Coal Age

SEP 2018

Legally Speaking: Mining is Critical Infrastructure
by Erik Dullea

There are two types of companies in America — those who have been hacked and those who don't know they've been hacked. The gravity of this statement is even more troubling for the mining industry and your role in the nation's critical infrastructure. The connection between coal and critical infrastructure should be obvious: imagine the chaos and panic that would arise if large American cities were deprived of electrical power for weeks on end. Running water and transportation systems would fail, businesses would close, and food shortages would begin.

Federal law defines critical infrastructure as the "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety." Coal-fired electrical plants, the coal that supplies them, and the railroads that deliver the coal are part of our critical infrastructure. Homeland Security is responsible for identifying those systems where a cybersecurity incident could reasonably have "catastrophic regional or national effects on public health or safety, economic security or national security."

Although mining companies spend significant time and resources on physical safety and security, they also need to address virtual safety and security. Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems enable modern industries to operate in a safe, reliable manner, but they are increasingly targeted by cyberattacks precisely because they are vital to critical infrastructure. ICS and SCADA attacks are especially worrisome because compromising those systems can cause physical damage to equipment and harm to personnel.

Who is the Threat?

The FBI categorizes cyber threats into three groups: organized crime rings; foreign governments stealing intellectual property and research and development data from manufacturers; and terrorist groups intent on causing harm. In recent years, criminal and terrorist cyberattacks have shifted away from federal agencies and financial institutions and toward city governments and hospitals. The impetus for the shift is that the former have invested in cyber protection while the latter have not, even though cities and hospitals are vulnerable because they rely on computers to function. Another form of cyberattack is business email compromise — scamming employees into sending payments and fund transfers to criminals' bank accounts.

Most companies view preparing for cyberattacks as a drain on the balance sheet. However, corporate leaders have legal and fiduciary responsibilities to protect customer and employee data, payment card industry (PCI) data and shareholder value. Early planning can have a positive effect on the company's financial performance when the company experiences its first cyberattack, and that attack will happen.

How do we Prepare?

Adopting a mindset that your company will experience a cyber incident, developing a response plan and rehearsing that plan gives your company the best chance to limit the damage, resume production, and aid law enforcement in identifying the people involved. Consider applying the following checklist to design your plan or to review an existing plan.

- Identify the company's crown jewels: the software, systems, and data that the company must have to continue operations and survive.
- Separate your administrative (e.g., payroll) and operational (e.g., ICS/SCADA) networks from each other so a breach of one does not contaminate the other.
- Develop a plan that contains actionable items. It can mirror your accident/emergency response plan, with detailed steps that include the names or titles of the individuals who perform specific tasks and when those tasks need to be performed.
- Invest in employee training to protect the company's networks, and obtain the required authorizations to monitor those networks. Employees must understand that they play a vital role in protecting the company from cyberattacks.
- Invest in network protection equipment to detect and limit the harm caused by a cyberattack, including intrusion detection systems, devices for filtering and scrubbing email traffic, off-site data backup locations and data loss prevention techniques.
- Ensure your general counsel is familiar with your cyber incident response plan. Consider giving the company's information security expert a direct-line report not only to the chief information officer but also to the general counsel. This enables risk mitigation discussions and early response activities to be covered by attorney-client privilege.
- Align other company policies with the cyber incident response plan objectives, including the notification requirements if a cyberattack is suspected.
- Verify your law enforcement points of contact well in advance of a real incident; these would likely be at the closest FBI field office.
- Brief the plan to the owners/board of directors who are responsible for risk management.
- Review the plan annually at a minimum.
- Rehearse the plan with simulated cyber incidents and data breaches. Companies think they can seamlessly transition to their backup systems, but in most cases they discover the recovery process is much harder than imagined.

Husch Blackwell partner Erik Dullea is a retired military intelligence officer. He will complete his master's degree in cybersecurity law this year.
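The segmentation item in the checklist, keeping a breach of the administrative network from contaminating the operational one, is the one control here that can be verified mechanically rather than by policy review. The Python script below is an added example, not code from the column or from Husch Blackwell: it takes a handful of constructed firewall flow records, maps each address to an assumed zone (admin, OT, DMZ), and reports every cross-zone flow that is not on a short allowlist, for instance an office workstation reaching a PLC directly over Modbus or RDP instead of through the jump host. The subnets, ports, allowlist and records are all assumptions for illustration.

```python
"""Flag traffic that crosses the administrative/OT boundary without using
an approved path.

Added example, not code from the Coal Age column.  The zone map, the
allowlist and the flow records are constructed for illustration; a real
deployment would read firewall or NetFlow exports and its own network
documentation.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical zone map.  The column only says to separate administrative
# and operational networks; these address ranges are assumptions.
ZONES = {
    "admin": ipaddress.ip_network("10.10.0.0/16"),  # payroll, email, office PCs
    "ot":    ipaddress.ip_network("10.50.0.0/16"),  # ICS/SCADA: HMIs, PLCs
    "dmz":   ipaddress.ip_network("10.30.0.0/24"),  # jump host, historian replica
}

# Hypothetical allowlist of the only cross-zone flows that should exist:
# (source zone, destination zone, destination port).  Any other flow
# between zones is treated as a segmentation violation.
ALLOWED_CROSS_ZONE = {
    ("admin", "dmz", 443),   # engineers reach the jump host over HTTPS
    ("dmz",   "ot",  22),    # jump host reaches OT assets over SSH
    ("ot",    "dmz", 5432),  # historian replication flows out of OT only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Return the zone name for an address, or 'unknown' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def find_violations(lines):
    """Return (src_zone, dst_zone, flow) for every flow that crosses a zone
    boundary and is not allowlisted.  Traffic that stays inside one known
    zone is ignored; traffic touching an address outside the zone map is
    reported too, so gaps in the map become visible instead of silent."""
    violations = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = parse_flow(line)
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz == dz and sz != "unknown":
            continue
        if (sz, dz, f.dport) in ALLOWED_CROSS_ZONE:
            continue
        violations.append((sz, dz, f))
    return violations


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """\
# src           dst            dport proto
10.10.4.21      10.10.8.5      445   tcp
10.10.4.21      10.30.0.10     443   tcp
10.30.0.10      10.50.2.7      22    tcp
10.10.4.21      10.50.2.7      502   tcp
10.50.2.7       10.30.0.10     5432  tcp
10.10.7.3       10.50.3.1      3389  tcp
10.50.2.7       8.8.8.8        53    udp
""".splitlines()

if __name__ == "__main__":
    for sz, dz, f in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {sz}->{dz}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Run directly, the script reports the two office-to-PLC flows (Modbus on 502 and RDP on 3389) and the OT host resolving DNS on the public internet, while the allowlisted jump-host and historian paths pass. Keep the allowlist as short as the business can tolerate; every entry on it is a path an intruder on the administrative side can also use.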
