Responding to a Third-Party Cyber Attack in Three Steps

Originally published in The Wall Street Journal

After a cyberattack hit natural gas industry communications system vendor Energy Services Group LLC this week, one of its customers was able to quickly shift over to an internal system to maintain operations. The incident offers a lesson in how companies can respond in three steps when a vendor or partner is compromised.

That process includes limiting access to a compromised vendor, executing a backup plan and reviewing the vendor after the incident.

“We were able to successfully use an internal electronic system” to manage records, before going back online within 24 hours, said Vicki Granado, spokeswoman for customer Energy Transfer Partners LP. Energy Services Group did not respond to requests for comment.

Shut off Access. It’s important for companies to be able to shut off access to third parties affected by a cyberattack, said Bill Phelps, head of the U.S. commercial division for consulting firm Booz Allen Hamilton.

This can be achieved by creating connections to third-party providers that are segmented from other functions, so that problems don’t spread, he said. In some situations, the National Institute of Standards and Technology said, companies can direct malicious activity into a sandbox environment, or a safely cordoned-off system where security staff can research the attack.

Companies can choose to proactively shut off third-party connections if they fear a cyberattack is imminent, said Jake Rubin, spokesman for the American Gas Association. The AGA recommends that its members segregate pipeline cyber assets from the rest of the network “using physical separations, firewalls and other protections,” Mr. Rubin said.

AGA partners in New Jersey proactively shut off all third-party computer access to natural gas pipelines near MetLife Stadium in February 2014, said Mr. Rubin, because of rumors of a potential cyberattack on that year’s Super Bowl. The pipelines continued running via a manual backup process and service was restored following the game, he said.

Continue In-house. Companies should have a plan for running services in-house in the event of an emergency, said Mr. Phelps. The plan should be saved on paper and the individuals accountable should know what is expected of them. The plans should not be stored on internal servers or collaboration websites, as a cyberattack may limit access to them, a problem that has plagued some companies affected by a hacked third party, Mr. Phelps said.

The plan can take many forms, depending on the role of a company’s third-party provider and the severity of the cyberattack, said Mr. Phelps. Some functions such as recordkeeping may be handled internally with back-up systems, as in the case of Transfer Partners, or they may have to be handled by hand, he said. More complex business processes, such as check processing, may need to be handled at a different facility or by a backup provider. Highly automated processes such as high-speed trading or machine reading may require more complex backup strategies, said Mr. Phelps.

Boards should ask their security teams whether they have plans to account for how business will run if a critical third-party provider is attacked, how they store them and who is in charge of them, he said. They should also ask which business processes can’t be done in-house, whether they are critical for day-to-day operations and how they are accounting for those systems, said Mr. Phelps.

Review the Third Party. Companies must ensure their security teams are ready to review a third-party provider that has experienced an attack, said Mr. Phelps. Sometimes outside organizations can help with this, said Mr. Rubin.

The North American Electric Reliability Corp. is reviewing the incident this week at Energy Services Group on behalf of its member companies, said Bill Lawrence, director of the Electricity Information Sharing and Analysis Center, an organization that supports cyber threat information sharing among companies in the energy sector. The AGA also provides its members with support for conducting reviews, said Mr. Rubin.

Benchmarks for a post-attack review can start with assessing how critical the vendor is to operations, said Phil Neray, vice president of industrial cybersecurity at industrial technology security company CyberX Inc. Companies should ask how the vendor plans to fully investigate the incident, and they should ask for a full report outlining how the vendor plans to ensure it won’t happen again, said Mr. Neray.

“What steps have you taken to clean up from the attack, and what evidence do you have that the attackers are no longer in your network?” Mr. Neray suggested asking. Boards should expect third parties to answer specifically how they have examined networks to identify any remaining instances of malware, and whether they have engaged an incident response team to perform cyber forensics or clean-up.