Beyond CIP Compliance: Managing Cyber and Physical Security Risk

Nov. 16, 2015
CIP standards do not eliminate the risk of highly damaging or catastrophic cyberattack for electric utilities.

Although the Critical Infrastructure Protection (CIP) standards are improving the electric industry’s defenses against damaging cyberattacks (in spite of what certain “experts” in this area continue to claim), they do not eliminate the risk of highly damaging or catastrophic cyberattack for electric utilities.  Indeed, even the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), and the Regional Entities recognize that the CIP standards must continually evolve to keep up with new threats, and that they will leave gaps in protection while they are in the process of being updated.

Furthermore, the CIP standards enshrine, and therefore promote, a largely reactive defensive posture, an outcome that is reinforced by the FERC/NERC enforcement regime and its emphasis on proving compliance and avoiding compliance penalties.  This outcome presents a striking contrast with the more proactive, dynamic, and expansive approach to cybersecurity reflected in the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework and the Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model (“C2M2”).  Therefore, even with full CIP compliance, traditional electric utilities and other electric industry participants, as well as the vendors that provide such companies with information technology (“IT”) and cybersecurity infrastructure, face residual cybersecurity risks, and associated liability concerns.

The purpose of this paper is to highlight a little-known statute, the Support Anti-Terrorism by Fostering Effective Technologies or SAFETY Act, and the ways in which electric utilities and their IT and cybersecurity vendors can leverage that statute to manage their risks of liability arising out of cyber threats.  As described below, the SAFETY Act provides a mechanism for electric utilities and their vendors to limit their potential liability for the consequences of a cyberattack.  In contrast to the regulatory stick presented by the CIP standards, the SAFETY Act provides electric utilities and their vendors with the opportunity to obtain a significant and highly-valuable carrot, liability limitations, in exchange for enhanced cybersecurity practices and protections.  These liability limitations, which are valuable in their own right, offer substantial secondary benefits, including reduced insurance costs and more robust insurance coverage.  The following discussion explains what the SAFETY Act is, and how it applies to electric utilities and their vendors.

What is the SAFETY Act?

Congress passed the SAFETY Act as part of the Homeland Security Act of 2002 in order to encourage the development and deployment of anti-terrorism products and services (referred to in the statute as “technologies”) by granting various risk management protections.  The statute protects sellers of new, as well as established, technologies that are needed to combat terrorism and remove impediments to bringing such technologies to and/or maintaining their place in the market.  It accomplishes this by establishing two levels of protection from third-party liability – Designation and Certification – that may arise from injury, loss of life, or damage to property or businesses arising out of an “Act of Terrorism” where the applicable “technology” is deployed in defense against, response to, or recovery from such an act.[1]

For a technology that has been granted Designation, third party liability for damages arising out of an act of terrorism is capped at the level of the applicant’s insurance coverage, which the Department of Homeland Security’s Office of SAFETY Act Implementation (“OSAI”) determines as part of the application process.  A grant of Designation[2] by OSAI also carries with it a series of additional risk mitigation measures, including:

  • Exclusive jurisdiction in Federal Court for all lawsuits;
  • A bar against punitive damages and pre-judgment interest;
  • A limitation on non-economic damages; and
  • Liability only in proportion to the responsibility of the seller of the technology.

Certification provides the same protections as those provided by Designation, with the important addition of complete immunization from liability via the Government Contractor Defense.[3]  The assertion of this defense can only be rebutted by proving with clear and convincing evidence that fraud or willful misconduct occurred by the seller in submitting information to DHS.  Each certified technology also is designated as an “Approved Product for Homeland Security” by the Department of Homeland Security.[4]

Finally, but just as importantly, for an entity that has received either Designation or Certification for its technology, the Act provides that the only proper party defendant to a lawsuit arising out of an act of terrorism is the seller of that technology.  Thus, customers, clients, subcontractors and vendors that either consume the technology or support the seller in deploying the technology are immune from liability.  In other words, both upstream vendors to the seller, and downstream recipients of services from the seller, are not proper defendants in a lawsuit over damages from an act of terrorism in which the failure of the seller’s technology is alleged to have played a role in failing to prevent the attack.

How Does the SAFETY Act Apply to Electric Utilities?

The answer to this question involves two separate but related points.  First, there is a real risk of liability for electric utilities, their vendors, and the officers and directors of both electric utilities and vendors, arising out of a widespread electric outage caused by a cyberattack.  Although utilities enjoy certain common law and tariff protections against outage liability, those protections evolved in an earlier era, when the threat of widespread, multi-state outages resulting from terrorist attacks was largely non-existent.  The extent of those protections against claims arising out of a catastrophic outage due to an inadequate cybersecurity program is uncertain.  Indeed, history suggests that in instances where there is a particularly dramatic or widespread outage, traditional tariff and common law liability protections granted to electric utilities are less than foolproof in defending against lawsuits.  In major outages during the past 40 years, utilities have often been subject to some degree of outage liability, in spite of their applicable common law and tariff protections.

