Lawyers Find Their Roles in Cybersecurity
© ERO Insider
Lawyers' roles in ensuring utilities' cybersecurity were the topic of a panel discussion at last week's Energy Bar Association Mid-Year Forum in D.C.

By Rich Heidorn Jr.

WASHINGTON — They may not know how to design firewalls or recognize malware, but lawyers are nonetheless essential to companies’ cybersecurity protections, says Paul Tiao, co-chair of Hunton Andrews Kurth’s energy sector security team.

“Lawyers have an incredibly important role when it comes to cybersecurity. That’s becoming increasingly understood,” Tiao told the Energy Bar Association Mid-Year Energy Forum on Wednesday. “Whether you’re trying to help your company develop the right governance structure, or trying to make sure you have the right information security policies; helping your IT folks to identify sensitive systems where your crown jewels are; whether you’re developing an incident response plan, that has an important role for lawyers.”

Tiao said lawyers still face challenges in winning the trust of their technology and information security teams, however. “The perception still among folks from IT … is that lawyers are to be avoided, that lawyers are a problem and that lawyers just say ‘no.’ And the reality here is that lawyers can help make the lives of our IT and information security folks much better.”

But Laura Schepis, senior director of security policy for the Edison Electric Institute, said utility security professionals can find themselves torn between “two masters.”

“One is this ethic that’s come up since Y2K about information sharing. We are prompted by good … organizations like our Electricity [Information Sharing and Analysis Center] to share about threats and vulnerabilities. ‘Share until it hurts’ is often heard in security conferences. And so, when you detect that a thing on your system is bad, one angel on your shoulder says, ‘Share until it hurts.’

“On the other shoulder is the general counsel saying ‘but don’t use the name.’ And the other angel says, ‘If I can say the name, then my peers across the country would know … what component [I’m] talking about.’”

Contracts

One of lawyers’ key roles is negotiating contracts with cybersecurity vendors or other service providers, Hunton partner Andrew Geyer said.

Disputes can arise over everything from the definition of a “security event” to the speed at which notices of such events are made. Audit rights to ensure “the vendor is actually doing what they’ve contractually agreed to do” can also be challenging, he said.

“It’s probably going to be more of a records-type audit. It’s not going to be what you’re probably looking for, which is more of an on-site audit to look behind the curtain and say: I want to verify the integrity of my data. I want to verify the policies and procedures and controls that you have in place.”

As an alternative, companies can rely on third-party audits or certifications, such as system and organization controls (SOC) audits, Geyer said.

Strict liability for breaches is “almost impossible,” Geyer said, but companies can protect themselves by adding a negligence standard.

Geyer used the example of hiring someone to protect your car from being stolen. “I say you need to lock the doors; you need to roll up the windows. You need to park it in a safe area. Those are your obligations to keep my car safe. And then my car gets stolen and, lo and behold, we find out they left the sunroof open. Well, common sense would say I didn’t have to write ‘shut the sunroof’ [into the contract]. It’s pretty obvious. So that’s why you try to get that negligence standard built in with the breach of contract to bridge that gap between the more strict liability and the breach of agreement that the vendors always look for.”

It’s also essential to ensure the vendor faces financial consequences for failures, Geyer said.

“If your normal damages are ‘x,’ the vendor may be willing to go to 2x, 3x, 4x if it relates to a security event. Sometimes that formula works fairly well. If you’re doing a large outsourcing deal where there’s a lot of money on the table, 2x can be a lot of money. If you’re doing a small [software as a service] deal and you’re not paying the vendor a lot — but yet what they’re providing to you is critical to your operation … 10x may not even be close to what the potential damages could be. So, what you try to do is get some sort of bounds: What is enough skin in the game for the vendor that this will incentivize them to comply with the terms of the agreement?”

Several speakers discussed supply chain concerns during the conference, which happened to fall in the same week as responses to NERC’s data request on “the nature and number” of low-impact bulk electric system cyber systems. The data request was a recommendation of the staff supply chain report approved by the board in May. (See “Supply Chain Report Recommends Expanding Standards,” NERC Standards News Briefs: May 8-9, 2019.)

Hunton partner Ted Murphy said entities should expect additional obligations regarding supply chain issues.

“NERC staff reports … are recommending that responsible entities go beyond the strict letter of the standards and … trying to protect low-impact systems on a best-efforts basis. … That’s not a mandatory and enforceable requirement, but it’s something that’s a current issue. Whenever you have NERC encouraging something, it can become a de facto kind of compliance obligation.”

Tobias Whitney, a cybersecurity specialist for the Electric Power Research Institute, said entities face questions over the security of hardware deliveries — ensuring that what they receive is what the vendor sent — and the provenance of equipment. “Who are the suppliers’ suppliers?” he asked.

“One of the biggest challenges that we see in the industry today is not necessarily your tried-and-true, highly recognizable third-party vendors. … They’re going to provide you evidence of what they’re doing from a compliance … and security perspective. But there’s so many new players now at the grid edge when we’re talking about distributed energy resources, solar PV, electric vehicles [and] the distribution side. So how do we bring them into the loop?”

One solution is “threat modeling,” Whitney said, noting that not every supplier provides the same level of risk.

“I know we have high-, medium- and low-[risk], but I think we need to think … with a little bit more granularity,” he said. “Which systems have direct command and control capability on the grid?”

Whitney agreed that third-party accreditation can be one tool. “But how do we get there? … You look at a SOC 2 audit. What does that tell you about a relay at one of your most critical substations? … We need to get from vendor accreditation to a product-level, or a system-level accreditation. … At the end of the day, we’re managing products and systems on the grid — that’s what keeps our lights on.”
