows from the NAIC Model Law, with a few modifications. It became effective on December 19, 2018, when Ohio Governor John Kasich approved Senate Bill 273. The new law requires insurance entities and agents to protect policyholder data.
  • It also requires all Ohio licensees under the state’s insurance laws to create written information security programs (WISPs), unless exempted. They must also implement cybersecurity programs to protect business and individual data from cybersecurity breaches. Equally, these entities must establish response plans in the event an attack occurs.
  • The response plan includes investigating the breach and reporting the event, along with other relevant details to the state's Department of Insurance. The licensees must also notify the affected parties, i.e., businesses, stakeholders, customers, etc.

The Michigan House Bill 6491

Research Methodology

Your research team uncovered a list of three cybersecurity compliance standards in the insurance industry, along with reports indicating states that are passing new cybersecurity laws within the insurance industry. These reports had examples of cybersecurity compliance standards and details regarding them. We further expanded into searching for more information specific to these laws and regulations. Importantly, we downloaded a PDF file published by Greenberg Traurig, LLP, a renowned law firm in North America. The research team also uncovered other examples from law firms like Alston & Bird, LLP, HL Data Protection, and Thompson Hine, LLP. Overall, the core details of each compliance standard are analyzed above under respective subheadings.

Part 05 of 56

Meeting Compliance Standards - Insurance Industry

The New York Department of Financial Services (NYDFS) Cybersecurity Regulations and the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law for insurance companies are being observed diligently by US insurance companies like American National, 21st Century Insurance, Country Financial, AIG, State Farm Group, Liberty Mutual, and AAA Carolinas, among others. Relevant information about how insurance companies are meeting compliance standards for the Michigan House Bill 6491, South Carolina Data Security Act and The Ohio Insurance Data Security Law, even after exhaustive research, was not available. Below is an outline of our research strategies to better understand why the information requested is publicly unavailable as well as a deep dive into our findings.

Meeting Compliance Standards — Insurance Industry

1) NYDFS Cybersecurity Regulations

  • The US financial services companies and banks had until March 1, 2019, to modify and create processes that ensure their compliance with the NYDFS Cybersecurity Regulation.
  • To ensure that the 1,400 insurance companies regulated by the New York Department of Financial Services (NYDFS) abide by cybersecurity regulations, the NYDFS monitors their compliance.
  • Technical providers like OneSpan, a multi-factor authentication system, are already being used by insurance companies like American National, 21st Century Insurance, Country Financial, and AAA Carolinas, to comply with the NYDFS Cybersecurity Regulation.
  • As of December 2018, NYDFS reported that they received approximately 1,000 reports of cybersecurity events from regulated institutions, which complies with the Cybersecurity Regulation requirement that "regulated entities and licensed persons submit notices to the Department of cybersecurity events as defined in the regulation to include both successful and certain unsuccessful attempts."
  • The first certification deadline set by the NY Department of Financial Services for its Cybersecurity Regulations, February 15, 2018, was "successful and provided DFS with information from which we have been working to improve our processes."

2) The NAIC Insurance Data Security Model Law

  • As of August 2019, eight US states have adopted the NAIC Insurance Data Security Model Law: South Carolina, Ohio, Michigan, Mississippi, Alabama, Delaware, Connecticut, and New Hampshire, with Nevada and Rhode Island expected to follow once their legislation is enacted.
  • Although there are differences between the NAIC Insurance Data Security Model Law and the New York Cybersecurity Regulations, the drafters of the NAIC Model "included a drafting note indicating that a company that complies with the New York Cyber Regulation is also in compliance with the Model Law."
  • To comply with the NAIC Insurance Data Security Model Law, different insurance companies across the United States such as AIG, State Farm Group, and Liberty Mutual, continue to hire chief information security officers who are responsible for their cybersecurity programs and implementation of their cyber risk management required by the Model Law for compliance.

3) The Michigan House Bill 6491

  • Michigan House Bill 6491 was enacted on December 28, 2018, as the state's cybersecurity law applicable to insurance companies. Its effective date will not be until January 20, 2021.
  • The House bill was based on the NAIC Insurance Data Security Model Law, aside from significant differences, which include changing the breach notification deadline from 72 hours under NAIC's Model Law to 10 days in Michigan, and widening NAIC's exemption for smaller licensees from those with fewer than 10 employees and independent contractors to those with fewer than 25 employees and independent contractors in Michigan.

Research Strategy:

First, we reviewed the previous research regarding the "Cybersecurity Compliance Standards — Insurance Industry" analysis, and found that the compliance standards we are focusing on are The New York Cybersecurity Regulations, The NAIC Insurance Data Security Model Law, The South Carolina Data Security Act, The Ohio Insurance Data Security Law, and The Michigan House Bill 6491. For Michigan House Bill 6491, we searched for information about how insurance companies are complying with these standards by using the Michigan Department of Insurance and Financial Services as the most credible source, because it is the department responsible for insurance and financial institutions in the State of Michigan. We then found the public law's main information page and found that although it was enacted on December 28, 2018, its effective date won't be until January 20, 2021. We also only found information about cybersecurity examination forms and general cybersecurity prevention checklists, which doesn't help us address the issue. Therefore, we concluded that this compliance standard won't have any information yet regarding how insurance companies regulated by the State of Michigan Department of Insurance and Financial Services typically meet the compliance standards set by Michigan House Bill 6491, since the public law has a future effective date.

Second, we researched information regarding South Carolina Data Security Act and The Ohio Insurance Data Security Law by searching for their primary regulatory bodies on their individual state websites, which are the State of South Carolina Department of Insurance and State of Ohio Department of Insurance. Our goal was to find any update or report which provided information about how the insurance companies are meeting compliance standards. However, we did not find any relevant information. We only found presentations and reports about the public laws, and best practices of how to comply with them.

Third, we tried using triangulation by researching the top insurance companies for Ohio and South Carolina, through industry sources such as Insurance Information Institute, eHealth, and Reviews.com, among others. We found that some top insurance companies in South Carolina and Ohio are Allstate, Nationwide, Travelers, USAA, Berkshire Hathaway Inc., The Hartford, and Chubb, among others. We then searched their individual company websites for press release information or annual reports that would provide information on their compliance with the South Carolina Data Security Act and The Ohio Insurance Data Security Law. However, we did not find any relevant information. We only found cybersecurity solutions and services offered by the insurance companies, which are not in the proper context.

Part 06 of 56

Cybersecurity Trends - Insurance Industry

Notable cybersecurity-related trends in the United States insurance industry include the emergence of new state-level laws that insurers should comply with when they design cybersecurity systems, the emergence of cybersecurity solutions that are enabled by artificial intelligence or machine learning, and the emergence of data breaches and cyber attacks as the most important risk insurers face.

Emergence of New Cybersecurity Laws

  • Insurers in the country are hastening to comply with new state cybersecurity-related laws, as more and more states adopt the Insurance Data Security Model Law of the National Association of Insurance Commissioners (NAIC). Composed of insurance regulators from the country's states and territories, the NAIC is the organization that sets standards and regulations for the country's insurance industry.
  • Enacted in October 2017, the Insurance Data Security Model Law serves as a guide for states to follow when they draft cybersecurity-related bills. Quite similar to the cybersecurity rules enacted by the New York Department of Financial Services on March 1, 2017, it establishes the standards for both data security and "the investigation of and notification to the commissioner of a cybersecurity event."
  • South Carolina was the first state to adopt the model law. Its South Carolina Insurance Data Security Act became effective on January 1, 2019.
  • Michigan and Ohio have also enacted their own versions of data security laws for insurers. As of April 5, 2019, there were five states, including Connecticut, Mississippi, and New Hampshire, that were acting on the new model law.
  • In general, the model and state data security laws obligate insurers to document and implement information security programs, conduct complete risk assessments, and establish incident response plans. They also require insurers to notify state insurance commissioners of cybersecurity events within the specified notification period (e.g., 72 hours or 10 business days).
  • To prevent unauthorized remote access to their information systems, insurers are required to adopt multi-factor authentication. Other security measures stated in the NAIC model law include non-public information encryption on portable devices and during transit, audit trails, intrusion detection mechanisms, disaster recovery plans, business continuity plans, data retention plans, and data disposal plans.

Emergence of AI-Enabled Cybersecurity Solutions

  • Cybersecurity solutions that are enabled by artificial intelligence or machine learning are emerging in the country's insurance industry.
  • Current applications of these solutions include predictive analytics for the detection of suspicious network behavior and malware, advanced visualizations for incoming threats and network cybersecurity, and anomaly detection.
  • Aetna is one example of an insurer that has implemented a machine learning-enabled security system for its mobile and web apps. By examining how and where users use devices, the behavior-based security system provides another layer of protection apart from passwords and fingerprints.
  • AXA, a global insurer with operations in the United States, has partnered with Darktrace, a cybersecurity firm whose products are largely enabled by machine learning.
  • Forty percent of insurers in the country are investing in artificial intelligence, machine learning, and automation technologies, while 80% of insurers believe that advanced technologies are crucial in ensuring cybersecurity.

Emergence of Data Breaches as Most Important Risk

  • The prevention of cyber attacks and data breaches has become the most top-of-mind emerging risk among insurers in the country. Focus has shifted from natural catastrophes and climate change to cybersecurity and data breach.
  • Sixty percent of insurers have identified cybersecurity and data breach as the most important emerging risk. Only 20% of CEOs in the industry consider their companies prepared in case of a cybersecurity event.
  • The key cyber risks that insurers currently face include infrastructure vulnerabilities, identity theft, automated threats (e.g., credential cracking, denial of service, and vulnerability scanning), systemic infection due to a malicious code, and lawsuits. Typical threats relate to data theft, resource availability, and resilience, while less common threats include ransomware attacks and account takeovers.
  • Given the massive amounts of financial and personal data that insurers handle, insurers are unsurprisingly viewing data breaches as the top emerging risk or threat.
  • There is now increasing pressure on insurers to deliver both security and privacy by design, digitize, and leverage cloud and insurtech innovations.

Research Strategy

To identify notable trends in the country's insurance industry that are related to cybersecurity or cloud computing security, we browsed through numerous articles and reports covering cybersecurity in the United States insurance industry, and took note of common topics or themes. We focused on topics such as the solutions and technologies insurers currently use to protect themselves from cyber attacks, new laws that insurers should comply with when they design or modify cybersecurity systems, and shifts in insurer priorities as far as cybersecurity is concerned.

Part 07 of 56

Cybersecurity Breaches - Insurance Industry

The data breaches of First American Title Company, Premera Blue Cross, Ameritas, and Anthem Inc. are four examples of recent cybersecurity breaches in the insurance industry.

First American Title Company

  • First American Financial Corporation accidentally exposed personal data of its customers by failing to secure unique URLs to the data properly, allowing anyone to access the information by entering the right URL into a web browser.
  • The world's second-largest reported data breach exposed 885 million customer records, including financial and tax records, Social Security numbers, bank account numbers, and drivers’ license photos.
  • A study conducted by the Ponemon Institute in 2018 estimated the average cost to the company per stolen record to be about $150, so this breach is likely to cost First American as much as $132.75 billion ($150 * 885 million = $132.75 billion) in the coming years.
  • First American appeared to severely downplay the severity of the security breach, first saying that only 484 customer files had been affected by the breach, and stating a few months later that it "identified just 32 consumers whose non-public personal information likely was accessed without authorization."
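The First American exposure described above is the classic missing object-level authorization check: a document is reachable by a predictable identifier and the server never asks whether the requester is entitled to it. The Python module below is an added example, not First American's code or anything from the original report. It models the weak pattern beside a hardened one that verifies ownership, issues unguessable per-document tokens, re-checks ownership at download time (tokens leak through logs and forwarded mail; ownership does not), and records every refused request as an audit trail for detection. The users, document IDs and contents are constructed sample data.

```python
"""Object-level authorization for document download links (added example, constructed data)."""
import secrets
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Document:
    doc_id: int      # sequential id, as a legacy URL scheme might expose it
    owner: str       # account allowed to read the document
    content: str
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class DocumentStore:
    def __init__(self) -> None:
        self._by_id: Dict[int, Document] = {}
        self._by_token: Dict[str, Document] = {}
        self.denied: List[Dict[str, Any]] = []   # audit trail of refused requests

    def add(self, doc: Document) -> None:
        self._by_id[doc.doc_id] = doc
        self._by_token[doc.token] = doc

    # --- Weak pattern: /docs/<id> served with no ownership check ----------
    def fetch_vulnerable(self, doc_id: int) -> Optional[str]:
        doc = self._by_id.get(doc_id)
        return doc.content if doc else None

    # --- Hardened pattern: ownership check plus unguessable token ---------
    def link_for(self, user: str, doc_id: int) -> Optional[str]:
        """Issue a download path only to the document's owner."""
        doc = self._by_id.get(doc_id)
        if doc is None or doc.owner != user:
            self._deny(user, doc_id, "link request")
            return None
        return f"/docs/{doc.token}"

    def fetch_hardened(self, user: str, token: str) -> Optional[str]:
        """Resolve a token and check ownership again at access time."""
        doc = self._by_token.get(token)
        if doc is None or doc.owner != user:
            self._deny(user, token, "download")
            return None
        return doc.content

    def _deny(self, user: str, what: Any, stage: str) -> None:
        # A burst of denials from one account is the signal a detection rule keys on.
        self.denied.append({"user": user, "request": what, "stage": stage})


def build_sample_store() -> DocumentStore:
    """Constructed data: two customers, one closing document each."""
    store = DocumentStore()
    store.add(Document(1001, "alice", "Alice closing statement (SSN, bank acct)"))
    store.add(Document(1002, "bob", "Bob closing statement (SSN, bank acct)"))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    # Weak pattern: whoever supplies the next id reads Bob's record.
    print("vulnerable:", store.fetch_vulnerable(1002))
    # Hardened pattern: Alice gets no link to Bob's record and the refusal is logged.
    print("hardened link for alice:", store.link_for("alice", 1002))
    link = store.link_for("bob", 1002)
    print("hardened fetch for bob:", store.fetch_hardened("bob", link.rsplit("/", 1)[1]))
    print("denied attempts:", store.denied)
```

The token alone is not the control; the ownership comparison in `fetch_hardened` is, and the token only removes the enumeration shortcut. The `denied` list stands in for whatever the application logs: a single account generating many "link request" denials across consecutive IDs is the pattern a monitoring rule should alert on.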

Premera Blue Cross

  • An attack on Premera Blue Cross, which began in May 2014 and was reported by the company in March 2015, exposed data on customer claims, including clinical information, banking account numbers, social security numbers, birth dates and other personal information.
  • The attack exposed private records of over 11 million customers, who were mostly Washington state residents.
  • In 2019, Premera agreed to pay $74 million to settle a consolidated class action lawsuit related to the breach.
  • Premera first reacted by admitting that the breach occurred, but stating that it did not find "evidence that the stolen information has been used for malicious purposes".

Ameritas

  • Ameritas announced in 2019 that a phishing scam had affected several of its employees, exposing the personal information of some customers.
  • The company did not disclose how many customers were impacted by the breach, nor the financial cost incurred, only saying that it would disclose the information in the final notification to authorities.
  • Ameritas responded by immediately disabling access, deploying a company-wide password reset, and hiring Kroll Associates, a risk-consulting firm, to investigate the incident.

Anthem Inc.

  • Health insurance company Anthem Inc. was affected by a data breach in which hackers stole customers' personal data, including names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information.
  • The affected database contained up to 80 million customer records, but it did not contain credit card or medical information, according to the company.
  • One estimate suggested that the cost of the breach would very likely surpass $100 million, the amount covered by Anthem's cyber-crime insurance policy.
  • The company publicly apologized to customers, hired a top cybersecurity firm to investigate the breach, and said it would focus on improving security policies.

Part 08 of 56

Executive Summary - Cybersecurity in the Insurance Industry

Using the previously completed requests, we have prepared an executive summary of the cybersecurity analysis of the insurance industry, covering the importance of cybersecurity, data protection, vulnerabilities, compliance standards, how those standards are being met, trends, and breaches.

Executive Summary

Following is an Executive Summary of the Cybersecurity Analysis of the Insurance Industry.

In the insurance industry, cybersecurity is important due to the massive amounts of identity data that insurers collect on their customers, the widespread use of third party vendors and business partners, and the heightened regulatory requirements for security of insurance firms. In a survey of insurers, 62% reported that "data leakage or data loss prevention" was a high priority for their firm.

Insurance companies collect an enormous amount of data on each potentially-insured person and each insured person. This includes personal demographic data, personal financial data, health information, home and property information, and others. The most important pieces of this information to protect are the birth dates, social security numbers, driver’s license numbers, and financial data — as those are most vulnerable to becoming fodder for identity theft and fraud.

According to a 2019 report by EIOPA, malware is among the most common cybersecurity incidents that are affecting insurers. DDoS attacks are among the most common cybersecurity incidents that are affecting insurers.

The New York Cybersecurity Regulations, The NAIC Insurance Data Security Model Law, The South Carolina Data Security Act, The Ohio Insurance Data Security Law, and The Michigan House Bill 6491 are five examples of compliance standards currently required/practiced in the insurance industry. In 2017, the National Association of Insurance Commissioners (NAIC) also approved the Insurance Data Security Model Law, dubbed "the Model Law," which establishes compliance standards for data security, investigation, and reporting to the insurance commissioner.

As of August 2019, eight US states have adopted the NAIC Insurance Data Security Model Law. Technical providers like OneSpan, a multi-factor authentication system, are already being used by insurance companies to comply with the NYDFS Cybersecurity Regulation.
Notable cybersecurity-related trends in the United States insurance industry include the emergence of new state-level laws that insurers should comply with when they design cybersecurity systems, the emergence of cybersecurity solutions enabled by artificial intelligence or machine learning, and the emergence of data breaches and cyber attacks as the most important risk insurers face. 60% of insurers have identified cybersecurity and data breaches as the most important emerging risk. Only 20% of CEOs in the industry consider their companies prepared for a cybersecurity event.
The data breaches of First American Title Company, Premera Blue Cross, Ameritas, and Anthem Inc. are four examples of recent cybersecurity breaches in the insurance industry.





Part 09 of 56

Cybersecurity Importance - Energy & Utilities Industry

Three of the top reasons why cybersecurity is important for energy and utility companies are that the industry is a critical industry that supports many other sectors, the industry is the most vulnerable to attacks due to its complex supply chains and increasing grid modernization, and cybersecurity's ability to cut down on the cost of data breaches.

The Energy and Utilities Industry is a Critical Industry

  • The energy and utilities sector is considered to be one of the "most critical infrastructure in the world" and extremely pivotal to a well-functioning economy, especially in advanced countries.
  • According to the United States government, the energy and utilities sector is one of the 16 vital infrastructure sectors whose destruction or incapacitation will have adverse effects on national security and public health and safety.
  • The power sector of the energy industry is considered to be the single most critical sector that enables functions across all important infrastructure sectors. If the power grid system is subjected to cyberattacks, power will go out, bringing many critical day-to-day operations to a total standstill.

The Industry is the Most Vulnerable Sector to Cyber Attacks

  • The energy and utilities industry is also vulnerable to cybersecurity attacks. According to a UK survey, 75% of utility companies have experienced cyber attacks, with every single attack requiring an average of $156,000 to clean up.
  • Being a critical sector opens this sector to frequent attacks with far-reaching impacts even beyond the energy sector.
  • In the US, the energy sector is among the three industries most susceptible to cyberattacks, with the sector accounting for 20% of cyber breach incidents in 2016. According to the US Energy Secretary, attempted cyber intrusions into electric companies happen hundreds of thousands of times a day, with cyberattacks on the North American electric grid increasing in early 2018.
  • The vulnerabilities stem from the sector's reliance on complex supply chains that are difficult to manage. The utility workforce is also massive and largely works remotely or on-site, giving cybercriminals an avenue to impersonate workers, gain access to sensitive customer data, and send phishing emails to customers.
  • Another factor accelerating the energy sector's vulnerability to cyberattacks is grid modernization. While grid modernization and digitization have immense benefits for the industry, smart grids expand the attack surface and give attackers a number of routes into the grid system.
  • Smart grids also introduce commonly used applications and software and also automate functions at the interconnected grid system. This makes the grid more vulnerable and presents many entry points for hackers.
  • The energy and utilities sector is a critical industry whose compromise has far-reaching consequences. Coupled with the increasing vulnerabilities to cyber and phishing attacks, these are top reasons why cybersecurity is important to energy and utilities industry firms.

Cybersecurity Reduces the Cost of Data Breaches

  • The financial costs of cyber attacks are astronomical. According to Jason Staggs, from the University of Tulsa, it only takes a single attack on a single system that is transmitted throughout the larger power infrastructure to bring all operations to a stop.
  • In the case of a wind farm, hackers only need entry from one single point to spread a malicious attack throughout the wind farm.
  • Staggs, from his prior ethical hacking of wind farms, observed that when a wind farm ceases to work due to a cyberattack, it costs the utility company between $10,000 and $35,000 per hour.
  • The costs of a data breach on energy companies are directly proportional to the market size of the firms, i.e., the more significant the market size, the more losses a firm makes due to malicious attacks.
  • According to a detailed analysis of the cost of cybercrime in the US by Accenture, the utilities industry had the second-highest annual cost of cybercrime of all 16 analyzed sectors at $17.84 million in 2018, representing a 16% increase from 2017.
  • The cybercrime costs in the energy industry are also relatively high, standing at $13.77 million in 2018, up from $13.21 million in 2017.
  • Given the massive losses the energy and utilities sector can incur in the event of cybercrime, this is a top reason why cybersecurity is important for energy and utilities industry firms.
Part 10 of 56

Data Protection - Energy and Utilities Industry

Some types of data that energy and utility industry firms are trying to protect are consumer payment information, data related to cyber-physical systems (e.g. industrial control systems), data that may help facilitate future attacks (e.g. information network structure), proprietary information, and user credentials. A deep dive into these findings has been provided below.

1: Consumer Payment Information

Description of Data:

  • According to information management expert Gorkem Sevik, energy companies hold a lot of customer data, including payment information.
  • This type of data is often stored in multiple locations, such as CRM systems, operational systems, and big data environments.

Why Protection of this Data is Vital:

  • A breach of customer payment information can potentially enable hackers to gain access to a customer's bank account and can also be very costly for a company to rectify as well as damaging to their reputation.
  • For example, in 2013, Central Hudson Gas & Electric experienced a data breach that may have allowed hackers to access customers' auto-pay bank account data. The breach affected about 110,000 customers and subsequently required the company to provide each of them a "full year of complimentary credit monitoring."

2: Data Related to Cyber-Physical Systems

Description of Data:

  • According to a report published by the U.S. government, cyber-physical systems related to the U.S. energy sector are "engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components to generate, move, and distribute electricity efficiently."
  • An industrial control system (ICS) is one example of a cyber-physical system that the U.S. energy industry depends on. ICSs allow equipment to be physically operated through the use of digital controls.

Why Protection of this Data is Vital:

  • Cyber-physical systems have replaced systems that were once operated manually, which has made these systems increasingly vulnerable to attack, according to the U.S. government.
  • Additionally, because of the way ICS integrates with information and operational technologies, these networks "can become less secure over time," the government report states.
  • When hackers infiltrate cyber-physical systems, they can deposit viruses and malware that can disrupt the operations of these highly critical systems, which ultimately may lead to very costly consequences.

3: Data That May Help Facilitate Future Attacks

Description of Data:

  • According to industry experts, hackers who target energy companies are rarely doing so for the purposes of data theft (which is instead the primary goal of hackers who target retailers). Instead, utility and energy hackers are primarily focused on reconnaissance.
  • In this case, reconnaissance means that "the hackers are checking to see what systems they can breach, the type of information they could access, and where the vulnerabilities are; they can then store away the knowledge for an attack at a later date."
  • According to Ankura, during the reconnaissance stage, hackers aim to compile as much information as they can about their target. The types of information they are looking for include personnel lists, information about the network structure, and identifying system vulnerabilities that can potentially be exploited.

Why Protection of this Data is Vital:

  • Ankura notes that attackers use the information gathered at the reconnaissance stage of the attack to help them decide on the best method of compromising their target.
  • A logical assumption can be made that protecting this type of data is important when it comes to warding off and defending against future attacks.

4: Proprietary Information

Description of Data:

Why Protection of this Data is Vital:

  • A 2018 article published in the New York Times notes that energy companies tend to have a lot of proprietary information, including data about their exploration and production technologies, which makes energy companies a key target for hackers looking to take advantage of this type of information. Exposure of these details can subsequently lead to a compromise of vital equipment such as control valves and pressure monitors, which can have drastic consequences such as "explosions, spills, or fires," according to cybersecurity expert Andrew R. Lee.
  • A logical assumption can be made that theft of a company's proprietary information can also hurt a company's ability to compete in a market by exposing secret information that is critical to the company's growth and success.
  • While most data breaches and cyber attacks go unreported, there has been at least one reported case of a U.S. energy company (name undisclosed) that has had proprietary information stolen.
  • Another example is that of Telvent Canada (a close neighbor of the U.S.), in which hackers stole proprietary information about one of the company's products under development. It can be logically assumed that this was quite a costly loss given that the product focused on highly advanced technologies (smart-grid system integrations).

5: Credentials of System Users

Description of Data:

  • According to Techopedia, 'credentials' are used for identity verification and authentication. They confirm a user's identity as it relates to the system or network they are using.
  • IBM defines a 'user credential' as a "user name and password authentication token that is bound to a particular user."

Why Protection of this Data is Vital:

  • According to a 2019 report published by Ankura, most cyber attacks involve the hacker compromising user credentials during the initial system compromise. This is done after the attacker has vetted the most vulnerable system they want to attack (which they do during the reconnaissance stage, discussed above). Therefore, user credential data protection is vital because this data is the primary method used by hackers to initially compromise, or break into, a system.
  • In 2017, the Department of Homeland Security and FBI sent an alert to the energy industry warning that "‘advanced, persistent threat actors,’ a euphemism for sophisticated foreign hackers, were stealing network login and password information to gain a foothold in company networks."
  • According to a 2018 survey of utility companies, 84% said they "believe employee actions to be the most common reason for cyber attacks."

Research Strategy

This research was conducted through an analysis of industry and government reports, articles written by topical experts, and case studies. To determine the kinds of data that energy and utility industry firms are trying to protect, we first identified the type of data that energy and utility companies typically have a lot of or that are considered to be very critical to the company's operations, as this type of data can be logically assumed to be the most 'valuable' and therefore, worth protecting.

We also cross-referenced this understanding with an analysis of the types of data that energy and utility hackers are known to target or see as valuable. Next, for each type of data identified, we conducted research to understand why it's vital for energy and utility companies to protect that data. In doing so, we analyzed the potential consequences that can occur if this type of data is breached and further highlighted some of these consequences by including real-world case studies of situations where the energy/utility industry was impacted due to a breach of the data type.

This research has relied on some resources that were published as far back as 2016. This is primarily because there was a lot of discussion of this particular topic between 2016 and 2017, as there appear to have been some major incidents in the industry, with many investigations taking place and reports being published. However, the content of these resources still seems relevant, as the technologies and methods discussed within them are still widely used in the industry.
Part 11 of 56

Cybersecurity Vulnerabilities - Energy & Utilities Industry

Three examples of unique vulnerabilities for firms in the energy and utilities industry include electric grid modernization, supply chains and third parties, and industrial control systems. Information regarding these vulnerabilities has been provided below.

Electric Grid Modernization

  • There are many benefits of modernizing the grid; however, modernization gives hackers more routes they can use to attack utility systems.
  • Grids are becoming smart due to the devices and information and communication technologies that are embedded in them. As a result, the systems become complex and access points increase in number.
  • Utilities today are now adding information technologies, software, and automated functions in their operations. Consequently, the accessibility of their systems to adversaries has increased as modern electric grids utilize the internet for various functions.

Supply Chains and Third Parties

  • Power companies buy information, software, hardware, and services from various third parties around the world. As a result, threat actors can introduce compromised components into a network or system. These inclusions could be made by design or unintentionally.
  • For instance, "backdoors" that provide access to devices or software could be created either intentionally or unintentionally.
  • Such components could be introduced through software or firmware updates that are exploited to include malicious code. Moreover, the hardware installed in operating systems can also be compromised by adversaries.
  • According to the Department of Energy (DOE), several prominent vendors fail to acknowledge and address the vulnerabilities in their software.

Industrial Control Systems (ICS)

  • According to the DOE, industry professionals and cyber researchers have always identified ICS-related equipment vulnerabilities as being a threat to utility systems.
  • Devices that function or communicate with utility control systems pose threats to the electric grid.
  • Many automation components, such as microprocessor-based programmable logic controllers, carry their own software programming and manage network paths. These devices continue to be targets of cyberattacks since they provide access to control systems.
  • Public tools such as SHODAN, a search engine that identifies internet-connected devices such as industrial control system components, make these devices discoverable, which gives attackers an upper hand in finding and remotely probing a utility's supervisory control and data acquisition system for weaknesses.
Part 12 of 56

Cybersecurity Compliance Standards - Energy & Utilities Industry

The energy and utilities industry in the United States is working on two important aspects in the domain of cybersecurity — rising threats from external entities and meeting the compliance requirements of the Critical Infrastructure Protection (CIP) standards set in place by the North American Electric Reliability Corporation (NERC). The CIP standards consist of 11 standards, over 40 rules, and about 100 sub-requirements that cover the security protection of critical cyber assets, the security of electronic perimeters, security management, disaster recovery planning, and training of personnel in the energy sector.

Energy Policy Act

  • In 2005, the Energy Policy Act authorized the Federal Energy Regulatory Commission (FERC) to oversee the dependability of the nation’s power grid or bulk power system. The FERC is also responsible for approving cybersecurity and reliability standards.
  • The FERC certified the North American Electric Reliability Corporation (NERC) with the task of developing the Critical Infrastructure Protection (CIP) standards that focus on cybersecurity reliability requirements.

NERC's CIP Standards for Cybersecurity

  • Approved in January 2008 by the FERC, NERC’s CIP standards are set in place to be complied with by all cybersecurity professionals and firms that work within the energy and utilities industry in the United States.
  • With the rise in cybersecurity attacks on the nation’s electrical power grid over the years, NERC has been continually revising the CIP compliance standards to curb sophisticated external threats. In response to cyber-attack campaigns such as Dragonfly 2.0, Triton, and Industroyer, the NERC introduced new versions (version 5 and version 6) of the CIP standards that classify cyber assets by low, medium, and high impact. It was found that most of the nation’s generating power stations are classified as low impact assets.
  • The CIP compliance standards, as of November 2018, that are currently required in the energy and utilities industry in the United States are listed below.

CIP-002-5.1a: BES Cyber System Categorization

  • This compliance standard requires professionals in the energy and utilities industry to categorize and identify Bulk Electric Systems (BES) cyber systems along with the BES cyber assets associated with the systems "for the application of cybersecurity requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES cyber systems could have on the reliable operation of the BES".
  • The compliance also states that the categorization and identification of BES systems are found to support suitable protection against threats that could result in causing instability or misoperation in the BES.

CIP-003-6: Security Management Controls

  • According to this compliance standard, all professionals working within the energy sector would have to specify sustainable and consistent security management controls that initiate accountability and responsibility to safeguard BES cyber systems against threats that could result in causing instability or misoperation in the BES.
  • Cybersecurity leadership, policy, access control, exceptions, information protection, configuration management, and change control are aspects that are included in CIP-003-6. However, it was found that adherence to the sub-requirements in place under this compliance varies by impact rating, the criticality of cyber assets, and organization.

CIP-004-6: Personnel and Training

  • This compliance standard states that each entity working within the energy and utilities industry in the United States must ensure a suitable degree of personnel training, security awareness, and risk assessment in the support of securing BES cyber systems.
  • The CIP-004-6 necessitates that every professional having access to critical cyber assets must have an appropriate level of personnel assessments in terms of risk and awareness. The compliance also requires organizations to update, review, and document any/all training programs every year.

CIP-005-5: Electronic Security Perimeters

  • This compliance standard requires organizations/companies/professionals within the energy sector to manage BES cyber systems' electronic access by identifying a controlled Electronic Security Perimeter in order to protect BES cyber systems against threats that could result in causing instability or misoperation in the BES.
  • This standard focuses primarily on the efforts to curb vulnerabilities that are experienced during remote access. The electronic security perimeter includes components such as multi-factor authentication, patch updates, remote session encryption, anti-malware updates, and the use of EAP (extensible authentication protocol).

CIP-006-6: Physical Security of BES Cyber-Systems

  • In compliance with the CIP-006-6, all entities within the energy sector are required to specify their physical security plan to manage the physical access to any/all BES cyber systems. The goal of this compliance standard is to develop preventive controls that target the protection of access to cyber assets.
  • Requirements under the CIP-006-6 include a security plan (physical), maintenance, testing, log retention access, physical access logging, physical access monitoring, physical access controls, the security of electronic access control units, and protection of physical access control units.

CIP-007-6: System Security Management

  • This compliance standard requires all organizations within the energy sector to identify select operational, procedural, and technical requirements in support of managing BES cyber systems. Under this standard, organizations are required to develop, execute, and maintain procedures and processes for securing systems for both non-critical and critical cyber assets.
  • Entities working within the energy and utilities industry must also document all security measures such as records of ports and services, test procedures, malicious software prevention, and security patch management.

CIP-008-5: Incident Reporting and Response Planning

  • The CIP-008-5 necessitates "mitigation of the risk to the reliable operation of the BES as the result of a cybersecurity incident by specifying incident response requirements". According to this standard, every security incident that is related to critical cyber assets must be determined, categorized, responded to, and reported in an appropriate form required by the NERC.

CIP-009-6: Recovery Plans for BES Cyber-Systems

  • This compliance standard requires the reliability functions that are executed by BES cyber systems to be specified via a recovery plan in the "support of the continued stability, operability, and reliability of the BES".
  • According to this standard, all critical cyber assets must include recovery plans that line up with the operations of the energy organizations and are coherent with the best practices of disaster recovery. Aspects such as recovery plan, backup process, change control, restoration processes, and media testing are the requirements of this standard.

CIP-010-2: Configuration Change Management and Vulnerability Assessments

  • The CIP-010-2 standard states the requirement of detecting and preventing unauthorized system changes to BES cyber units by identifying vulnerability assessment and configuration change management requirements.

CIP-011-2: Information Protection

  • This compliance standard essentially requires organizations to avert unauthorized access to any BES cyber systems data by identifying information protection requirements. Applicable systems under this standard include high impact BES cyber systems, medium impact BES cyber systems, electronic access control systems, physical access control systems, and protected cyber assets.

CIP-014-2: Physical Security

  • The purpose of this standard is to identify and protect transmission stations, substations, and their corresponding primary control centers that, if damaged or rendered inoperable by a physical attack, could cause instability, uncontrolled separation, or cascading within an interconnection.
  • According to this standard, every transmission station/sub-station owner must perform initial risk assessments such as a transmission analysis and subsequent risk assessments on a monthly and bi-monthly basis.
Part 13 of 56

Meeting Compliance Standards - Energy & Utilities Industry

Eleven cybersecurity compliance standards subject to enforcement have been identified in the energy and utilities industry by previous research. The North American Electric Reliability Corporation (NERC) is the regulator charged with enforcing them. In 2019, NERC reported 136 standard violations, including 83 from a single entity. Most of these violations were classified as medium risk.

North American Electric Reliability Corporation (NERC)

Critical Infrastructure Protection (CIP) standards

  • 11 cybersecurity compliance standards have been developed by NERC to be applied to the Energy & Utilities Industry.
  • These standards are all subject to enforcement by the NERC, and sanctions can be issued in case of non-compliance.

CIP standards violations

  • Despite these cybersecurity standards being subject to enforcement, some of the largest companies in the U.S. energy and utility sector have been found to repeatedly violate them.
  • These companies include Duke Energy, PG&E, and DTE Energy.
  • They have recently been sanctioned by NERC for non-compliance to the CIP standards.
  • Duke Energy agreed in February to pay a $10 million fine to NERC, the largest sanction given by the regulator for cybersecurity standards breaches.
  • The previous record was a $2.7 million fine handed to California's Pacific Gas & Electric in 2018.
  • Duke Energy was identified as the guilty entity by news reports despite not being named by the regulator.
  • The company has been found guilty of 127 violations that took place between 2015 and 2018.
  • These included a majority that was self-reported and 16 uncovered by NERC CIP audits.
  • CIP violations by Duke Energy were deemed to have increased cybersecurity risks, due to their repetition, length, and scale.
  • The company and its subsidiaries were found to have violated at least three types of CIP standards, including CIP-010-2: Configuration Change Management and Vulnerability Assessments, CIP-011-2: Information Protection, and CIP-014-2: Physical Security.

New Measures to Force Compliance

  • Following poor compliance by energy and utility companies, the regulator is currently considering making the names of violators public to discourage violations.
  • Currently, they are kept confidential to encourage self-disclosure.
  • Utilities and their trade associations are strongly opposed to the naming system, arguing that it would contribute to exposing grid vulnerabilities.

Conflicts of Interests

  • According to Tyson Slocum, director of advocacy group Public Citizen's Energy Program, NERC's committees and boards include people with close ties to utilities, creating a potential conflict of interest, and influencing the way utilities are supervised by the regulator.
  • The advocacy group is pushing for a change in oversight policy by NERC, including naming the violators, moving away from self-regulation, and increasing funding to boost oversight and compliance.

Reasons for Non-Compliance

  • According to Slocum, the first reason for non-compliance is due to costs, and companies that need to maximize shareholder return do not consider cybersecurity protection as a priority.

NERC Enforcement Actions 2019

  • In 2019, NERC enforced actions on 18 occasions between the 25th of January and the 31st of October.
  • All violations come under the following 11 CIP standards.
  • A total of 136 CIP standard violations have been recorded by NERC in 2019, including 83 from an unnamed entity reported to be Duke Energy.
  • 6 of these violations were deemed high-risk, 125 as medium risk, and 5 as low risk.

CIP-002-5.1a: BES Cyber System Categorization

CIP-003-6: Security Management Controls

CIP-004-6: Personnel and Training

CIP-005-5: Electronic Security Perimeters

  • 13 medium risk violations of this standard have been found in 2019 including 9 violations by an unnamed entity reported to be Duke Energy.

CIP-006-6: Physical Security of BES Cyber-Systems

  • 17 medium risk violations of this standard have been found in 2019 including 12 violations by an unnamed entity reported to be Duke Energy.

CIP-007-6: System Security Management

  • 28 medium risk violations of this standard have been found in 2019 including 12 violations by an unnamed entity reported to be Duke Energy.

CIP-008-5: Incident Reporting and Response Planning

CIP-009-6: Recovery Plans for BES Cyber-Systems

  • 1 medium risk and 2 lower risk violations of this standard have been found in 2019, all of them by an unnamed entity reported to be Duke Energy.

CIP-010-2: Configuration Change Management and Vulnerability Assessments

  • 33 medium risk violations of this standard have been found in 2019, including 21 by an unnamed entity reported to be Duke Energy.

CIP-011-2: Information Protection

  • 10 medium risk and 1 lower risk violations of this standard have been found in 2019, including 5 by an unnamed entity reported to be Duke Energy.

CIP-014-2: Physical Security




Part 14 of 56

Cybersecurity Trends - Energy & Utilities Industry

Notable cybersecurity trends in the U.S. energy and utility industry include increasingly sophisticated energy and utility hackers, an increasing number of utility companies hiring a CISO (chief information security officer), and increasing adoption of end-to-end detection and response systems that focus on training every employee in the organization to identify potential threats. A deep dive into these trends has been provided below.

#1: Rapidly Increasing Sophistication Among Energy & Utility Hackers

  • In recent years, hackers have been motivated by political ideologies to focus on disrupting the electric grid in the United States, according to energy industry research expert, Jason Rodriguez of Zpryme, an energy industry research firm. Deloitte corroborates these findings by noting that the power sector is "one of the most frequently targeted" and that these attacks are evolving to become more invasive and complex.
  • According to a 2018 survey of over 1,735 utility operatives, 58% said they had recently suffered a "significant cyber attack," and 84% said they "believe employee actions to be the most common reason for cyber attacks."
  • To combat this, the United States energy industry has created a public-private partnership in an effort for the industry to adopt the Cyber Security Capability Maturity Model (C2M2) which aims to help organizations "evaluate, prioritize and improve their own cyber security capabilities" and provides a "common language and appropriate initiatives that non-technical decision makers can readily use to combat the issue."

#2: An Increasing Number of Energy and Utility Companies are Hiring CISOs

  • Jason Rodriguez says that it's becoming more common for energy companies to hire a chief information security officer (CISO), whose responsibilities are to "defend and respond rapidly to cyber attacks."
  • This trend makes sense given that a recent survey of utility companies found that 53% of utility companies now have a security operations center and 35% say that a lack of awareness among their executive team inhibits the organization's cyber security effectiveness.
  • Deloitte notes that one critical area where CISOs will need to establish control is reducing risk in supply chains; currently, most CISOs have no control in this area, yet it is an area favored by sophisticated attackers.

#3: Increasing Adoption of End-to-End Detection and Response Systems

  • Jason Rodriguez notes that in recent years the idea has spread that cybersecurity threat detection and response should be a company-wide effort, in which all employees play a role in defining and responding to cyber attacks.
  • This trend aligns with recent survey findings which reveal that 89% of utilities feel that their "existing cyber security solutions are not fully effective" and 39% say that their organization lacks a sufficient communication plan when it comes to dealing with cyber attacks.
  • This trend appears likely to continue into the foreseeable future. As cybersecurity expert Ray Rothrock notes, "Hackers are already likely sitting in various U.S. utility systems and reconnoitering, in what the Department of Homeland Security calls an Advanced Persistent Threat mode." While most utility systems are fairly simple, they have become more complex over time as utility organizations have grown and have "probably not kept up to date in terms of the latest thinking and architecture." Rothrock believes that these organizations will need to develop a "true culture of basic cyber hygiene," which will involve continuously training staff to be aware of and manage threats.

Research Strategy

To identify notable cybersecurity trends in the energy and utility sector of the United States, research was conducted across a number of reports and trusted media articles written by industry experts on this specific topic, as well as survey data that further supports the notability of these trends. Overall, priority was given to trends that were being widely discussed by experts and that were supported by quantitative data. Only information relevant to the United States was provided.

Part 15 of 56

Cybersecurity Breaches - Energy & Utilities Industry

The cybersecurity breaches of sPower, Duke Energy Corp, Onslow Water and Sewer Authority (Onwasa) and Dragonfly Energy Sector Cyberattack are four examples of recent cybersecurity breaches in the Energy & Utilities industry.

#1. Salt Lake City-based sPower "Denial of Service" Attacks

  • On March 5, power grid control systems in Utah, Wyoming, and California were hit by a "denial-of-service" attack that disabled Cisco Adaptive Security Appliance devices.
  • The breach caused the utility's supervisory control and data acquisition (SCADA) system to temporarily lose visibility of generation sites totaling 500 megawatts.
  • The firm reported no financial loss, since the hackers did not cause any blackouts or generation outages; after reviewing log files, it found no evidence of a breach beyond the denial-of-service attack.
  • The Department of Energy (DOE) issued a statement showing that sPower reported the breach but did not provide any information on how it reacted, since the incident had no impact on its operations.

#2. Dragonfly Energy Sector Cyberattack

  • The Dragonfly (aka Energetic Bear) cyberattack occurred when hackers breached utility industrial control system (ICS) firewalls in the United States, Turkey, and Switzerland and copied configuration information and interface screens.
  • The impact of the breach was that the hackers conducted reconnaissance inside the systems and assessed the control systems' design vulnerabilities and capabilities.
  • No financial loss was reported, since the hackers only copied configuration information and interface screens.
  • Investigators believed this was an information-gathering phase that could be laying the groundwork for future attacks.

#3. Onslow Water and Sewer Authority (Onwasa) Ransomware Attack

  • In October 2018, hackers encrypted several Onslow Water and Sewer Authority (Onwasa) systems in a ransomware attack while the company was recovering from Hurricane Florence, causing a loss of data.
  • The ransomware breach forced the company to disconnect from the internet and resort to using a single utility services computer; service orders had to be printed and distributed to workers before they left for the day.
  • The firm is reported to have spent an estimated $277,000 on recovery and on changing its defense systems, with billing, new service orders, and other office functions being done manually.
  • The firm responded by disconnecting from the internet and reaching out to cybersecurity experts and the military to help with its investigation and the restoration of services.

#4. Duke Energy Corp Cyber Attack

  • In March 2018, a cyberattack at Duke Energy Corp affected the operations of at least four natural gas pipeline companies with digital connections to Energy Services Group (ESG), after the electronic data interchange (EDI) platform provided by ESG subsidiary Latitude Technologies was hacked.
  • The breach forced the companies to cut off digital connections to Massachusetts-based Energy Services Group (ESG), which affected billing, scheduling, and document sharing by oil companies, electric utilities, and gas pipeline operators.
  • The firm is reported to have agreed to pay $10 million in fines for lapses and violations of security standards dating back to 2015.
  • The firm responded by disconnecting its digital connections to Energy Services Group (ESG) and contracted a "leading cyber forensics firm" to help restore operations.

Part 16 of 56

Executive Summary - Cybersecurity in the Energy & Utilities Industry

Using the previously completed requests, we have compiled an executive summary of the cybersecurity analysis of the Energy & Utilities Industry, covering the importance of cybersecurity, data protection, vulnerabilities, compliance standards, meeting standards, trends, and breaches.

Executive Summary

  • Following is an Executive Summary of the Cybersecurity Analysis of the Energy & Utilities Industry:
Due to the impact and financial cost to the industry, cybersecurity is a major concern for the energy and utilities sector. The sector is considered to be one of the "most critical infrastructure in the world" and extremely pivotal to a well-functioning economy. The energy and utilities sector is one of the 16 vital infrastructure sectors whose destruction or incapacitation would have adverse effects on national security and public health and safety.
Electrical grids are becoming smarter due to the devices and information and communication technologies embedded in them. As a result, the systems become more complex and the number of access points increases. Because power companies buy information, software, hardware, and services from various third parties around the world, threat actors can introduce compromised components into a network or system.
Energy and utility companies are trying to protect consumer payment information, data related to cyber-physical systems, data that may help facilitate future attacks, proprietary information, and user credentials.
The energy and utilities industry is concerned with the rising threats from external entities and meeting the compliance requirements of the Critical Infrastructure Protection (CIP) standards set in place by the North American Electric Reliability Corporation (NERC). There are 11 standards, over 40 rules, and about 100 sub-requirements that include the security protection of critical cyber assets, disaster recovery planning, and training of personnel in the energy sector.

In 2019, NERC reported 136 standard violations, most of which were classified as medium risk. The standards are all subject to enforcement by NERC, and sanctions can be issued in case of non-compliance. Due to poor compliance in the industry, the regulator is currently considering making the names of violators public to discourage violations. Utilities and their trade associations are strongly opposed to the naming system, arguing that it would contribute to exposing grid vulnerabilities.
In response to the increase in sophisticated hackers, companies are increasingly hiring chief information security officers and adopting end-to-end defense and response systems that focus on training employees to identify potential threats.

The cybersecurity breaches of sPower, Duke Energy Corp, Onslow Water and Sewer Authority (Onwasa), and the Dragonfly Energy Sector Cyberattack are recent cybersecurity breaches in the Energy & Utilities industry. The breach at Duke Energy forced the companies to cut off digital connections to Energy Services Group (ESG), which affected billing, scheduling, and document sharing by electric utilities and gas pipeline operators.



Part 17 of 56

Cybersecurity Importance - Healthcare Industry

The top three reasons cybersecurity is important to the healthcare industry are: the loss of credibility and the financial impact of patient data leaks; the increased reliance on data owing to the efficiency gains and cost savings it delivers (and therefore the need for greater data protection); and the greater need for efficient care to manage a growing population.

To Avoid Losses from Patient Data Leaks

  • A large proportion of consumers (88%) "trust their physicians or other healthcare providers to keep digital healthcare data secure".
  • One in two data breaches in the healthcare industry is related to identity theft. Hackers sell the data on the black market, where it is later used by identity thieves, for Medicare fraud, or for other financial gain.
  • In 2016, one in four consumers had their healthcare information stolen. Individuals who experience identity theft lost an average of $2,528 per incident.
  • Other than a loss of credibility, leaked patient data can result in costly legal proceedings or even the death of a healthcare enterprise.
  • The cost of a data breach in healthcare is the highest across all organizations. The per record cost of a data breach by industry: Healthcare ($408), financial ($206), technology ($170), education ($166), and communication ($128).
  • However, spending on cybersecurity in healthcare is only 4-7% of the total IT budget, compared to 10-14% across industries.
  • The healthcare system in the United States lost $6.2 billion owing to data breaches; the average cost of a data breach to a healthcare organization is $2.2 million.

IT Saves the Industry Millions

  • The use of technology has brought about great efficiency in the healthcare system. Medical professionals can do more in 8 hours than they did in 12 hours 20 years ago. Technology has made it easier to exchange information with peers.
  • The digitization of health records has led to better patient care, an easier and more efficient workflow -- computerized systems consume less time than paper-based ones -- and 3% lower healthcare costs for outpatient care. Further, EHR data can be analyzed to bring about greater cost and labor efficiency.
  • As documents are saved over the network or cloud (instead of paper), more space has opened up for equipment and beds.
  • Ambulatory EHRs result in savings of $44 billion a year, and the increased adoption of AI in healthcare is expected to save $150 billion a year by 2026. The increased reliance on EHR systems, big data, and artificial intelligence requires safer storage and more robust cybersecurity.

Efficient Care is Key to Meeting the Needs of a Growing Population

  • As patient data is now stored on networks, doctors spend less time on paperwork and more time understanding patient concerns. However, despite efficient practices, doctors struggle to keep up.
  • Managing a larger population will require more efficient practices. Efficiency can be brought about by greater technology adoption (such as artificial intelligence) and fewer disruptions at work from cyberattacks. Cyberattacks impair healthcare providers' ability to provide care and to exchange information with other healthcare entities.
  • The senior (65+) population in the United States is expected to grow from 52 million in 2018 to 95 million in 2060; the proportion of the senior population will rise from 16% to 23% in the same period.
  • Operational downtime is the most common impact of a cyberattack. Not only does the downtime result in lost time, it compromises the safety of patients in critical care.

Research Strategy

We used multiple sources that list the top reasons (or the major reason) cybersecurity is important to healthcare providers and, based on the frequency of occurrence, we listed the top three reasons. For this purpose, we used sources such as Healthworks Collective, Healthcare Dive, Info Guard Security, Core PHP, Absolute, and the Healthcare and Public Sector Coordination Councils. Some sources -- Healthworks Collective, Info Guard Security, and Core PHP -- list the same three or four key reasons for healthcare organizations to use cybersecurity. Given that multiple credible sources list the same reasons (in the same words or differently), we have provided those as the top reasons. Other sources, such as Absolute, Healthcare Dive, and the Healthcare and Public Sector Coordination Councils, focus mainly on the loss of credibility and money from patient data leaks as the major reason cybersecurity is important in healthcare. Sources older than two years (from Feb 2017) have been used to corroborate findings that are already supported by more recent publications.

Part 18 of 56

Data Protection - Healthcare Industry

A huge variety of data is collected by healthcare organizations on patients/users. This includes personal demographic data, the most important of which are name, address, and birthdate; personal financial data, the most important of which are social security number and debit/credit card information; personal health data, any piece of which could be considered most important depending on who is stealing it; sociological/psychographic data, the most important of which are privacy-sensitive items like serious disease information or addiction-related data; and a person’s shadow health record, all of which could be seen as highly vital to protect, depending on how the stolen information could be used. It is vital to protect these main pieces of data to ensure that identity theft and subsequent fraud do not occur.

General Data Collection & Use by Healthcare Organizations

  • Healthcare providers and insurers collect huge amounts of personal data on patients and users of their programs/systems/plans. Insurance providers use this data in modeling scenarios to determine which of their insured are likely to need which services. In this way, they monetize the data by increasing rates in the areas most likely to be used most often.
  • Additionally, healthcare organizations use this vast amount of data to identify patients who may be at greater risk for an illness or disease, and take steps to enable preventive care.
  • Some of these firms, like UnitedHealth Group for example, are empowered to legally sell portions of that data (that which isn’t protected under HIPAA and other data privacy laws) to companies who use the information for everything from “designing new drugs to pricing your insurance rates to developing highly-targeted advertising.”
  • In addition to specific data, healthcare organizations can sell off (and buy) anonymized data sets, though alarmingly, “even when personal health data is formally anonymized in accordance with privacy rules, research has shown that such data can still be de-anonymized and linked” back to individual patients.

Importance of Protecting the Data

  • The primary reason for protecting patient/user personal data is to avoid identity theft or other types of fraud against the person. Hackers steal personal information and either use it to open fraudulent accounts, take out loans, file fake tax returns, or make exorbitant purchases all of which can haunt the person whose information was stolen for the rest of their lives.
  • “Protecting your medical identity is a burden that falls on the victim,” and is vital since identity theft leads to a lifetime of monitoring and credit issues.

Personal Demographic Data

  • Healthcare organizations collect a variety of personal data from patients/users, including gender, ethnicity/race, language(s) spoken, age, height, weight, etc. They also collect a person’s address, phone number, birthdate, and next of kin information.
  • Other organizations collect information on patient beneficiaries’ demographic (and other personal data), as well.

Personal Financial Data

  • Medical providers, insurance companies, and various other healthcare organizations typically collect a patient’s social security number and personal financial data either through a credit/debit card, personal checks, or through direct connections with a person’s bank. This information can lead directly to a person’s credit history and connections.
  • Some healthcare organizations collect information on health-related insurance claims, Medicare or Medicaid claims, hospital claims, and other related information, like appeals, if any.

Personal Health Data

  • Medical histories are collected by doctors and insurance companies (and even by some apps!). This includes past and current surgeries, illnesses, injuries, and conditions, as well as allergies and test results, among other data.
  • Lab test or imaging results for patients are also kept and tracked by some health organizations (like medical providers and insurers).
  • Additionally, some organizations (or even products, like FitBits) collect real-time biometric data from patients/users, especially those who are on disease- or illness-management programs.
  • If a person has ever had cancer or some other long-term or chronic illness, there are collections of data on that person’s treatment plans, drug regimens, and recovery rates.

Personal Sociological / Psychographic Data

  • Other data often collected through various means by healthcare organizations include sociological and psychographic data, like addiction (and treatment) histories, incidences of sexual assault and violence, and others.
  • Data collected can also include “cultural lifestyle patterns,” which includes things like “food choices and smoking habits.”
  • Some organizations, apps, etc. collect geospatial data on their patients/users; this is often used to geo-target marketing materials to particular audiences based on their current locations.

“Shadow Health Record”

  • Data that falls outside of HIPAA protections, but is often collected by healthcare organizations includes “alternative data” that is sometimes called the “shadow health record.” This data includes things like “credit scores, court documents, smartphone locations, sub-prime auto loans, search histories, app activity, and social media posts,” among other data.
  • A person’s shadow health record can be drawn from myriad sources, including things like a person’s transactions at their gym, local vape shop, health food stores, as well as “interactions with websites, sleep trackers, medical devices, internet-connected exercise bikes, smartwatches, wearable fitness trackers, blood glucose monitors, pacemakers, and the wide, wide world of wellness apps.”

Research Strategy

We identified the types of data collected by various healthcare and healthcare-related organizations. From this collection, we identified which of these would be most vital to protect based on the worst-case scenarios, which involve identity theft and fraud.

Part 19 of 56

Cybersecurity Vulnerabilities - Healthcare Industry

Cybersecurity poses unique challenges to each industry with varying levels of intensity, and the healthcare sector is probably the most affected. Details of some of the vulnerabilities that are specific to healthcare are given below.

1. EHR Theft

  • Electronic Health Records (EHRs) are sold for as much as $50 on the black market, whereas financial data (e.g. credit card and social security numbers) sells for only $1; this makes EHR theft a notable cybersecurity vulnerability.
  • Since EHRs contain all of a patient's information (e.g. ID, credit card number, insurance, etc.) and health record (e.g. medical reports and prescriptions), the information can be misused to file medical insurance claims through the insurance provider or to purchase equipment and/or medication for resale.
  • EHR theft is more serious than credit card theft or any other data breach because it takes longer to detect than other forms of data theft, which gives cybercriminals the time they need to exploit the stolen information.

2. IoT Exploitation

  • The Internet of Things has a long list of benefits to offer, but it offers a number of cybersecurity vulnerabilities at the same time, e.g. data privacy and security.
  • Implantable and wearable IoT devices used in healthcare, e.g. insulin pumps, monitors, pacemakers, etc., are always at risk of cyberattacks.
  • The real vulnerability of these devices is their inability to support an endpoint security agent, which leaves them openly exposed to malicious activity.

3. Mobile Devices

  • Mobile devices add to the vulnerability of a healthcare firm and make them prone to data breaches.
  • As per a recent BMC Medicine study, 66% of mobile "health apps that send identifying information over the Internet don’t use encryption while 20 percent don’t have a privacy policy."
  • This falls under the BYOD (Bring Your Own Device) policies set by healthcare organizations, and these policies need to be made stricter.

4. Ransomware

  • Ransomware is a problem for every industry; however, healthcare is probably the most affected, since its effects are far-reaching and can cause severe financial damage to the affected organization.
  • If a retail store were hacked and its Point of Sale (POS) system locked up, the company might lose money on the order of millions of dollars; however, if hackers were able to lock down medical devices, the effects would be far worse.
  • "Citrix Chief Security Strategist Kurt Roemer said that ransomware has been “extremely pervasive” within healthcare, and that it really speaks to the model in which most healthcare providers are operating."

Research Strategy

Although cybersecurity issues are common across all industries, their implications are specific to each industry. We have identified cybersecurity vulnerabilities that may be considered vulnerabilities in industries other than healthcare as well; however, the implications are specific to healthcare. The insights identified may not be specific to the US; they are generic insights that apply to the US and may apply to other countries/regions as well.

Part 20 of 56

Cybersecurity Compliance Standards - Healthcare Industry

To determine the current compliance standards for cybersecurity in the US, we went to the source, the US Department of Health & Human Services, which has provided an excellent overview of the requirements of the so-called HIPAA Security Rule, of which an overview (supplemented by commentary from other sources) can be found below.

The HIPAA Security Rule Overview

  • The primary guiding rule for cybersecurity in healthcare is the HIPAA Security Rule, aka the Security Standards for the Protection of Electronic Protected Health Information.
  • One of the major goals of the Security Rule is to enable healthcare organizations "to adopt new technologies to improve the quality and efficiency of patient care" while still safeguarding the privacy of individuals.
  • Covered entities must ensure that any e-PHI (electronic protected health information) that they create
  • "Confidentiality," in this context, means that e-PHI must not be available or disclosed to unauthorized persons.
  • "Integrity" means that "e-PHI is not altered or destroyed in an unauthorized manner."
  • At the same time, e-PHI must be available and usable on demand by an authorized person.
  • The Security Rule is scalable, which means that healthcare entities must continue to review and modify their policies and procedures as they continue to grow.

Risk Analysis

  • Covered entities are required "to perform risk analysis as part of their security management processes... to determine which security measures are reasonable and appropriate."
  • Proper risk analysis includes (but is not limited to) the following (quoted verbatim):
    • Evaluate the likelihood and impact of potential risks to e-PHI;
    • Implement appropriate security measures to address the risks identified in the risk analysis;
    • Document the chosen security measures and, where required, the rationale for adopting those measures; and
    • Maintain continuous, reasonable, and appropriate security protections.
  • More complete guidance on conducting a proper risk analysis can be found here.

Administrative Safeguards

  • Administrative Safeguards are defined by HIPAA as, "Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information."
  • Administrative Safeguards must be put into place in the following areas:
    • Security Management Process
    • Security Personnel
    • Information Access Management
    • Workforce Training and Management
    • Evaluation

Physical Safeguards

  • Physical safeguards, which "involve access both to the physical structures of a covered entity and its electronic equipment," are also key to the Security Rule.
  • Physical safeguards can be divided into two key areas:
    • Facility Access and Control
    • Workstation and Device Security

Technical Safeguards

  • Technical Safeguards, which encompass the policies and procedures surrounding the healthcare organization's use of technology as well as the technology itself, must be established in the following areas:
    • Access Control
    • Audit Controls
    • Integrity Controls
    • Transmission Security

Organizational Requirements


Documented Policies and Procedures

  • The Policies and Procedures and Documentation Requirements essentially state that a covered entity must maintain, for up to six years after the creation date or last effective date, "written security policies and procedures and written records of required actions, activities or assessments."
  • To quote the AMA, "Policies may be changed at any time, so long as the accompanying documentation is also updated. Regulations require periodic review of policies and responses to changes in the ePHI environment."

Part 21 of 56

Meeting Compliance Standards - Healthcare Industry

According to one cybersecurity expert, 2019 saw a 300% increase in cyberattacks on healthcare systems, incentivized in great part by the fact that healthcare records are among the most valuable on the black market, worth up to $500 per record. Despite this, the healthcare industry has proven woefully behind in implementing all aspects of the HIPAA Security Rule, as detailed below.

Most Common HIPAA Violations

According to a recent presentation by the HHS Cybersecurity Program, of the ten most typical HIPAA violations, the overwhelming majority involve Security Rule violations (quoted verbatim):
  • Risk Analysis was not thorough
  • Lack of safeguards
  • Failure to report a breach
  • Use and disclosure issues
  • Missing or deficient policies and procedures
  • Outdated or insufficient training
  • Inconsistent access monitoring
  • 3rd party disclosure
  • Lost or stolen device — laptop, USB, smartphone
  • Lack of encryption

Risk Analysis

  • Most healthcare organizations conduct regular risk assessments:
    • 14.6% every two or more years
    • 45.5% annually
    • 5.6% biannually
    • 10.7% quarterly
    • 9% monthly
    • 9.6% daily
    • 5.1% did not perform risk assessments at all
  • However, not all assess every aspect of their security:
    • 74.7% assess the network
    • 73.5% assess security awareness and training programs
    • 71.1% assess physical security
    • 69.3% perform asset inventories
  • As a result of these risk assessments:
    • 83.1% adopted new or improved security measures
    • 65.1% replaced or upgraded security solutions
    • 56.6% replaced outdated hardware, software, and/or devices
    • 2.4% deemed no further actions were necessary

Administrative Safeguards

  • While IT incidents were the leading cause of data breaches in 2018 (45.9%), unauthorized access and disclosure (35.9%), along with loss or theft (15.5%) were the other two leading factors, suggesting that the requisite training of individuals to avoid cybersecurity breaches is lagging.
  • In addition, 22.5% of healthcare companies report having no budget allocated specifically to data privacy management, though 91.3% report having "a data privacy and awareness program in place."

Physical Safeguards

  • A 2017 survey found that "65% of doctors and 41% of nurses admitted they use personal devices despite explicit policy prohibiting such use."
  • However, the same survey found that 71% of hospitals do have some manner of bring-your-own-device policy in place, up from 58% in 2016.
  • The lapses in cybersecurity due to mobile device use prompted the National Institute of Standards and Technology (NIST) to issue a guide titled, "Securing Electronic Health Records on Mobile Devices" in 2018.

Technical Safeguards

  • While "nearly all" US healthcare organizations are making use of the cloud to collect, store, and share e-PHI (electronic protected health information), less than 40% are encrypting their data in those environments.
  • Only 60% of organizations have an automated means to determine when a data breach has occurred.
  • Despite this, 73% of healthcare organizations rate their security in implementing new tech deployments as "very" or "extremely" secure, suggesting that they are "overconfident in their ability to thwart security lapses."

Organizational Requirements

  • Half of healthcare organizations have over 50 data-sharing agreements, 20% more than businesses in any other industry.
  • 61% say they are "more confident" that they were compliant with privacy regulations than they were confident in their partners.

Documented Policies and Procedures


Additional Reading

  • The aforementioned Horizon Report contains some alarming statistics regarding cybersecurity penetration tests (page 8). These statistics were gathered from 2015 to 2017 and consequently, we are uncertain whether they are still valid and have not included them in the body of this brief. Nevertheless, they may be of interest.

Part 22 of 56

Cybersecurity Trends - Healthcare Industry

Based on a combination of surveys of healthcare IT and administrative professionals and the observations of experts in healthcare cybersecurity, the three most important trends in this sector are the out-of-control acceleration of cybercrime, the overconfidence of the healthcare organizations, and the growth of cybersecurity budgets despite that overconfidence.

Healthcare Cybercrime is Out of Control

  • 2019 saw a 300% increase in cyberattacks on healthcare systems, and the HIMSS estimates that 80% of healthcare organizations have had a significant cybersecurity issue (not necessarily a breach) in the last 12 months.
  • Healthcare records are among the most valuable on the black market, worth up to $500 per record.
  • One-third of hospitals will experience a cybersecurity incident within the next two years.
  • Supply-chain and other third-party vendors experienced a 78% increase in attacks in 2018.
  • FBI Director Christopher Wray states, "Today’s cyberthreat is bigger than any one government agency — in fact it’s bigger than the government itself. The scope, breadth, depth, sophistication and diversity of the threat we face now is unlike anything we’ve had in our lifetimes."

Healthcare Organizations Are Overconfident and Falling Behind


However, Healthcare Organizations Are Investing More into Cybersecurity

  • Healthcare organizations most commonly cite a lack of cybersecurity personnel (52.4%) or financial resources (46.6%) as their primary reasons for being inadequately prepared for cybersecurity attacks; however, nearly four-fifths (79.5%) or more (86% in a separate survey) expected increased resource allocation in 2019.
  • Roughly half of healthcare organizations have already invested $100,000 to $500,000 in their data privacy budgets, putting them at a level higher than other industries.
  • The largest driver for these increased budgets is regulatory concerns (76%), "including enforcing data retention and classification policies and rapid response to data breaches (61% for both)."
Part 23 of 56

Cybersecurity Breaches - Healthcare Industry

Recent cybersecurity breaches in the healthcare sector include Coplin Health Systems, Banner Health, Newkirk Products, and Premier Family Medical. Details around each breach are given below.

Coplin Health Systems

  • An employee of Coplin Health Systems in West Virginia left an unencrypted laptop in a car; the car was stolen, and with it the data of 43,000 patients.
  • Luckily, no one has attempted to use the data from the stolen laptop, according to Derek Snyder, CEO of Coplin Health Systems.
  • The organization has since been working with law enforcement agencies on the incident, and its systems are being monitored for unauthorized access.
  • The data breach has cost the company a total of over $60 million in direct costs in the form of lawsuits, penalties, and fines.

Banner Health

  • A cyberattack on Banner Health compromised the data of as many as 3.7 million people in 2016.
  • The matter is under an active investigation by the Office for Civil Rights (OCR) at the US Department of Health and Human Services, and the initial report suggests that the security arrangements at Banner are inadequate.
  • Banner stated that it is cooperating with OCR in the investigation and has made changes to its security systems since the breach.
  • The costs associated with the breach were not available; however, according to the 2016 Cost of a Data Breach report, the average cost of resolving a healthcare data breach stood at $355 per record, which could cost Banner Health as much as $1.3 billion (3.7 million * $355) in total direct costs.

Newkirk Products

  • Newkirk Products, a healthcare ID card issuer, was involved in a data breach that compromised the records of 3.47 million patients.
  • As a result of the breach, one of the largest insurance providers, Blue Cross Blue Shield, was also affected, and patients' sensitive information, including "Medicaid ID numbers, names (including those of dependents), dates of birth, premium invoice information, and group ID numbers," was also compromised; however, no misuse of the data has yet been reported.
  • The company has taken steps to notify all affected individuals by mail and is offering them complimentary identity theft monitoring and resolution services.
  • The costs associated with the breach were not available; however, according to the 2016 Cost of a Data Breach report, the average cost of resolving a healthcare data breach stood at $355 per record, which could cost Newkirk as much as $1.2 billion (3.47 million * $355) in total direct costs.

Premier Family Medical

  • In one of the more recent cyberattacks, Premier Family Medical in Utah experienced a ransomware attack in July this year, affecting 320,000 patients, whom the healthcare provider has been notifying.
  • As a result of the attack, the provider's access to patient data and some other functions was blocked.
  • The provider is working to regain access to the data and is investigating with the assistance of technical consultants.
  • The costs associated with the breach were not available; however, according to the 2019 Cost of a Data Breach report, the average cost of resolving a healthcare data breach stood at $429 per record, which could cost Premier as much as $137.28 million (320,000 * $429) in total direct costs.

Research Strategy

We have identified four cases of cybersecurity breaches in the healthcare sector. Although the costs of the data breaches were not available in all cases, we have provided estimates of how much each data breach could cost the affected organization. The estimates are based on the Cost of a Data Breach reports from IBM and the Ponemon Institute. Even in the cases where we could find the costs, we were only able to find the direct costs.
Part 24 of 56

Executive Summary - Cybersecurity in the Healthcare Industry

Using the previously completed requests, we have prepared an executive summary of the cybersecurity analysis of the healthcare industry, covering its importance, data protection, vulnerabilities, compliance standards, how those standards are met, trends, and breaches.

Executive Summary

  • Following is an Executive Summary of the Cybersecurity Analysis of the Healthcare Industry:

One in two data breaches in the healthcare industry is related to identity theft. Hackers sell the data on the black market, where it is later used by identity thieves, for Medicare fraud, or for other financial gain. The healthcare system in the United States loses $6.2 billion annually due to data breaches. Beyond the loss of credibility, leaked patient data can result in costly legal proceedings.

Managing a larger population will require more efficient practices, and efficiency can be brought about by greater technology adoption. Electronic Health Records are sold for as much as $500 on the black market, as opposed to financial data, which sells for only $1; this makes EHR theft a notable cybersecurity vulnerability.
The primary guiding rule for cybersecurity in healthcare is the HIPAA Security Rule, aka the Security Standards for the Protection of Electronic Protected Health Information. One of the major goals of the Security Rule is to enable healthcare organizations "to adopt new technologies to improve the quality and efficiency of patient care" while still safeguarding the privacy of individuals.
According to one cybersecurity expert, 2019 has seen a 300% increase in cyberattacks on healthcare systems, incentivized in great part by the fact that healthcare records are among the most valuable on the black market. Despite this, the healthcare industry has proven woefully behind in implementing all aspects of the HIPAA Security Rule. 22.5% of healthcare companies report having no budget allocated specifically to data privacy management, though 91.3% report having "a data privacy and awareness program in place." While "nearly all" US healthcare organizations are making use of the cloud to collect, store, and share e-PHI, less than 40% are encrypting their data in those environments.
The HIMSS estimates that 80% of healthcare organizations have had a significant cybersecurity issue (not necessarily a breach) in the last 12 months. 70% of mid- to large-sized healthcare organizations are "very or extremely confident" in how they secure sensitive data, but only 50% "update their inventory of personal data once a year or less," leaving them vulnerable to ransomware attacks or even simple server crashes.
Recent cybersecurity breaches in the healthcare sector include Coplin Health Systems, Banner Health, Newkirk Products, and Premier Family Medical. Newkirk Products, a healthcare ID card issuer, was involved in a data breach that compromised the records of 3.47 million patients.
Part 25 of 56

Cybersecurity Importance - Banking and Financial Markets Industry

Cybersecurity is very important for companies operating in the Banking and Financial Markets industry because the industry relies on consumer trust, which is easily shaken by data breaches. Additionally, due to the direct link between customer data and money, companies in the industry are especially lucrative targets for cyber-criminals. To protect consumers, regulators are putting pressure on financial services companies to protect customer data, so regulatory compliance is an additional reason for the importance of cybersecurity in the Banking and Financial Markets industry.

Importance of Trust in the Industry

  • The Banking and Financial Services industry relies on "nurturing trust and credibility" among its customers, and data breaches negatively impact consumer trust.
  • Banks and other financial institutions hold very sensitive personal data on their customers. Since the data is highly sensitive, additional care is needed to protect it, compared to other industries.
  • Cybersecurity breaches could lead to lost money and time for customers, which makes them highly risk-averse. Therefore, customers are likely to change banks if a major breach occurs.
  • Companies in the financial sector experience the highest rate of customer churn compared to all other industries, according to a report by the Identity Theft Resource Center.

Banks are Prime Targets for Cybersecurity Attackers

  • The number of data breaches in the Banking and Financial Markets industry is increasing every year. It increased by 44.7% from 2016 to 2017, and the financial sector accounted for 8.5% of all breaches in 2017.
  • Companies in the financial services industry are targeted by cybersecurity attackers 300 times more frequently than businesses in other industries.
  • According to a report by IBM, "financially-motivated threat actors pose the most significant threat to the financial services industry, with threats from nation state groups in this sector, increasing over the past three years and resulting in the direct theft of millions of dollars from banks around the globe."
  • Distributed Denial of Service (DDoS) attacks, one of the most common cybersecurity threats, increased by 56% in the industry in recent years, and 60% of financial services businesses have said that the attacks are becoming larger and more impactful each year.

Regulatory Compliance

  • To protect consumers, governments frequently impose more stringent cybersecurity regulations on companies in the Banking and Financial Markets industry. Therefore, companies in the space are forced to make cybersecurity a priority to be in compliance with the regulations.
  • One example of such regulations is the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, also known as the 23 NYCRR Part 500. This regulation puts more accountability for cybersecurity breaches on senior executives of financial services companies operating in New York City.
  • Just this single regulation is estimated to affect around 1,900 businesses in the Banking and Financial Markets industry. Companies in the industry are required to perform regular audits and employee training activities to be in compliance with the regulation.
Part 26 of 56

Data Protection - Banking and Financial Markets Industry

Three critical pieces of data that the Banking and Financial Markets industry tries to protect are the customer's identity, their account information, and their credit or debit card information.

1. Identity or Personally Identifiable Information

  • Personally Identifiable Information (PII) is any piece of data an institution receives that can be used directly to identify or trace an individual, such as the person's name, date of birth, place of birth, social security number, mother's maiden name, biometric records, etc.
  • It also includes information that is linked or linkable to the person, like home address, email address, passport number, telephone number, country, city, state, postcode, gender, race, age, age range, job position, workplace, etc.
  • With advances in technology and internet communication, banks are concerned because they realize that PII is no longer secure: the information can be leaked, and it has become too easy for fraudsters to find it and use it.
  • Several banks in the US are already taking action and finding alternative ways to identify their clients without relying on previous methods, such as no longer requesting their SSN, which is no longer considered secure.
  • They are also working together to create a central system that helps banks and financial institutions prove a person's identity.
  • Bank of America also protects its clients' identities by following various security procedures, including mandatory annual training on fraud prevention and security for its employees, and by creating resources that advise customers on security practices, such as notifying them that its emails will never ask for personal information and using email certificates so that its messages can be verified as legitimate and are not routed to spam.
  • Financial markets firms in the industry are also aware of the importance of identity protection and implement measures such as using secure, authenticated devices and computers for their work, networks prepared to withstand a cyberattack, third-party vendor services that raise their security levels, cybersecurity training and testing for employees, and plans for receiving security breach reports from their customers.

2. Account Information

  • Bank account information and online bank account information include login details, customer number, bank account number, and financial information like transaction records, credit scores, credit limits, etc.
  • In July 2019, Capital One suffered a security breach in which 140,000 SSNs and over 80,000 bank account numbers were stolen, affecting 100 million customers in the US and costing the bank $150 million in damages.
  • To protect customers' account information that is available online from intrusive access and cyberattacks, banks employ methods like anti-malware protection, antivirus protection, firewalls, SSL encryption, cookies, biometric authentication, and multi-factor authentication.
  • They also provide credential confidentiality by promising to protect the client's username and password information.
  • Additionally, they ensure that a future user of the same device cannot access the information by automatically logging out of bank account sessions.
  • HSBC, for example, protects its customers' accounts from theft by using technology like decryption, encryption, firewalls, digital certificates, different authentication methods, and support through Secure BankMail.
  • Bank of America protects the client's bank account information from unauthorized access by maintaining different procedural safeguards for electronic and physical access.
  • Financial markets firms also use encryption to manage account access securely and train their employees in fraud prevention.

3. Credit and Debit Card Information

  • Banks use methods like limited liability and transaction limits, so that the customer is notified or asked to confirm when transactions above the limit are made or attempted.
  • HSBC prevents credit card theft and unauthorized transactions using a $0 liability online guarantee and offers 100% coverage for unauthorized charges caused by fraud or account theft.
  • Bank of America also offers $0 liability for credit card theft and a direct phone number to report a stolen card at any time.
  • Additionally, Bank of America has implemented a geolocation security system that recognizes the place where an online purchase was made.
  • Lastly, most banks have secured their clients' credit and debit cards by implementing EMV chips and requiring a second verification method for physical use, such as chip-and-signature or chip-and-PIN.

Research Strategy

To determine three examples of data that banking and financial markets firms try to protect, we examined the websites of different firms in the US, like Bank of America, HSBC, Capital One, MasterCard, American Express, Visa, PayPal, Forex, etc., for the actions they have taken to guarantee the security of data, and analyzed which data most of those actions target.
We also reviewed articles and news from the industry to identify the actions these entities take most often.

Finally, by comparing across multiple sources, we noticed that the three items they most often focus on are 1) the client's identity or PII, because it can lead to identity theft, 2) the client's access to their account and the information in it, and 3) their physical credit and debit cards, to prevent fraud.
Part 27 of 56

Cybersecurity Vulnerabilities - Banking and Financial Markets Industry

The unique vulnerabilities for firms in the banking and financial markets industry include web-based banking applications that are the most vulnerable to attack of any industry. Approximately 60% of banking apps running on Android are not obfuscated, which means they effectively put the bank's intellectual property at risk, as these apps can easily be reverse-engineered. Additionally, 80% of all banking apps running on iOS have sensitive values intercepted when SSL and Transport Layer Security (TLS) app communications are proxied.

Web-based XML external entity flaws and arbitrary file reading and modification flaws

  • Banks' and financial markets companies' web-based banking applications are reported to be the most vulnerable to attack of any industry. According to the security firm Positive Technologies, every financial web application tested in its review contained at least one high-severity vulnerability.
  • The specific vulnerabilities found in the banking and financial markets industry are "XML external entity flaws and arbitrary file reading and modification flaws," present in approximately 50% of the banking and financial sites tested. This means that, in the case of a cyberattack, the attacker can "remotely run code to compromise a vulnerable server — possibly leading to serious consequences for customers who expect their banks to keep their money safe."
  • Additionally, 80% of websites are vulnerable to cross-site scripting (XSS) attacks, which allow an attacker to inject malicious code into a website.
  • Both of these flaws are often not considered high-severity and are therefore treated with lower priority. This lets attackers "manipulate how sites look, tricking users into handing over sensitive information that gets silently forwarded to an attacker."
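The XML external entity (XXE) class of flaw named above is the one a practitioner can close by configuration: refuse every DTD and entity declaration in XML that arrives from outside. The following Python example is added here to illustrate that hardening; it is not code from the original brief or from any of the firms named, and the function names and sample documents are constructed for illustration. It runs a first pass with the standard-library expat parser whose DTD/entity callbacks abort parsing, so the declaration itself is treated as the violation and nothing is ever resolved, whether or not the underlying parser would have fetched it.

```python
"""Added example (not from the original brief): parse untrusted XML while
refusing every DTD and entity declaration, the standard hardening against
XML external entity (XXE) flaws. Function names and sample documents are
constructed for illustration."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class XMLSecurityError(ValueError):
    """Raised when a document declares a DTD, an entity, or an external reference."""


def _reject(reason):
    # Build a handler that aborts parsing; expat re-raises the exception from Parse().
    def handler(*_args):
        raise XMLSecurityError(reason)
    return handler


def check_xml_policy(data: bytes) -> None:
    """First pass: walk the document with expat and abort on the first
    DOCTYPE, entity declaration or external entity reference.

    The declaration itself is the violation, so nothing is resolved."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE declarations are not accepted")
    parser.EntityDeclHandler = _reject("entity declarations are not accepted")
    parser.UnparsedEntityDeclHandler = _reject("unparsed entity declarations are not accepted")
    parser.ExternalEntityRefHandler = _reject("external entity references are not accepted")
    parser.Parse(data, True)  # raises XMLSecurityError or expat.ExpatError


def safe_parse(data: bytes) -> ET.Element:
    """Return the root element of ``data`` once the policy check has passed."""
    check_xml_policy(data)
    return ET.fromstring(data)


def parse_outcome(data: bytes) -> str:
    """Classify a document for logging: 'ok', 'rejected' (policy) or 'malformed'."""
    try:
        safe_parse(data)
    except XMLSecurityError:
        return "rejected"
    except (expat.ExpatError, ET.ParseError):
        return "malformed"
    return "ok"


# Constructed sample documents (not real traffic).
BENIGN_XML = b"<transfer><account>12345</account><amount>10.00</amount></transfer>"
# External entity pointing at a local file: the shape of the XXE flaw the text describes.
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE t [<!ENTITY ext SYSTEM "file:///constructed/example.txt">]>'
           b"<t>&ext;</t>")
# Internal entity only: still refused, since entity expansion is also a denial-of-service vector.
INTERNAL_ENTITY_XML = b'<!DOCTYPE t [<!ENTITY a "aaaa">]><t>&a;</t>'
MALFORMED_XML = b"<t><unclosed></t>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_XML), ("xxe", XXE_XML),
                       ("internal-entity", INTERNAL_ENTITY_XML), ("malformed", MALFORMED_XML)]:
        print(f"{label:16} -> {parse_outcome(doc)}")
```

The policy deliberately rejects internal entities as well as external ones: a service that never needs a DTD loses nothing by refusing all of them, and the rejection is logged separately from malformed input so that a spike in "rejected" documents stands out as probing rather than as client bugs.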

Mobile app software gaps for Android

  • Banking and other financial apps running on Android allow the creation of world-writable files, which pose a unique security risk for banks and financial services apps because they allow "other apps to have written access to files, leading to potential security gaps."
  • Currently, around 33% of banking apps running on Android "created or modified a file such that the file has permissions that allow other apps to write to it."
  • Approximately 60% of banking apps running on Android are not obfuscated, which means they effectively put the bank's intellectual property at risk, as these apps can easily be reverse-engineered.
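The world-writable file problem above is a Linux permission bit (the "other" write bit), so it can be audited with an ordinary filesystem walk over a copy of an app's data directory. The Python example below is added here as an illustration and is not code from the original brief or from any bank; it assumes a POSIX filesystem (on Windows the mode bits do not carry this meaning) and builds a small constructed directory tree with one deliberately world-writable file so that it runs offline.

```python
"""Added example (not from the original brief): report regular files whose
'other' write bit is set, the defect behind world-writable app files.
Assumes a POSIX filesystem; helper names are hypothetical."""
import os
import stat
import tempfile
from typing import List


def is_world_writable(path: str) -> bool:
    """True if the o+w bit is set on ``path`` (symlinks are not followed)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def find_world_writable(root: str) -> List[str]:
    """Walk ``root`` and return root-relative paths of world-writable regular files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            # Only regular files: sockets/symlinks carry permission bits that mean something else.
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_demo_tree() -> str:
    """Create a constructed app-data-like tree with one o+w file; return its root."""
    root = tempfile.mkdtemp(prefix="ww-demo-")
    os.makedirs(os.path.join(root, "files"))
    safe = os.path.join(root, "files", "prefs.xml")
    leaky = os.path.join(root, "files", "session.db")
    for path in (safe, leaky):
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    os.chmod(safe, 0o600)   # owner read/write only: the expected state
    os.chmod(leaky, 0o666)  # world-writable: the defect being detected
    return root


def run_demo() -> List[str]:
    """Build the constructed tree and return the audit findings for it."""
    return find_world_writable(build_demo_tree())


if __name__ == "__main__":
    for finding in run_demo():
        print("world-writable:", finding)
```

Run against a real extracted data directory the same function takes the directory path instead of the demo tree; world-writable directories deserve the same check (with the sticky bit as the mitigating factor), which this example leaves to the reader to keep the regular-file case clear.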

Mobile app software gaps for iOS

  • The cookie Secure flag is not properly set for 54% of all banking apps running on iOS. When set to true, the "secure flag tells the browser to only send the cookie if the request is sent using a secure channel, which prevents the cookie from being transmitted over unencrypted requests."
  • Additionally, 80% of all banking apps running on iOS have sensitive values intercepted when SSL and Transport Layer Security (TLS) app communications are proxied, including the username, password, GPS coordinates, Wi-Fi MAC (media access control) address, IMEI (International Mobile Equipment Identity), serial number, and phone number.
  • When an iOS app sends sensitive data without certificate pinning, an attacker needs only network-level access, i.e. a position on the same network the device is using, to intercept it.
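The missing Secure flag is visible directly in a server's Set-Cookie headers, so it is one of the cheapest findings to check for before an app ever ships. The Python example below is added to show that audit together with a correctly flagged session cookie; it is not code from the original brief or from any bank, the response headers are constructed, and the function names are hypothetical. It also reports HttpOnly and SameSite, which the same header carries.

```python
"""Added example (not from the original brief): audit Set-Cookie headers for
the Secure, HttpOnly and SameSite attributes and build a correctly flagged
session cookie. Sample headers are constructed; names are hypothetical."""
from typing import Dict, List, Tuple


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str) -> Tuple[str, List[str]]:
    """Return (cookie name, list of missing protections) for one Set-Cookie value."""
    name, _value, attrs = parse_set_cookie(header_value)
    missing = []
    if "secure" not in attrs:      # cookie would be sent over plain HTTP
        missing.append("Secure")
    if "httponly" not in attrs:    # cookie readable by script (relevant to the XSS finding)
        missing.append("HttpOnly")
    if "samesite" not in attrs:    # no cross-site request restriction declared
        missing.append("SameSite")
    return name, missing


def audit_response_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a response; {name: missing} per cookie."""
    report: Dict[str, List[str]] = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, missing = audit_set_cookie(value)
            report[name] = missing
    return report


def build_session_cookie(name: str, value: str, max_age: int = 900) -> str:
    """Set-Cookie value with every protection the audit looks for."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Strict"


# Constructed response headers (not captured from any real service).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),                         # nothing set
    ("Set-Cookie", "csrftoken=xyz789; Path=/; Secure; SameSite=Lax"),    # readable by script by design
    ("Set-Cookie", build_session_cookie("sessionid2", "def456")),        # fully flagged
]

if __name__ == "__main__":
    for cookie, missing in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

A finding is not always a defect: a CSRF token that JavaScript must read cannot be HttpOnly, so the audit lists what is absent and a reviewer decides, cookie by cookie, whether the absence is intended.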
Part 28 of 56

Cybersecurity Compliance Standards - Banking and Financial Markets Industry

Some compliance standards that are currently in effect in the banking and financial services industry in the US include the Bank Secrecy Act, the Gramm-Leach-Bliley Act, the Electronic Funds Transfer Act, the USA PATRIOT Act, and cybersecurity requirements for financial services companies. Details for each of these standards are outlined below.

Bank Secrecy Act

  • Through the Bank Secrecy Act (aka BSA/Anti Money Laundering), the OCC (Office of the Comptroller of the Currency) supervises the financial institutions in the US and enforces laws to prevent terrorist financing, money laundering, and other criminal activities that may involve the misuse of the nation's financial institutions.
  • BSA compliance is ensured by the OCC by regular examinations of agencies of foreign banks in the country, federal branches, national banks, and federal savings associations.
  • As per an MoU, the OCC also notifies the U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) about BSA violations and/or deficiencies.

Gramm-Leach-Bliley Act

  • The Gramm-Leach-Bliley Act (aka GLBA) is a federal law in the United States that mandates financial institutions in the country to publicize their process of sharing and protection of the private information of their customers.
  • Financial institutions are expected to follow certain requirements in order to be GLBA-compliant. These requirements include communicating the process of sharing customers' private information, informing customers of their right to opt out if they do not want their data reaching third parties, and implementing specific data protection techniques to keep customer information safe.

Regulation E

  • Regulation E, also known as the Electronic Funds Transfer Act (EFTA), is a regulation implemented by the Federal Reserve that governs Electronic Funds Transfers (EFTs).
  • The regulation "provides guidelines for issuers and sellers of electronic debit cards" and guides customers as well as financial institutions/banks when it comes to electronic funds transfers, including transfers generated using Point of Sale (POS) transactions, Automated Clearing House (ACH) systems, and Automated Teller Machines (ATMs).
  • This regulation also encompasses rules that relate to consumer liability when it comes to unauthorized card usage.

USA PATRIOT Act

  • The USA PATRIOT Act resulted from the September 11 terrorist attacks and gives law enforcement agencies the power to "investigate, indict and bring terrorists to justice."
  • USA PATRIOT is an acronym for "Uniting And Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism".
  • While the act applies broadly to security institutions, it also impacts financial institutions that are engaged in cross-border transactions "with a goal of thwarting the exploitation of the American financial system by parties suspected of terrorism, terrorist financing, and money laundering".

Cybersecurity Requirements for Financial Services Companies

  • As many as 1,500 banks and financial institutions are regulated by the New York Department of Financial Services, including international institutions that have operations in New York.
  • These institutions are subject to the cybersecurity requirements published by the NYDFS. There are 22 provisions that constitute these requirements, each relating to data protection.
  • As per the requirements, financial institutions must perform risk assessments to identify gaps and ensure that nonpublic information and information systems are safe from unauthorized access. Safeguards may include risk-based authentication, multifactor authentication, and biometric authentication.

Research Strategy

We have outlined five compliance standards that are currently in effect in the banking and financial services industry in the United States. It should be noted that this list is not exhaustive and there exist other standards in the industry as well. Some other standards can be found listed here.
Part 29 of 56

Meeting Compliance Standards - Banking and Financial Markets Industry

The Bank Secrecy Act, the Gramm-Leach-Bliley Act, the Electronic Funds Transfer Act, the USA PATRIOT Act, and the NYDFS Cybersecurity Requirements for financial services companies, are being observed diligently by US banking and financial markets companies like Bank of America, J.P. Morgan, Citibank, Capital One, HSBC, PayPal, WiseWage, and NerdWallet, among others.

Bank Secrecy Act

  • To comply with the Bank Secrecy Act, different banks and financial services companies in the country, like J.P. Morgan Chase & Co., Bank of America, Deutsche Bank, Citibank, U.S. Bank, Capital One Financial Corp, HSBC, and PricewaterhouseCoopers, have created the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Officer role within their companies and are hiring for that position.
  • In 2019, seven of the largest banks in the US declared to the House Financial Services Committee that they had spent over $1 billion guaranteeing their compliance with the Bank Secrecy and the Anti-Money Laundering Acts and following up on the reports.
  • Financial institutions like PayPal are also implementing the same roles to comply with Bank Secrecy Act and AML.

Gramm-Leach-Bliley Act

  • Bank of America created a Cyber Threat Operations Center, which allows it to control cyberattacks, as part of its Information Security Policy to comply with the Gramm-Leach-Bliley Act.
  • JP Morgan has also incorporated the JPMC Information Security Program that includes physical, administrative, and technical safeguards to guarantee the bank's compliance with the Gramm-Leach-Bliley Act.
  • The Federal Reserve makes regular publications about the different actions that the financial holding companies are taking to comply with GLBA.

Electronic Funds Transfer Act (EFTA)

  • Financial companies like PayPal have reduced funds transfer time to one day and created real-time payment systems to comply with the Electronic Funds Transfer Act.
  • Other online financial institutions like WiseWage and NerdWallet added details of the EFTA to their Terms and Conditions to educate their clients on their rights under this regulation.
  • JPMorgan Chase created a job position in charge of monitoring the company's compliance with EFTA.
  • Sullivan & Cromwell’s Banking Enforcement Actions Tracker helps US citizens and organizations to report and review violations of this act.

USA PATRIOT Act

  • US banks and financial services institutions rely on the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Officer role to oversee their compliance with the USA PATRIOT Act.
  • Goldman Sachs and Bank of America declared in their annual reports their commitment to ensuring that their processes and services comply with the USA PATRIOT Act.
  • According to David Schwartz, president and CEO of the Florida International Bankers Association, the banks of the US have implemented actions and regulation departments to ensure their compliance with the USA PATRIOT Act since 2001.

NYDFS Cybersecurity Requirements for Financial Services Companies

Research Strategy

Based on the "Cybersecurity Compliance Standards — Banking and Financial Markets Industry" analysis, the compliance standards we're focusing on are the Bank Secrecy Act, the Gramm-Leach-Bliley Act, the Electronic Funds Transfer Act, the USA PATRIOT Act, and the NYDFS Cybersecurity Requirements for financial services companies.
As indicated, we reviewed each standard and provided examples of how banks and financial markets firms confirm that they are complying with the standards.
Part 30 of 56

Cybersecurity Trends - Banking and Financial Markets Industry

Some cyber-security trends in the banking and financial markets industry include the growth of the financial cyber-security market, sophisticated cybercriminals targeting banks, outsourced cyber-security services, and investment in state-of-the-art cyber-security technologies.

Growth of the Financial Cybersecurity Market

  • Trends published by MarketWatch on the United States financial services cyber-security market predict growth of the market between 2016 and 2020.
  • The cumulative market size of the financial cyber-security market is forecasted to exceed $68 billion between 2016 and 2020.
  • Financial firms are spending about $3,000 per employee to boost cyber-security. Some of the most significant banks have tripled their cyber-defense budgets within the last three to four years to combat the surge of attacks on the information of their clients, accounts, and other data.
  • The financial cyber-security market continues to grow due to a surge in the number of attacks targeting financial services and their client information, accounts as well as other data. The financial sector is the focus of 19% of all cyber attacks. Firms are increasing their spending on cyber security to combat rising threats.

Sophisticated Cybercriminals Target Banks

  • MarketWatch trends reveal that sophisticated cybercriminals are targeting banks.
  • By targeting financial/banking services institutions, cybercriminals steal sensitive details that often get used to open "fake accounts and lines of credit."
  • A recent report by the US financial services organization Capital One reveals that a breach recently affected 106 million customers within North America. The sophisticated hack of Capital One exposed the personal details of more than 106 million financial customers (such as their names, addresses, and phone numbers) across the United States and Canada. The data breach is considered sophisticated because experts believe it is "one of the largest in banking history."
  • According to Merchant Fraud Journal, about €1.5 million was recently stolen from financial/banking services-related accounts of consumers linked to MasterCard following an EMV Card Hack. MasterCard (formerly Interbank Card Association) is an American company that offers payment processing products and services.
  • Some banks in America, including Chase Bank, have recently refunded amounts stolen from consumer bank accounts in cases that may have involved compromised chip cards issued by the banks. Chase Bank recently reimbursed a consumer who encountered a bank fraud suspected to originate from a hacked chip, but controversially stated that its "chip cards can't be hacked." Experts argue that bank-issued chip cards may be sophisticated, but they are vulnerable.
  • Apart from the Capital One cyber-security challenge/hack of 2019, JP Morgan had about 76 million consumer details breached by hackers in 2014. Hackers had successfully breached the details of 130 million customers of Heartland Payment System as of 2009.

Outsourced Cyber-Security and Related Services

  • According to trends published by MarketWatch, financial institutions are outsourcing cyber-security services.
  • The recent hack witnessed by Capital One affected its reputation of being a "tech-savvy bank." That ethos inspired Capital One to seek cloud computing services about five years ago.
  • Capital One became "one of the first big banks to migrate" much of its customer and corporate data as well as applications from its own data centers onto Amazon's cloud services to enhance data security. According to the Wall Street Journal, several big banks, along with Capital One, are outsourcing "more of their tech processes" as measures to address cyber-security gaps.
  • JP Morgan recently admitted that many financial firms are outsourcing a "variety of functions to third-parties, including information technology," payroll, accounting as well as other financial services. The company further stated that although this outsourcing is convenient, it raises cyber-security risks.

State-Of-The-Art Cyber-Security Technologies

  • Trends published by MarketWatch on the United States financial services cyber-security market predict the use of state-of-the-art cyber-security technologies.
  • To benefit from state-of-the-art cyber-security technology, some banking and financial institutions such as Capital One are migrating to the Amazon cloud for cyber-security services. Amazon claims that cyber-security governance is a top priority at AWS, implemented through a comprehensive "variety of state-of-the-art technical mechanisms" as well as robust organizational mechanisms that drive ethical behavior.
  • Amazon's AWS security and compliance services give several banks and other financial institutions the chance to operate IT environments at scale and to utilize "state-of-the-art technology" that is traditionally available only to the largest financial institutions. For some of the largest financial organizations, AWS's security and compliance services help to protect, simplify, and transform complex legacy infrastructure to achieve equal or "better levels of assurance with a smaller amount of effort."
  • AWS offers cloud security services.

Research Strategy

The research investigated notable cyber-security/cloud cyber-security computing trends in the banking and financial markets industry. This strategy examined trends published by MarketWatch, Computer Weekly, and other resources. MarketWatch offers the latest stock market, as well as financial and business news, while Computer Weekly provides the most recent information technology (IT) news. Only cyber-security/cloud cyber-security computing trends affecting the financial markets that appeared across a plethora of resources and were also verified as affecting several financial institutions or banks are in the study.

Part 31 of 56

Cybersecurity Breaches - Banking and Financial Markets Industry

Four examples of cybersecurity breaches in the banking and financial markets industry include National Bank of Blacksburg's cyber theft, an Equifax data breach, ATM theft, and an HSBC Bank USA data breach.

National Bank of Blacksburg

  • The National Bank of Blacksburg, located in Virginia, was "hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service."
  • In two separate events, one in May 2016 and the other in January 2017, hackers were able to "disable and alter anti-theft and anti-fraud protections, such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections" that allowed them to steal $569,000 during the first incident and $1,833,984 during the second breach.
  • The total loss to the bank was over $2.4 million.
  • The organization reacted to the first breach by implementing additional security protocols that would help the bank "flag specific types of repeated transaction patterns that happen within a short period of time."
  • Following the second breach, the bank expanded cyber protection "through a combination of technology such as firewalls and antivirus software, policies and procedures, and employee training."
  • The bank also sued its insurer, Everest National Insurance Co, after the insurance company only wanted to pay $50,000 toward the bank's financial losses. The case was settled for an undisclosed amount in January 2019.
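As an added illustration (not code from the report or from the bank), the following Python sketch shows the kind of independent velocity check described above: it recomputes per-card withdrawal counts and totals over a sliding window from the raw transaction feed rather than trusting the per-card limit fields that the intruders had altered. Card references, ATM identifiers, amounts, timestamps and thresholds are all constructed.

```python
"""
Added example (not from the original report): a velocity monitor of the kind
the National Bank of Blacksburg described adding after its first breach, i.e.
flagging repeated withdrawal patterns that happen within a short period.

Assumption: the limits stored on the card record (PIN, daily withdrawal cap)
may have been tampered with, so this monitor derives counts and totals from
the transaction stream itself.  All data below is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List


@dataclass(frozen=True)
class Withdrawal:
    card: str        # tokenised card reference (constructed)
    atm: str         # ATM identifier (constructed)
    amount: float    # USD
    ts: datetime


@dataclass
class Alert:
    card: str
    reason: str
    window_count: int
    window_total: float


def velocity_alerts(txns: List[Withdrawal],
                    window: timedelta = timedelta(minutes=10),
                    max_count: int = 3,
                    max_total: float = 1000.0) -> List[Alert]:
    """Return one Alert for every withdrawal that pushes a card over either
    threshold inside the sliding window.  Thresholds are held by the monitor,
    not read from the card record, so altering the record does not silence it."""
    recent: Dict[str, Deque[Withdrawal]] = defaultdict(deque)
    alerts: List[Alert] = []
    for t in sorted(txns, key=lambda w: w.ts):
        q = recent[t.card]
        q.append(t)
        # evict withdrawals that fell out of the window
        while q and t.ts - q[0].ts > window:
            q.popleft()
        count = len(q)
        total = sum(w.amount for w in q)
        reasons = []
        if count > max_count:
            reasons.append(f"{count} withdrawals within {window}")
        if total > max_total:
            reasons.append(f"${total:,.0f} withdrawn within {window}")
        if reasons:
            alerts.append(Alert(t.card, "; ".join(reasons), count, total))
    return alerts


# Constructed sample feed: card-A is drained across several ATMs in minutes,
# card-B shows ordinary spaced-out use.
T0 = datetime(2017, 1, 7, 2, 0)
SAMPLE = [
    Withdrawal("card-A", "atm-01", 500.0, T0),
    Withdrawal("card-A", "atm-02", 500.0, T0 + timedelta(minutes=2)),
    Withdrawal("card-A", "atm-03", 500.0, T0 + timedelta(minutes=4)),
    Withdrawal("card-A", "atm-04", 500.0, T0 + timedelta(minutes=6)),
    Withdrawal("card-A", "atm-01", 500.0, T0 + timedelta(minutes=8)),
    Withdrawal("card-B", "atm-01", 200.0, T0),
    Withdrawal("card-B", "atm-01", 200.0, T0 + timedelta(hours=1)),
]

if __name__ == "__main__":
    for a in velocity_alerts(SAMPLE):
        print(f"{a.card}: {a.reason}")
```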

Equifax

  • In May 2017, Equifax, a major credit reporting agency in the United States, was attacked by unknown hackers who exploited a vulnerability in an Apache Struts web application that resulted in the unauthorized release of more than 150 million customer records, including birth dates and social security numbers.
  • About 56% of all American adults were impacted by the data breach and the exposure led to "Congressional probes, probes by privacy authorities in the U.K. and Canada, and dozens of lawsuits and formal investigations by state attorneys general." In addition, the company's CEO and its two top information security personnel were forced to resign.
  • As of 2019, Equifax has recorded $1.35 billion in costs associated with the data breach, which includes $82.8 million in technology and data security costs, $12.5 million in quarterly legal and investigative fees, $1.5 million for product liability, and $690 million in "losses associated with certain legal proceedings and investigations."
  • Equifax has stated the total financial impact will not be known for years, as it faces more than 1,000 individual and class-action lawsuits from victims.
  • In response to the breach, Equifax transformed its technology infrastructure; improved its application, network, and data security; launched Lock and Alert, which allows customers to "lock and unlock their credit report with Equifax;" and offered victims "12 months of prepaid access to the TrustedID identity theft monitoring service from rival credit bureau Experian."

ATM Theft

  • In 2017 and 2018, seven men from Venezuela launched a coordinated attack on U.S. ATMs by installing "malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand."
  • The impact of the breach was that the thieves were able to empty six ATMs in Washington and Utah of all cash, leaving the banks with a financial loss and real customers with out-of-order ATMs.
  • The total financial loss was $306,200, including $88,000 from Sound Credit Union in Washington, $8,000 from iQ Credit Union in Washington, $16,000 from Umpqua Bank in Washington, $91,000 from Columbia Credit Union in Washington, $64,400 from Heritage Bank in Washington, and $38,800 from Deseret First Credit Union in Utah.
  • The ATM manufacturers responded to the breach by upgrading the Windows version running the machines and installing "security software that actively searches out and denies any malware from going to work inside the ATM machine."

HSBC

  • In October 2018, HSBC Bank USA "reported that hackers had gained access to customer data including names, addresses, phone numbers, and account details," possibly through "credential stuffing using logins gleaned from readily available databases of data from unrelated breaches."
  • While the bank did not disclose how many customers were affected by the breach, estimates indicate that less than 1% of HSBC's U.S. online accounts were compromised. With approximately 1.4 million customers in the United States, this would mean that about 14,000 accounts were impacted.
  • The financial impact related to the HSBC Bank USA breach is not yet known, but will include the cost of providing free credit monitoring to the victims and any settlements or awards from "private and class action lawsuits" that are filed against the bank.
  • In response to the breach, HSBC suspended online access to affected customer accounts, enhanced its authentication process for HSBC Personal Internet Banking, "implemented additional layers of security for digital and mobile access," and offered impacted customers a "free 12 month subscription to a credit monitoring and suspicious activity alerting product."

Part 32 of 56

Executive Summary - Cybersecurity in the Banking and Financial Markets Industry

  • Following is an executive summary of the cybersecurity analysis of the Banking and Financial Markets Industry.

Cybersecurity Importance

The financial services industry relies on consumer trust, which is easily shaken by data breaches. Companies in the industry experience the highest rate of customer churn due to data breaches out of all industries. Financial institutions are attacked by cyber-criminals 300 times more frequently than businesses in other industries. Additionally, banks have a greater need for regulatory compliance, because some regulations like the New York Department of Financial Services (NYDFS) Cybersecurity Regulation are specifically designed to protect sensitive customer data collected by financial institutions.

Cybersecurity Trends

The size of the financial cybersecurity market is growing at a rapid pace and is projected to exceed $68 billion by 2020, as companies are spending about $3,000 per employee on cybersecurity. Cyber-criminals targeting banks are getting increasingly sophisticated, stealing sensitive customer data to open fraudulent accounts. Another noticeable trend is the increased outsourcing of cybersecurity services, because it represents the fastest way to implement state-of-the-art technology.

Data Protection

Three critical pieces of data that the Banking and Financial Markets industry tries to protect are the customer's identity, account information, and credit card information. Several banks in the US have started finding alternative ways to identify their clients, without using personally identifiable information. Financial services companies are resorting to encryption for securing account information, and are using multi-factor authentication to prevent credit card fraud.

Cybersecurity Vulnerabilities

Web-based banking applications are especially vulnerable, with as much as 80% of them being vulnerable to cross-site scripting (XSS) attacks. About 60% of mobile banking applications running on Android are not obfuscated, meaning that they can easily be reverse-engineered, while 80% of apps running on iOS expose sensitive data to interception while proxying SSL and TLS communications.

Cybersecurity Breaches

Four examples of cybersecurity breaches in the financial services industry include the attack on the National Bank of Blacksburg that caused losses of over $2.4 million, the Equifax breach that exposed data of 150 million customers, a coordinated ATM theft, and the HSBC Bank hack.

Cybersecurity Standards & Compliance

The Bank Secrecy Act is an important cybersecurity standard in the industry, and major banks have started hiring employees for the Bank Secrecy Act-Anti-Money Laundering (BSA/AML) Officer role. Financial institutions created specialized programs to comply with the Gramm-Leach-Bliley Act. The Electronic Funds Transfer Act forced companies in the industry to expedite electronic transfers, while the USA PATRIOT Act led to the creation of new roles and departments within the institutions. Industry players are contracting technology providers like Duo to ensure compliance with the newly-enacted NYDFS Cybersecurity Regulation.

Part 33 of 56

Cybersecurity Importance - Aviation Industry

Cybersecurity is important for firms in the United States aviation industry for three reasons: the likelihood of a catastrophic disaster is higher with airborne vehicles; aircraft are increasingly connected to the Internet of Things (IoT) and are therefore becoming more vulnerable to cyber attacks; and air transportation infrastructure is considered part of the nation's critical infrastructure.

Higher Likelihood of a Catastrophe

  • According to Pacific Northwest National Laboratory, a research laboratory at the U.S. Department of Energy, aviation cybersecurity is important because the likelihood of a catastrophic disaster is intrinsically higher with an airborne vehicle than with a land vehicle.
  • Human lives are at stake. There is also a difference between the cyber defense of a moving vehicle and the cyber defense of a fixed facility.
  • Threats such as terrorists, hostile nation-states, criminals, insiders, and foreign intelligence entities can use cyber space to infiltrate or damage the country's aviation ecosystem.
  • Andrea Carcano, co-founder of the California-based cybersecurity company Nozomi Networks, says cyber attacks on commercial aircraft could be devastating and could put human lives in danger, so Carcano believes vulnerabilities should be tracked and minimized immediately and continuously.

Growing Aircraft Connectivity and Vulnerability

  • As aircraft, particularly commercial aircraft, become more connected to the Internet of Things (IoT) through onboard Wi-Fi services, in-seat power systems, and satellite communications, they become more vulnerable to cyber attacks as well. This was the sentiment raised by Alan Pellegrini, the president and chief executive officer of Thales USA, a manufacturer of electronic systems and cybersecurity solutions designed specifically for aircraft cabins and cockpits.
  • According to Pellegrini, there have already been hacks of aviation-related systems such as in-flight entertainment systems, data communication systems, and airline operation systems.
  • In fact, a team at the U.S. Department of Homeland Security (DHS) was able to demonstrate that a parked commercial aircraft can be remotely hacked.
  • As far as the interconnectivity of aircraft systems, ground-based systems, and satellites is concerned, what used to be incremental changes have now become exponential changes, and as a result, safety risks have increased.
  • The emergence of unmanned aircraft systems also brings about additional vulnerabilities, as unmanned aircraft systems can be used to infiltrate in-range computer networks.

Criticality of Air Transportation Infrastructure

  • According to a research laboratory at the U.S. Department of Energy, the cyber defense or protection of the country's critical infrastructure and services, including air transportation, is of vital importance. It is considered a national imperative to protect critical infrastructure from cyber attacks.
  • Aviation assets are considered part of the nation's critical infrastructure. Critical infrastructure, as defined by the government, pertains to "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
  • A cyber attack could easily paralyze critical air transport infrastructure. Even one system failure in the airline ecosystem could result in mass flight cancellations and airplane grounding, serious financial implications, and loss of customer confidence.
  • The five-hour outage that Delta Airlines experienced in August 2017 cost the airline $150 million and 2,000 flight cancellations.
  • The criticality of transportation infrastructure and the apparent lack of implementation of uniform cybersecurity standards have prompted Michael Stephens, general counsel and executive vice president for information technology at Tampa International Airport, to propose mandatory compliance to Congress, the Federal Aviation Administration (FAA), and the Transportation Security Administration.

Research Strategy

To determine why cybersecurity is important for firms in the country's aviation industry, we read through articles and reports covering the topic and took note of what aviation experts are saying about the importance or relevance of cybersecurity. We tried to gather as many viewpoints as possible, so we paid attention to the perspectives of government agencies, airlines, airports, cybersecurity system developers, and aviation system developers. With these viewpoints, we were able to identify that the top reasons behind the importance of cybersecurity in aviation center on the possible consequences of cyber attacks, the growing vulnerability of connected aircraft, and the criticality of air transport infrastructure.

Part 34 of 56

Data Protection - Aviation Industry

Three examples of specific data that aviation industry firms try to protect are credit card information (to prevent fraudsters from accessing it and fraudulently obtaining airline tickets), airline trade secrets (to prevent other companies from stealing the information and using it to gain a trading advantage), and passport information (to prevent fraudsters from using it to commit fraud). Protecting this data is also important so that passengers do not lose faith in the commitment of airlines to safeguard their data and stop using the airlines, leading to losses. Detailed information is in the next section.

Credit Card Information

  • Aviation industry firms try to protect the credit card information of passengers booking airline tickets. The protection of the data is important to prevent fraudsters from accessing this information and using stolen credit card numbers to fraudulently acquire airline tickets through the internet. The protection of this data is also important to prevent passengers from losing faith in the commitment of airlines to safeguard their data and in turn stop using the airline, leading to a slump in the company's stock value as a result of the negative effects of data breaches.
  • Criminals use fraudulent tickets to commit crimes such as drug trafficking, terrorism, human trafficking, and illegal immigration. Estimates show that fraudsters steal billions of dollars from the travel industry each year, with online card fraud costing airlines more than $1 billion annually.
  • According to the International Air Transport Association, payment fraud costs the aviation industry around $858 million per year, with airlines losing $639 million.

Passport Information

  • Aviation industry firms are also trying to protect the passport information of their passengers. This includes passport numbers, names, and dates of birth.
  • The protection of the data is important to prevent the information being accessed by fraudsters who may hack into the airline systems to steal it and sell the information to be used for fraud. The protection of this data is also important to prevent passengers from losing faith in the commitment of airlines to safeguard their data and in turn stop using the airlines, leading to losses and a slump in the company's stock value as a result of the negative effects of data breaches.
  • The passport names, numbers, and dates of birth can be used to make counterfeit passports which can be used by criminals to gain entry into countries as illegal immigrants or to commit a crime such as terrorism, human trafficking, and drug trafficking.

Airline Trade Secrets Data

Part 35 of 56

Cybersecurity Vulnerabilities - Aviation Industry

Three unique cybersecurity vulnerabilities for companies in the aviation industry are the open Wi-Fi networks on aircraft, the unencrypted and openly transmitted ACARS network and the particularly complex aircraft supply chain.

Aircraft Network

  • According to the defense trade publication RealClearDefense, one of the newest ways in which aviation companies are experiencing cyber-attacks is through the open Wi-Fi networks on aircraft, which allow communications or operations using the aircraft's network to be hacked or otherwise disrupted.
  • Specifically, the airline trade publication Aviation International News highlighted how this presence of unsecured networks amid highly sensitive customer and commercial operations leaves airlines and customers particularly vulnerable to both malicious and unintentional cyber threats.
  • For example, Satcom Direct's threat-monitoring system recently detected and addressed an infected computer, which nearly compromised an entire aircraft's network through the unintentional transfer of malware, while in a separate instance, hackers attempted to steal passwords and usernames for banking websites from fellow passengers during a commercial aviation trip.

ACARS Network

  • The aviation trade publication Aerospace America recently also highlighted the unencrypted and openly transmitted Aircraft Communications Addressing and Reporting System (ACARS) as another major and unique cybersecurity concern within the aviation industry.
  • Recognizing that the ACARS system is 40 years old and wasn’t designed to prevent cyber threats, it has been deemed possible by researchers that forged flight plan updates, false weather information and other fake messages could be sent through this messaging system.
  • Moreover, according to RealClearDefense, many aircraft connect ACARS to the Flight Management System, which could therefore expose sensitive information including navigation routes, databases and airfield details to hacking.

Aircraft Supply Chain

  • Meanwhile, the transportation consultancy SAE International as well as RealClearDefense also prioritized the increasingly complex and vital supply chain networks underpinning aircraft and other aviation systems as particularly vulnerable, given the unique level of complexity involved in constructing products across numerous countries, industries and firms.
  • Specifically, aircraft and aviation systems are often outsourced to multiple companies and belong to multiple stakeholders, which makes them more interconnected and therefore more vulnerable to cyber risks.
  • For example, the 3D-printed parts that are widely used on aircraft today could in and of themselves be compromised by the disruption or deletion of firmware, software or product designs, and in a manner that is hidden by the fact that many parties are often involved in constructing a single aviation product.

Part 36 of 56

Cybersecurity Compliance Standards - Aviation Industry

Some cybersecurity compliance standards currently in effect in the US aviation industry include the Cybersecurity Framework by the National Institute of Standards and Technology (NIST), the Federal Aviation Administration Reauthorization Act of 2018, the Federal Aviation Administration Safety and Security Act 2016 Section 2111, the National Strategy for Aviation Security (NSAS), the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and the Transportation Security Administration (TSA) Cybersecurity Roadmap. Details for each of these standards are outlined below.

1. Cybersecurity Framework by the National Institute of Standards and Technology (NIST)

  • The aviation Industry uses the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), which was released on February 12, 2013, after a US Executive Order 13636 to improve cybersecurity.
  • The framework consists of five core functions which are to identify, protect, detect, respond, and recover. They form the backbone of the framework core that all other elements are organized around.
  • The framework's five core functions help organizations manage a holistic cybersecurity program at a high level and make informed risk management decisions.

2. Federal Aviation Administration Reauthorization Act of 2018

  • This Act, which was passed in October 2018, required the Federal Aviation Administration to invest in technologies and infrastructure that provide national security and cybersecurity for travelers through better-connected airports.
  • The Act also addressed the cybersecurity issues affecting aircraft avionics systems, including software components.
  • It also brought into perspective the initiation of a Federal Aviation Administration strategic cybersecurity plan in the US.

3. Federal Aviation Administration Safety and Security Act 2016 Section 2111

  • This Act, which was passed in 2016, required the Federal Aviation Administration to reduce cybersecurity risks to the national airspace system, civil aviation, and agency information systems by developing a comprehensive and strategic framework of policies and principles.
  • The Act brings into consideration the interactions and interdependence of different components of aircraft systems and the national airspace system and thus a need for cybersecurity.
  • This Act also strengthens the cybersecurity of agency systems across the Federal Aviation Administration.

4. National Strategy for Aviation Security (NSAS)

  • The National Strategy for Aviation Security (NSAS) gives a framework for implementing a comprehensive and integrated approach to cybersecurity protection within the aviation domain and other aviation-related activities within the USA.
  • The National Strategy for Aviation Security (NSAS) also focuses on cybersecurity considerations for Radio Frequency (RF), given the increased use of computer and RF spectrum-dependent systems in the Aviation Ecosystem.
  • The National Strategy for Aviation Security supports cybersecurity risk management in the aviation infrastructure by owners and operators of the nation's critical infrastructure.

5. Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

  • On May 11, 2017, President Trump issued Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure to improve the nation's cyber posture and capabilities in the face of intensifying cybersecurity threats to its digital and physical security which included the aviation Industry.
  • The Executive Order secures the Federal networks that operate on behalf of the American people and encourages collaboration with industry to protect critical infrastructure that maintains the American way of life, which includes the aviation industry.
  • It also places a much-needed focus on building a stronger cybersecurity workforce that is key and critical in the nation's long term ability to strengthen its cyber protections and capabilities, which include the aviation Industry.

6. Transportation Security Administration (TSA) Cybersecurity Roadmap

  • The Transportation Security Administration (TSA) Cybersecurity Roadmap provides a robust framework for how TSA can operate within the cyber environment, ensure the security of its data and information technology systems, and ensure the protection and resilience of the Transportation Systems Sector (TSS), which includes the aviation industry.
  • The Transportation Security Administration (TSA) oversees and assesses the cyber posture of the aviation industry, conducts risk assessments of the industry, and focuses on the aviation industry's reporting of cybersecurity attacks.
  • The agency uses all statutory and regulatory authorities "... to ensure the resilience of the Transportation Systems Sector (TSS)," which includes aviation, both passenger and cargo.

Research Strategy

To provide information on cybersecurity standards currently required or practiced by the Aviation Industry in the US, we relied on government sources like the websites of the US Senate, Office of the President of the United States, Federal Aviation Administration, Transportation Security Administration, and NIST as some of the most credible resources. We then presented the required information in our findings section.

Part 37 of 56

Meeting Compliance Standards - Aviation Industry

The aviation companies Boeing, Airbus, American Airlines, Honeywell, and others are taking actions and initiatives like improving their security mapping, hiring regulation and cybersecurity auditors, creating cybersecurity teams, and more, to meet the current aviation cybersecurity standards.

Cybersecurity Framework by National Institute of Standards and Technology (NIST)

  • The aviation firm Boeing supports the NIST framework by improving its cyber-threat security through sharing best practices on attack recovery, detection, removal, and prevention; creating forums to share cyber information that can help minimize risk; giving voluntary support to the government; and implementing cybersecurity standards within the company.
  • The Aerospace Industries Association is working with Airbus and Boeing to implement cybersecurity measures that comply with NIST, such as analyzing the cybersecurity vulnerabilities of each aircraft and developing frameworks that provide a holistic view of cybersecurity in airplanes and business operations.
  • Airbus is redesigning its Industrial Control System (ICS) to make sure it covers the standards NIST requires, including keeping the asset inventory updated.
  • American Airlines has created a position whose holder is in charge of ensuring the company's compliance with NIST and PCI.

Federal Aviation Administration Reauthorization Act of 2018

  • The FAA Reauthorization Act of 2018 is already being put into practice by companies in the airline industry such as American Airlines.
  • At airports, the US Department of Transportation is already making sure that each airline publishes the number of motorized scooters and wheelchairs it loses, mishandles, or damages.
  • According to the New York Times, although the act has already been signed, its implementation has been delayed by lobbyists, but American Airlines has already launched a customer accessibility division that will make sure the requirements are met and customers with disabilities have a better experience.

Federal Aviation Administration Safety and Security Act 2016 Section 2111

  • The aviation firm Boeing is abiding by this regulation by keeping control of flight deck automation and creating a process that verifies that air carrier flight crew training programs include information about monitoring automated systems and manual flying skills.
  • It has also implemented metrics to measure the proficiency of its pilots and enhanced training on operational mode awareness and manual recovery from unintended autoflight.
  • The act is being followed even by international airline companies that operate in the US, such as the Latam Airlines Group, which has had its maintenance operations supervised and audited by international entities and local authorities such as the Federal Aviation Administration in the United States.

National Strategy for Aviation Security (NSAS)

  • To comply with the regulation, aviation companies are taking defense initiatives that guarantee their response to threats in the aviation ecosystem.
  • The partners of the Air Force, which are the aviation companies and manufacturers, are aware of the role they play in cybersecurity; however, over 10,000 senior executives revealed that the adoption of cybersecurity practices in their companies has been slow.
  • By 2016, only 40% of companies in the aviation and defense industry had designed a new security strategy.
  • However, unlike the executives, 85% of aviation CEOs have shown concern about cyberattacks.
  • Some measures that are being taken to comply with the regulation include training and evaluating the staff members on cybersecurity practices, monitoring the activities, mapping a data flow, and creating a plan to react when facing an attack.

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks

  • This executive order was integrated into the NSAS regulations, calling on the whole aviation industry to review its cybersecurity risk management efforts and create frameworks that protect systems and are ready for speedy recovery.
  • Part of the actions they are implementing include maximizing the awareness of their domain, anticipating threats, assessing vulnerabilities, strengthening the aviation security, promoting resilience, ensuring continuity, and enhancing the international cooperation.
  • Additionally, they are providing training about cyberthreats and criminal awareness to their employees, making sure they remind them of this on a daily basis.
  • They are also integrating the required standards with the ones of the company, creating cybersecurity teams, and investing in cybersecurity products.

Critical Infrastructure and Transportation Security Administration (TSA) Cybersecurity Roadmap

  • To follow up on the roadmap designed to improve cybersecurity in the transportation industries, the Aerospace Industries Association has created the Civil Aviation Cybersecurity Industry Assessment.
  • During the assessment they cover the actions, compliance, and recommendations that the different associate companies, like Boeing, Honeywell, Airbus, GE Aviation, and others are adopting to be compliant with the regulations, including the one from TSA for cybersecurity.
  • The actions they've taken include giving priority to fixing the identified gaps in cybersecurity, engaging with the government for improvement, and reaching out to international governments and industry leaders to negotiate their support on the implemented cybersecurity measures.

Research Strategy

Based on the "Cybersecurity Compliance Standards — Aviation Industry" analysis, the standards we are focusing on are the Cybersecurity Framework by National Institute of Standards and Technology (NIST), the Federal Aviation Administration Reauthorization Act of 2018, Federal Aviation Administration Safety, and Security Act 2016 Section 2111, National Strategy for Aviation Security (NSAS), Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure and Transportation Security Administration (TSA) Cybersecurity Roadmap.

To determine if the companies are meeting today's compliance standards, we looked for evidence of how they're applying them through the websites of the largest aviation firms in the country like Airbus, Boeing, General Dynamics Corporation, Honeywell International, Inc., Lockheed Martin, and United Technologies, and its subset, airline firms like American Airlines, Delta Airlines, Southwest Airlines, JetBlue Airlines, and United Airlines. We also searched through news, articles, and press releases.
Part 38 of 56

Cybersecurity Trends - Aviation Industry

The increasing demand for aviation cybersecurity, the usage of various strategies to strengthen the cybersecurity defense, and the numerous cybercrime attacks are the notable cybersecurity trends in the aviation industry. A more detailed explanation related to the aforementioned trends is attached below.

Increasing Demand

  • Many experts are concerned with the current cybersecurity in the US aviation industry. They believe that the cybersecurity defense in the United States needs to be improved.
  • The budget for President Trump's aviation cybersecurity reached $15 billion in 2019, whereas the United States Airport and Airway Trust Fund's budget for cybersecurity-related activities reached $32.4 million in 2019.
  • According to the Market Watch report, the aviation cybersecurity market is projected to register a CAGR of approximately 7.5% in 2019.
  • According to the reports of Business Wire, Mordor Intelligence, and PR Newswire, the aviation cybersecurity market is predicted to register a CAGR of 11% between 2019 and 2024.
  • The most commonly sought solutions for cybersecurity threats include the detection and the prevention of cyber-attack threats.

Strategies Used in Enhancing Aviation Cybersecurity System

Cybercrime Attacks in The Aviation Industry

Research Strategy

To determine the trends around cybersecurity or cloud cybersecurity in the aviation industry, we first reviewed the latest market reports and expert blogs from reputable sources, including Business Wire, Market Watch, Mordor Intelligence, and Veriato. We found that the market size of cybersecurity for the aviation industry increased over the year. From the same reports, we also gathered several insights into the factors contributing to the rise in cybersecurity market size, as well as the strategies used to strengthen cybersecurity defenses in the aviation industry. Using these insights, our research team was able to find more related information through articles, news, government reports, and studies from respected sources, such as the White House, NCBI, Computer Weekly, and Information Security Buzz. We also utilized advanced search engines to collect relevant data, including News Lookup, Google News, and Millie Northern Lights. Our research team specifically included information related to the United States aviation sector. The selection of these trends was based on the current issues widely discussed by experts, trusted news journalists, and researchers.
Part 39 of 56

Cybersecurity Breaches - Aviation Industry

Breaches at Delta Airlines, British Airways, American Airlines, and United Airlines are some examples of cybersecurity incidents in the aviation industry that involved data breach or data theft.

Breach #1: Online Chat Services For Delta Was Involved In A Cyber Incident.

  • Delta Airlines was notified by [24]7.ai, a company that provides online chat services for Delta, that [24]7.ai was involved in a cyber incident from September 26 to October 12, 2017.

Impact Of The Breach:

  • Reportedly, “the hacker could have scraped the names, addresses, and full credit card details of up to 825,000 U.S. customers,” and the airline is still not aware of any misuse of its customers' data.
  • During the time of the breach, the customer payment information for all [24]7.ai clients, including Delta's, was vulnerable and accessible.
  • The breach was limited to financial information; no other customer personal information, such as passport, government ID, security, or SkyMiles information, was impacted.

Financial Cost To The Organization Breached

  • The quarterly revenue fell from $11.061 billion on September 30, 2017, to $10.229 billion on December 31, 2017.
  • The share price of the airline during the period did not show much impact, moving from $48.46 on September 26, 2017, to $53.10 on October 12, 2017.
  • The vendor's failure to provide timely and complete information on the breach hindered Delta’s ability to proactively address the breach and communicate with its customers about the incident, thereby worsening Delta’s costs in responding to the Data Breach.
  • No details of the exact cost to the organization breached were mentioned in any reports, annual reports, and news articles published on the breach.

How The Organization Reacted To The Breach

  • Delta customers who were impacted were asked to visit the website and enroll in free protection services being offered.
  • The airline also contacted the affected customers by mail and also launched a phone line for them, apart from the free protection services being offered.

Breach #2: British Airways Customer Data Theft

  • The theft of customer data or data breach was seen at British Airways between 22:58 BST August 21, 2018, until 21:45 BST September 5, 2018, on their website, ba.com, and their mobile app.

Impact Of The Breach:

  • The data breach included personal and financial details of customers making bookings and changes on ba.com and the mobile app, but did not include travel or passport details.
  • The company released details that approximately 380,000 transactions had been affected.
  • An estimated 500,000 passengers who bought flights on the ba.com website or through the British Airways app, or made transactions involving Avios were impacted.

Financial Cost To The Organization Breached

  • The poor IT infrastructure that caused British Airways' 2018 data breach led to a steep fine of £183 million by the Information Commissioner's Office, which is equivalent to 1.5% of its global turnover.
  • It was also reported that the proposed penalty was a significant cost to British Airways, that is, approximately £4 for each passenger BA will carry in 2019, and that airlines might lose business if they increase fares to compensate for the steep fine.

How The Organization Reacted To The Breach

  • British Airways announced the data breach within a day of discovery, and provided specific details of who had been affected, and the kind of data that could have been compromised.
  • After the breach, Alex Cruz, the airline head, said he was “surprised and disappointed” by the ICO’s findings and that BA had responded quickly.

Breach #3: American Airlines Data Breach

  • American Airlines reported that unauthorized individuals used usernames and passwords obtained from third-party sources to access AAdvantage, the airline's frequent flier program.

Impact Of The Breach:

Financial Cost To The Organization Breached

  • In the U.S., the average organizational cost to a business after a data breach in 2019 is $8.19 million, an increase from $7.91 million in 2018 and the cost per breached record was $242.
  • The financial implications for American Airlines specifically were not revealed by the company, as the airline is working with U.S. federal law enforcement to investigate the matter further.

How The Organization Reacted To The Breach

  • American Airlines notified the affected customers and locked the accounts that may have been accessed without their authorization.

Breach #4: United Airlines Customer Flight Records Breached

  • According to Bloomberg, the breach was detected in May or June 2015 and involved flight manifests.

Impact Of The Breach

Financial Cost To The Organization Breached

How The Organization Reacted To The Breach

Research Strategy

To provide examples of cybersecurity breaches in the aviation industry from the U.S. or the EU region, the research team explored media publications and industry news from Forbes, Reuters, CNBC, Wired, the Independent, among others, as these sources are most likely to publish such breaches. We found several articles and news reports of data theft or data breaches at Cathay Pacific, Delta Airlines, British Airways, American Airlines, and United Airlines. We then used these examples, except Cathay Pacific, as it is based in Hong Kong and hence was out of the required regional scope.

We then dug deeper into the impact of each breach, the financial cost to the organization breached, and how the organization reacted to the breach for Delta Airlines, British Airways, American Airlines, and United Airlines through their respective websites, annual reports, CEO letters, and the above-mentioned third-party sources. As the major breaches occurred more than 24 months ago, we have included sources older than 24 months to provide a comprehensive overview of the topic.

Also, as most of the breaches did not come with a disclosed direct financial cost to the organization, we have included other metrics, such as the impact on revenue or share price, or the average cost of a breach for any company in the country, as the financial cost to the organization breached, along with substantial qualitative information on the cost or performance.
Part 40 of 56

Executive Summary - Cybersecurity in the Aviation Industry

Using the previously completed requests, we have compiled an executive summary of the cybersecurity analysis of the aviation industry, covering its importance, data protection, vulnerabilities, compliance standards, how companies meet those standards, trends, and breaches.

Executive Summary

Following is an Executive Summary of the Cybersecurity Analysis of the Aviation Industry:

The aviation industry must address cybersecurity issues due to the potential for a catastrophic disaster. Aircraft are increasingly connected to the Internet of Things and are becoming more vulnerable to cyber attacks. The air transportation infrastructure is considered part of the nation’s critical infrastructure. Threats such as terrorists, hostile nation-states, criminals, insiders, and foreign intelligence entities can use cyber space to infiltrate or damage the country's aviation ecosystem.

The aviation industry must protect credit card data and passport information from possible cyber attacks. As a highly competitive industry, companies are looking to protect airline trade secrets to prevent other companies from stealing the information and using it to gain a trading advantage. Protection of the data is also important to prevent passengers from losing faith in the commitment of airlines to safeguard their data and, in turn, stopping using the airlines, leading to losses.

Aviation companies are uniquely vulnerable to cyber attacks due to the open Wi-Fi networks on aircraft, the unencrypted and openly transmitted ACARS network, and the particularly complex aircraft supply chain. According to the defense trade publication RealClearDefense, one of the newest ways in which aviation companies are experiencing cyber-attacks is through the open Wi-Fi networks on aircraft, which enable all communications or operations using the aircraft’s network to be hacked or otherwise disrupted.

The aviation industry uses the Cybersecurity Framework developed by the National Institute of Standards and Technology, which was released on February 12, 2013, after US Executive Order 13636 to improve cybersecurity. The framework consists of five core functions: identify, protect, detect, respond, and recover. The aviation companies Boeing, Airbus, American Airlines, Honeywell, and others are taking actions and initiatives like improving their security mapping, hiring regulation and cybersecurity auditors, creating cybersecurity teams, and more, to meet the current aviation cybersecurity standards. Some measures being taken to comply with the regulation include training and evaluating staff members on cybersecurity practices, monitoring activities, mapping data flows, and creating a plan to react when facing an attack. Delta Airlines, British Airways, American Airlines, and United Airlines have all recently dealt with cyber attacks.

The increasing demand for aviation cybersecurity, the usage of various strategies to strengthen cybersecurity defenses, and the numerous cybercrime attacks are notable cybersecurity trends in the aviation industry.
Part 41 of 56

Cybersecurity Importance - Government Industry

Cybersecurity is important for players in the United States government for three main reasons: it helps protect critical operations and infrastructure, it helps protect sensitive and confidential information, and the number of cybersecurity incidents in government has increased. These are three of the top reasons behind the importance of cybersecurity in the public sector.

Protection of Critical Operations and Infrastructure

  • Cybersecurity in the public sector is important as it protects critical operations and infrastructure, such as energy systems, communications, transportation systems, and financial services, from being disrupted or jeopardized. It is important because malicious actors in cyberspace consider federal government networks prime targets.
  • The failure of the United States government to implement comprehensive and effective cybersecurity measures has rendered federal agencies and critical infrastructure vulnerable.
  • Vulnerabilities can result in cyber attacks or cybersecurity incidents that, in turn, can result in the disruption of critical operations. The country's economy and national security, and the health and safety of the public can also be threatened.
  • The protection of critical infrastructure is one of the cybersecurity goals of the United States Department of Homeland Security.

Protection of Sensitive and Confidential Information

  • Cybersecurity is vital in the protection of the massive amounts of sensitive, confidential, or highly personal information that government agencies hold.
  • The Department of Education, for example, holds the financial data of parents and students who have filed college loan applications, while the Department of Homeland Security collects and maintains information on citizens traveling overseas and returning to the country. If there are no appropriate controls, hackers can easily steal and use this information to their own advantage.
  • There are types of information that could be dangerous if they fall into the wrong hands. Information relating to national security is one example of such information.
  • To sustain public confidence, government agencies need to do a great job of protecting personally identifiable information (PII) such as medical records, taxpayer records, and social security numbers.

Increase in Cybersecurity Incidents

  • According to the Government Accountability Office (GAO), the country's watchdog agency, security threats have evolved and have become more sophisticated and destructive, and as a result, the number of cybersecurity risks has increased as well.
  • Government agencies should have cybersecurity systems in place to address this increasing number of cybersecurity risks.
  • In fiscal year 2017 alone, 35,277 cyber incidents were recorded by the country's federal civilian agencies. These cyber incidents included theft or loss of computing equipment, web-based attacks, and phishing. In fiscal year 2016, there were only 33,643 cyber incidents.
  • In March 2018, the Atlanta city government suffered a week-long sophisticated ransomware attack that demanded $51,000 in bitcoin in exchange for the decryption of the hostaged data. Days after, the 911 dispatch system of Baltimore was attacked by hackers, thus endangering the safety of the public.
  • New vulnerabilities can arise as a result of legacy or outdated information technology systems, the offensive cyber capabilities of threat actors such as China, Iran, and North Korea, or other factors.

Research Strategy

To determine why cybersecurity is important for players in the country's government, we examined what government agencies, media outlets, or organizations are saying about the topic. Government reports on cybersecurity, particularly those published by the Department of Homeland Security and the Senate Committee on Homeland Security and Governmental Affairs, turned out to be especially helpful because they provide some background information on the relevance of cybersecurity in the public sector. Articles published by organizations such as the Belfer Center, the Carnegie Endowment, and the AFCEA, offered some useful insights too. From these sources, we were able to identify that the most commonly mentioned reasons are to protect confidential information, protect critical infrastructure, and address the growing number of cybersecurity incidents in the public sector.

Part 42 of 56

Data Protection - Government Industry

Specific data that government-industry firms are trying to protect include military data, Social Security number (SSN) data, and artificial intelligence (AI) data.

Military Data

  • Securing military data is an issue of national security. With the advancement in technology in every avenue including the military, risks of various degrees are possible for the nation's critical infrastructure that connects different networks.
  • Over the years, the American government has placed advanced protection systems to safeguard military information. However, with the continued transformation of the ultra-connected 5G nation, the government understands that continued changes must be made to protect various classes of military information, organizational networks, and communication systems.
  • President Trump, along with the Federal Government revealed that they are committed to protecting the technology community, civil society, the private sector, along with their allies and partners, to increase security and protection of information systems.
  • On May 15, 2019, President Trump signed a 'Securing the Information and Communications Technology and Services Supply Chain' order. Through this order, the Secretary of Commerce was given full authorization to oversee and review communications technology and information that may cause risks to the United States' National Security.
  • In an attempt to safeguard military information, the Pentagon awarded Microsoft a 10-year, $10 billion contract to manage the country's military cloud computing services. The cloud contract, also referred to as the Joint Enterprise Defense Infrastructure (JEDI), was initially expected to go to Amazon Web Services, which currently manages the Central Intelligence Agency's cloud computing services.
  • Microsoft is creating two highly secure data centers located 500 miles away from each other to house secret military information of the United States. According to Microsoft's Lily Kim, the two hosting centers will offer geographic resilience in disaster recovery situations and will provide faster access to several services across the nation. The company revealed that its Azure Government Secret software can manage classified government information and "operates on secure, native connections to classified networks".

SSN or Social Security Number Data

  • A Social Security number (SSN) is a nine-digit number that is issued to every United States citizen and is the only proof of one's identity. According to the law, no one has access to one's SSN other than a person's employer, credit card companies, banking personnel, and other financial institutions.
  • Over recent years, high-profile information breaches have pushed countless SSNs into the online wilderness and the government, with the help of cybersecurity professionals, continues to explore new means of verifying people's identity.
  • To ensure that the SSNs of the country's citizens are well protected, the Social Security Administration began looking for firms to tokenize SSNs on official agency mail, earlier this year. This tokenization process will convert each SSN into a string of random characters that can later be decoded by government officials. This process is expected to protect citizens from social security fraud and identity theft.
  • Under the Social Security Number Fraud Prevention Act of 2017, federal agencies have been asked to stop printing SSNs on government mail after 2020. With the help of the proposed tool, the Social Security Administration can connect citizens to government records without having to reveal their SSNs.
  • In June 2020, the Social Security Administration will launch its pilot program to allow electronic verification of SSNs by banks and other financial institutions. This was a requirement under the Economic Growth, Regulatory Relief, and Consumer Protection Act that was signed in 2018.
  • The act was portrayed in the legislation as an anti-fraud measure and requires individuals to provide signed documents giving consent to validate their Social Security number. The act also states that recent immigrants and minors are likely to be most susceptible to the fraudulent use of SSNs.
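As an added illustration of the tokenization approach described above (example code written for this page, not the report's or the Social Security Administration's own tool), the sketch below keeps a vault that maps each SSN to a random token, substitutes the token for the SSN in an outgoing letter, and only lets an authorized role turn a token back into an SSN. The role names, token format and in-memory store are assumptions for the example.

```python
import re
import secrets
import string

# Format check for a US SSN in the printed form AAA-GG-SSSS. Area 000, 666 and
# 900-999, group 00 and serial 0000 are never issued, so they are rejected.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 12
AUTHORIZED_ROLES = {"ssa_official"}   # hypothetical role name for the example


class TokenVault:
    """Maps SSNs to random tokens and back.

    A token is drawn from a CSPRNG and carries no information about the SSN,
    so a letter that leaks (or a mail vendor that handles it) exposes nothing;
    the SSN can only be recovered through the vault, which is the one
    component that has to be protected. A real vault would be encrypted at
    rest and access-controlled; this in-memory dict is an assumption made
    to keep the example self-contained.
    """

    def __init__(self):
        self._ssn_to_token = {}
        self._token_to_ssn = {}
        self.audit_log = []   # (action, token, role) tuples

    def tokenize(self, ssn: str) -> str:
        """Return the token for an SSN, minting one on first use."""
        if not SSN_RE.fullmatch(ssn):
            raise ValueError("not a well-formed SSN")
        # One token per SSN, so the same citizen can be matched to the same
        # record across letters without the SSN ever being printed.
        token = self._ssn_to_token.get(ssn)
        if token is None:
            token = self._new_token()
            self._ssn_to_token[ssn] = token
            self._token_to_ssn[token] = ssn
        self.audit_log.append(("tokenize", token, None))
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Recover the SSN behind a token; only authorized roles may do so."""
        if role not in AUTHORIZED_ROLES:
            self.audit_log.append(("denied", token, role))
            raise PermissionError(f"role {role!r} may not detokenize")
        ssn = self._token_to_ssn.get(token)
        if ssn is None:
            raise KeyError("unknown token")
        self.audit_log.append(("detokenize", token, role))
        return ssn

    def redact_letter(self, text: str) -> str:
        """Replace every SSN in an outgoing letter with its token."""
        return SSN_RE.sub(lambda m: self.tokenize(m.group(0)), text)

    def _new_token(self) -> str:
        # Loop until the random token is unused (collisions are negligible
        # at this length, but the check keeps the mapping one-to-one).
        while True:
            body = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            token = "T-" + body
            if token not in self._token_to_ssn:
                return token


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample letter; the SSNs are made up for the example.
    letter = "Our records for 123-45-6789 were updated on 2020-01-15."
    redacted = vault.redact_letter(letter)
    print(redacted)
    token = vault.tokenize("123-45-6789")
    print(vault.detokenize(token, role="ssa_official"))
    try:
        vault.detokenize(token, role="mail_vendor")
    except PermissionError as exc:
        print("blocked:", exc)
```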

Artificial Intelligence Data

  • It is expected that artificial intelligence (AI) will have a large impact on the economy of the United States, national security, and various aspects of society. Thus, the Federal Government, agencies, and society need to stay focused on its protection. The nation's Department of Defense has been actively exploring an array of initiatives in this domain.
  • On February 11, 2019, President Trump issued an executive order that focuses primarily on artificial intelligence and the need to protect the assets of the nation and its allies. The order requires federal agencies to develop plans to protect AI assets through five specific principles. Objectives of the executive order include the protection of critical AI assets from acquisition by adversarial nations and strategic competitors, ensuring technical standards to minimize unique vulnerabilities, and the protection of AI assets from both physical and cybersecurity threats.
  • The executive order also addresses the connection between big data and AI by stating that access to fully traceable and high-quality Federal data, computing resources, and models must be enhanced to increase their value for AI research and development while ensuring safety, privacy, confidentiality, and security with applicable policies.
  • The government is working toward ensuring its continued presence as a global leader in AI by developing the technology in a manner that is consistent with the country's policies, values, and priorities. The various regulatory agencies of the United States have been directed to establish guidelines for the development of AI technology and its proper use across industrial sectors and other technologies.
Part 43 of 56

Cybersecurity Vulnerabilities - Government Industry

Limited agency situational awareness, lack of standardized IT capabilities, limited network visibility, and lack of accountability for managing risks are the four unique cybersecurity vulnerabilities for firms in the government industry.

1. Limited Agency Situational Awareness

  • According to OMB’s assessment, federal agencies charged with defending networks often lack timely information regarding the tactics, techniques, and procedures that threat actors use to exploit government information systems.
  • In fact, US government agencies have only a limited ability to see and understand what is going on across the agency, so limited that agencies could not identify the method of attack, or attack vector, in 11,802 of the 30,899 cyber incidents (38 percent).
  • In addition, OMB determined that only 59 percent of agencies had the capability to communicate cyber risks across their departments succinctly.

2. Lack of Standardized IT Capabilities

  • Another unique cybersecurity vulnerability of US government firms is the lack of standardized cybersecurity processes and IT capabilities, which impacts their ability to gain visibility and combat threats effectively.
  • The lack of standardization and access to common capabilities means that these agencies cannot apply a single solution to address specific cybersecurity challenges and eventually reduce their overall attack surface.
  • OMB's report found that US government agencies often operate numerous email services, increasing their susceptibility to phishing attacks; one agency had 62 separate email services, making it virtually impossible to track and inspect inbound and outbound communications across the agency.

3. Limited Network Visibility

  • The OMB's report identified that US government agencies lack visibility into what is occurring on their networks, and especially lack the ability to detect data exfiltration.
  • The report also identifies that a large volume of US government data can be stolen, since just 27% of the examined agencies reported that they could detect and investigate unauthorized attempts to access large volumes of data. Thus, the remaining 73% of agencies lack this network visibility.
  • In addition, even agencies that can detect data breaches may not be able to respond adequately because only 30% of the agencies have predictable, enterprise-wide incident response processes.

4. Lack of Accountability for Managing Risks

  • The OMB's report found that US government agencies lack standardized and enterprise-wide processes for managing cybersecurity risks because CIOs often do not have the authority to make organization-wide information security decisions despite the authorities granted to CIOs in FISMA and FITARA.
  • OMB and the IGs have repeatedly found that senior-level visibility and authority are necessary to drive consistent improvement in agency cybersecurity. However, the agency risk assessments, OMB’s oversight processes, and IG and GAO reports all show that awareness and accountability for managing cyber risks are uneven across the Federal enterprise, thus resulting in a lack of senior accountability for cybersecurity risks.

Research Strategy

In order to identify four unique cybersecurity vulnerabilities for firms in the US government industry, the research team searched through government articles, reports, and studies from trusted resources such as the United States Government Accountability Office and Whitehouse.gov, among others. We identified OMB's published Federal Cybersecurity Risk Determination Report and Action Plan, issued in accordance with Executive Order 13800. After exhaustively examining the report, we were able to list four unique cybersecurity vulnerabilities. We then provided additional information for each vulnerability from trusted resources such as Tripwire.com, Infosec Institute, and Splunk. These cybersecurity vulnerabilities were identified as unique because they were issued as primary findings based upon OMB’s risk assessment. In addition, the report was based on the 96 US government agencies participating in the risk assessment process whose cybersecurity programs are either at risk or high risk.
Part 44 of 56

Cybersecurity Compliance Standards - Government Industry

The Federal Information Security Modernization Act of 2014 (FISMA), Cybersecurity Framework, Federal Risk and Authorization Management Program (FedRAMP), Federal Information Processing Standards 199 (FIPS 199), and Federal Information Processing Standards 200 (FIPS 200) are some of the compliance standards currently required or practiced by the US government and industry.

KEY FINDINGS

Cybersecurity Compliance Standards: Government Industry

1) The Federal Information Security Modernization Act of 2014 (FISMA)

  • In 2002, the US Congress passed the Federal Information Security Management Act of 2002 because it recognized the importance of protecting government information. The Federal Information Security Modernization Act of 2014 has since replaced the 2002 act.
  • The FISMA 2014 requires the head of each Federal agency to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.
  • FISMA 2014 puts the US Office of Management and Budget (OMB) in charge of federal cybersecurity, requires agencies to provide cybersecurity training for employees, and mandates agencies to develop procedures for identifying, reporting, and responding to cyber incidents.

2) The Cybersecurity Framework by the National Institute of Standards and Technology (NIST)

  • The Cybersecurity Framework was developed by the National Institute of Standards and Technology (NIST) through US Executive Order 13636, released on February 12, 2013, to build a set of current and successful approaches—a framework—for reducing risks to critical infrastructure.
  • The Cybersecurity Framework is a voluntary risk-based set of industry standards and best practices to help organizations manage cybersecurity risks.
  • The framework’s core has five functions that are simplified as identify, protect, detect, respond, and recover.

3) Federal Risk and Authorization Management Program (FedRAMP)

  • The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized government-wide approach to security assessment, authorization, and continuous monitoring of cloud services.
  • FedRAMP compliance standards help US government agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based technologies.
  • They create a set of processes to provide successful and repeatable cloud security for the government.

4) Federal Information Processing Standards 199 (FIPS 199)