Thus, a utility suffering from a cyberattack that causes a widespread and/or widely-publicized outage is likely to spend years fending off resulting litigation, and there is a better than average chance that it (or its insurer) ultimately will have to pay some form of damages, either as a result of jury trial or settlement of claims.  To the extent that a vendor’s product or services are implicated in the cyberattack and outage, such vendors are even less protected by traditional liability limitations, and they therefore bear even higher levels of liability risk than the utilities to which they provide services.

In addition to claims against the company and its vendors for outage-related liability, such entities and their directors and officers can be expected to be the target of derivative suits or shareholder suits for fraud and other securities law violations.  The allegations in such cases can be expected to range from failing to adequately protect the company against cyberattack (or, in the case of vendors, failing to take steps to ensure that their product or service adequately protects against cyberattack) to failing to make adequate disclosures about the state of the company’s cybersecurity practices.  Such lawsuits also can be time-consuming and expensive to defend against, and – as with outage liability claims – often result in substantial payments by the target company and/or its officers (or their insurers) in order to resolve them.

The second key point is that the “technologies” covered by the SAFETY Act are not limited to devices.  The term “technology” under the SAFETY Act is defined as any “product, equipment, service (including support services), device, or technology (including information technology) designed, developed, modified, or procured for the specific purpose of preventing, detecting, identifying, or deterring acts of terrorism or limiting the harm such acts might otherwise cause, that is designated as such by the Secretary [of Homeland Security].”  By including “services,” including “support services,” within the definition of “technology,” the SAFETY Act allows for coverage for cybersecurity programs, or portions of cybersecurity programs, including cybersecurity programs that a company provides to itself.

In its implementation of the SAFETY Act, OSAI has granted coverage for protection programs, and not just devices or technologies.  Indeed, we have had experience in helping providers of security services obtain SAFETY Act coverage for their physical security programs, and OSAI has granted SAFETY Act coverage to certain organizations for their internal physical security programs.  Furthermore, in conjunction with the development of the Cybersecurity Framework and the C2M2, OSAI has indicated (in discussions that we have had with the agency) that it is willing to grant SAFETY Act coverage to critical infrastructure owners and operators for part or all of their internal cybersecurity programs.

The breadth of the definition of “technology” under the SAFETY Act, and the manner in which OSAI has implemented the statute, have very important ramifications for electric utilities and their vendors, and their potential liability for widespread outages caused by a cyberattack.  An easy way for utilities to increase their liability protections is to purchase goods and services – particularly those involving physical and cyber security – from vendors that have obtained SAFETY Act coverage for their products.  That way, the utility can avail itself of the liability protections that attach to the use of those products.

More significantly, and as indicated above, a utility also can seek to invoke SAFETY Act protections for its internal cybersecurity program, either in whole or in part.  Obtaining SAFETY Act coverage for a utility’s entire program would involve making the necessary showings to OSAI on all aspects of the company’s cybersecurity program, from identification of Critical Cyber Assets and other protected Cyber Assets, to protection mechanisms and recovery and restoration plans.  A simpler, and likely more achievable, approach would be to seek SAFETY Act coverage for portions of a utility’s cybersecurity program.  This could include all cybersecurity practices related to a limited set of sub-networks on the company’s IT system, or could involve seeking Designation or Certification for discrete parts of the company’s cybersecurity program (for example, access management, patching practices, configuration management, and other, similar tasks).

In this way, the SAFETY Act offers a mechanism for electric utilities to translate the regulatory push for a robust cybersecurity program into the Designation or Certification liability protections outlined above.  Given the nature of the SAFETY Act and the application process, those protections operate on at least two levels.  First, as long as a cyberattack is ruled by the Secretary of Homeland Security to be an Act of Terrorism, the specific protections specified in the SAFETY Act apply.  However, even if an Act of Terrorism is not declared, the fact that a company’s cybersecurity program, or a portion of it, has been approved for SAFETY Act coverage by OSAI – and been designated as an “Approved Product for Homeland Security” by the Department of Homeland Security – provides strong evidence that the company acted in accordance with applicable standards, and therefore can mitigate liability risks.

