FTC Ruling Puts ICS Firms on Alert

Wednesday, August 26, 2015 @ 05:08 PM gHale

By Gregory Hale
An appellate court Monday ruled the Federal Trade Commission (FTC) has the legal right to sue companies that fail to protect their customers’ data with proper cyber security measures.

While the ruling was the result of a legal complaint and lawsuit by the FTC against Wyndham Hotels for failing to protect customer details, the effects could end up being felt in the manufacturing automation sector along with other industries where companies blatantly ignore security safeguards.

This decision from the Third U.S. Circuit Court of Appeals is a legal confirmation of the FTC’s power over cyber security issues, and not “government overreach” as Wyndham claimed.

Wyndham holdings suffered hacks three times in two years and the company failed to put security measures in place after each incident.

“I think this will be seen and acted upon by the corporate sector first, but I think it will eventually move into the ICS (Industrial Control System) space,” said Graham Speake, vice president and chief product architect at NexDefense, Inc. “I am seeing more and more companies actually performing assessments of the ICS environment. While some of this is due to NERC CIP and NRC regulation, I am seeing more and more companies using the NIST framework as a basis for good security practices in this space. As auditors come to grips with the FTC ruling, they will start to want to ensure that all parts of the business are adhering to it.”

The genesis of the NIST framework started in February 2013 when President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order calls for the development of a voluntary, risk-based Cybersecurity Framework — a set of existing standards, guidelines and practices to help organizations manage cyber risks. The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.

The National Institute of Standards and Technology (NIST) was charged with putting the framework together. The framework, released in February 2014, provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cyber security programs.

Security veteran John Cusimano, director of industrial cybersecurity at aeSolutions, said the court ruling allowing the FTC to investigate companies’ security measures could affect the industry down the road.

“I hadn’t thought about it much until I attended a presentation by Paula deWitte at the API IT Security conference last fall,” Cusimano said. “She talked about how the NIST Cybersecurity Framework, while voluntary, established a ‘duty of care.’ She explained that in tort law, a duty of care is a legal obligation which is imposed on an individual requiring adherence to a standard of reasonable care while performing any acts that could foreseeably harm others. It is the first element that must be established to proceed with an action in negligence.

“Based upon this I believe that if there is an industrial cyber security incident where someone gets injured or killed and the company blatantly ignored the NIST Framework and the referenced industry standards (e.g. ISA 62443) that the company may be sued for negligence.”

Dewan Chowdhury, founder and chief executive at security provider MalCrawler, sees a time when regulators will get more involved.

“All the major hacks in the US have really affected the IT side of the house which in return have caused legal issues from customer data leakage to affecting stock prices,” Chowdhury said. “The day when an OT asset is hacked and it causes spills, power outages, dirty water, etc. then we will deftly see the regulators act.

“FTC has jurisdiction over the loss/theft of PII data, but in the world of ICS there is not one single entity/authority that has power over all the main ICS operators and their sectors. The lack of a single regulatory body that oversees all industry is what is delaying/stopping cyber regulations across the industry.”

Boards a Part of Discussion
On top of the court decision, and fearing legal repercussions, boards of directors are starting to get more involved and forcing a stronger security presence.

In an article that ran in the Harvard Law School Forum on Corporate Governance, David A. Katz, a partner at Wachtell, Lipton, Rosen & Katz, said the “board of directors always sets the ‘tone at the top.’ The board should clearly communicate to senior management its sense of the need to address cyber security issues and create a culture that views cyber security as ‘a corporate social responsibility.’ As Howard A. Schmidt, the nation’s first Cyber Security Coordinator (appointed by President Obama in 2009), stated recently, ‘[W]hile there is a cost to doing more to improve cyber security, there is a bigger cost if we do not and that cost is measured not only in dollars, but in national security and public safety.’ With this in mind, boards should foster an environment that respects the importance of cyber security, including heightening awareness of security risks and encouraging the reporting of security incidents.”

“There is serious concern among those that serve on a board of directors that they may be held criminally liable for cyber security incidents,” Cusimano said.

“In fact, several of the ICS cyber security assessment projects we did this year were commissioned by the BoD (Board of Directors),” he said. “We have been fortunate that these companies recognize the need to have these studies performed by a company that specializes in ICS cyber security and not just general IT cyber security. Far too many companies rely on the Big Four auditing firms who claim to know how to perform an ICS cyber security audit but don’t have the necessary specialization or understanding of the OT environment.”

With a lack of Congressional mandates for cyber security coming out of Washington, agencies taking on security issues seems the next logical step. While the process may be slow, it could encourage more companies to start, and then establish, an ongoing plan.

“As the lack of security in the ICS space is getting more and more attention,” Speake said, “I think this will push end users to look at their security programs in this space.”