New analysis indicates that critical infrastructure operators are ill-prepared to deal with cyber attacks. That reinforces the Government Accountability Office (GAO) report earlier this year, which found that the Tennessee Valley Authority, the nation's largest public power company, serving over 8.7 million people, is vulnerable to cyber attacks. One just-released study asked respondents to rate the state of readiness to defend against IT threats in eight different industries. The results showed that 50 percent of respondents said that the utilities, oil and gas, transportation, telecommunications, chemical, emergency services and postal/shipping industries were not prepared. The energy sector emerged as the most vulnerable target. So it is no wonder the Department of Homeland Security (DHS) is once again moving to address the threat to our nation's critical infrastructure.
DHS is looking for public input as it prepares for next year's release of a revised version of the National Infrastructure Protection Plan (NIPP), thus updating the 2006 version of the plan. The federal government has sought to actively engage the private sector in a number of industries to address the threat of cyber attacks. Originally, the federal government identified seventeen critical infrastructure areas and designated federal agencies to be in charge of creating plans as well as overseeing collaborative efforts to protect those areas. It should be noted that earlier this year DHS announced that it also had designated critical manufacturing as an additional sector.
One industry insider, speaking to me on the promise of anonymity, said: "Utility executives are not going to spend money on defending their systems against cyber attacks. When they do, they decrease the financial performance of the company and that subtracts from the executives' bonuses." So is this yet another group of businesses that are going to the Federal Government looking for a handout?
Cyber attacks against utilities are not just theoretical; they are real. Earlier this year there were dozens of reports stating that CIA senior analyst Tom Donohue told a gathering of 300 US, UK, Swedish and Dutch government officials, engineers and security managers from electric, water, oil & gas and other critical industry asset owners that "Cyber Attack Caused Multi-City Power Outage." Cyber attacks against utilities are now a foreseeable risk.
Foreseeable risk (a legal term): a danger which a reasonable person should anticipate. Foreseeable risk is a claim commonly put forward in lawsuits for negligence (a tort).
We sought out a legal opinion and got one.
"The significant media attention being given to the threat of cyber attacks, as well as the fact that a number of high-ranking government officials have warned about this threat, suggests that corporations have a duty to assess their exposure to this risk and create a cyber risk mitigation strategy. Failure to do so could constitute negligence due to the fact that in this day and age, cyber attacks are reasonably foreseeable," said attorney Fred Rice, who specializes in corporate legal issues.
FACT: Tort litigation costs have reached nearly $300 billion annually.
But how far could the legal action go? I posed the following scenario to Edward Maggio, professor of criminal justice at the New York Institute of Technology. Scenario: A cyber attack directed against an electrical utility causes a power spike and outage. The spike and outage damage a piece of life support equipment, resulting in the death of a patient relying on the device.
Given the above scenario, if the electrical utility did not take appropriate action to protect against such attacks, could the utility be held accountable?
"While culpability for the impact resulting from cyber attacks is a somewhat uncharted area of law, legal action against a power utility will be based on negligence. Hackers who engage in a successful cyber attack against a power utility have likely made previous attempts against a chosen target. Such previous attempts would serve as evidence that a power utility had a duty to mitigate and protect itself from cyber attacks," Maggio said.
He went on to explain that it is clear that any utility that fails to appropriately plan for or respond to the increased threat of cyber attacks is failing in its duty to protect the general public. Anyone harmed as a result of a cyber attack against a utility may have a cause of action (grounds for a lawsuit) if the harm resulted from the power utility's failure to increase its cyber security.
Will it take a major cyber attack with litigation before the necessary steps are taken to protect our critical infrastructure? It sure looks that way.