One final, but no less substantial, benefit of obtaining SAFETY Act Designation or Certification is the impact that such a ruling has on a covered company’s insurance costs.  Cyber insurance is still a nascent and complex area that has been characterized by wide variations in premiums and coverage levels.  However, it has been our experience that, in other areas, companies able to obtain SAFETY Act Certification generally are able to obtain more expansive insurance coverage while at the same time reducing their insurance premiums by amounts that can reach well into six-figures.  SAFETY Act coverage could provide additional certainty in cyber insurance by demonstrating to underwriters that a utility has less risk and allow it to obtain better coverage at a more advantageous price.

How Does a Company Obtain SAFETY Act Designation or Certification?

SAFETY Act protections are sought through an application process.  Designation must first be achieved to receive Certification, although applicants may seek both protections simultaneously as part of the same application submission.  To receive Designation, applicants must demonstrate that the product or service meets various criteria, including:

  • That it has utility and is effective;
  • That the seller of the product or service has large or unquantifiable potential third-party liability risk exposure;
  • That it is likely that without the SAFETY Act’s protections, the liability associated with the product or service would prevent or curtail its deployment;
  • That there be a substantial potential risk exposure to the public should the product or service not be deployed; and
  • Any other factors DHS deems relevant to the security of the United States.

For Certification, applicants must satisfy all of the criteria of Designation, as well as provide information evidencing that the technology meets three additional criteria: that the technology 1) performs as intended; 2) conforms to specifications; and 3) is safe for use.

The most important showing for an electric utility or vendor is to demonstrate to OSAI that the product or service that it seeks to cover is effective at preventing cyberattacks.  OSAI has indicated to us that for any Cyber Assets currently subject to the CIP standards, it would look for evidence to show that the utility’s compliance program is at a “compliance plus” level – that is, that the compliance program not only meets the minimum requirements of the CIP standards, but also goes beyond those minimum requirements to adopt more robust practices than FERC, NERC, and the Regional Entities require.  Although this sounds like it would involve substantial additional work, in our experience many electric utilities already go beyond the bare minimum requirements imposed by the CIP standards, and adopt more robust cybersecurity practices for their protected Cyber Assets.

Under the SAFETY Act, OSAI has 120 days from the completion of an application to render a decision.  The period between the submission of the application and the final ruling is usually characterized by requests for additional information from, and ongoing dialogue with, OSAI.  A grant of Designation or Certification is good for five years, after which the company must re-apply for SAFETY Act coverage.

Conclusion

The regulatory landscape for cybersecurity is constantly evolving, but for electric utilities (even more so than most other companies owning and operating critical infrastructure), that landscape has involved mandatory regulation and constantly-changing standards.  The utility industry already has devoted vast resources to achieving compliance with the CIP standards.  Ironically, such compliance is not a foolproof defense against either a cyberattack or the liability risks associated with such an attack.

The SAFETY Act allows utilities and their vendors to capitalize on all the work that they have performed in upgrading cybersecurity processes and practices.  Rather than simply allow a utility to defend against regulatory penalties, SAFETY Act coverage – particularly for all or a part of a utility’s cybersecurity program – allows that utility to better manage and minimize its liability risks associated with a cyberattack.  Equally as importantly, it could allow utilities to obtain more robust cyber insurance coverage for a lower cost than most cyber insurance policies currently on the market.

Venable partner Dismas Locaria represents government contractors in all aspects of working with the Federal government and in handling the peculiarities of the Homeland Security Act.  Mr. Locaria has assisted several clients in receiving SAFETY Act Certification, the highest level of protection afforded under the Act.  Mr. Locaria has published on the topic of the SAFETY Act and is a co-author and contributor to Venable's Homeland Security Desk Book.

Venable partner Brian Zimmet focuses on regulation and restructuring issues for electric utilities. He was a primary drafter of the Retail Electric Competition and Consumer Protection Act of 1999.

[1] The Secretary of the Department of Homeland Security must declare an attack to be an “Act of Terrorism” for the protections to apply.  The statute defines an Act of Terrorism as an act that “(i) is unlawful; (ii) causes harm to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and (iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States.”  6 U.S.C. § 444(2).

[2] The Designation option also provides a process whereby technologies in development may be afforded SAFETY Act Designation.  This type of Designation is referred to as Developmental Testing and Evaluation (“DT&E”) Designation.

[3] The Government Contractor Defense arose out of a landmark case, Boyle v. United Technologies Corporation, 487 U.S. 500 (1988), whereby the U.S. Supreme Court determined that a defense contractor manufacturing a military product in accordance with precise government specifications may not be held liable for claims resulting from use of the manufactured product.

[4] A number of amendments to the SAFETY Act have been introduced in Congress that would broaden the applicability of the SAFETY Act beyond Acts of Terrorism to include most cyberattacks (defined in the amendments as “Qualifying Cyber Incidents
