Could a HVAC vulnerability leave you liable to a massive NIS fine?

News by Davey Winder

Supply-chain security risk: Who is liable when the vulnerability is in equipment from a third party supplier?Under NIS - unless your contract specifically says otherwise - its more likely to be you than your supplier.

The McAfee Labs Advanced Threat Research team has uncovered a zero-day vulnerability in an industrial control system (ICS) used for building management systems including heating, ventilation and air conditioning (HVAC.) This particular zero-day has now been patched, but the questions of who is liable for supply-chain security risk  exposure remains. SC Media UK has been getting the answers.
The McAfee researchers found that the "enteliBUS Manager" produced by Delta Controls was vulnerable to an unreported buffer overflow in the "main.so" library that could be exploited to achieve a remote code execution attack.
The zero-day, CVE-2019-9569, might enable an attacker to manipulate not only HVAC controls but access, alarms and even the air pressure of controlled environment rooms. Within a few weeks of the researchers reporting the vulnerability back in December 2018, Delta Controls started working with McAfee to ensure a fix could be found. That patch was finally rolled out towards the end of June 2019. Which feels like an awfully long time for a zero-day to be out there, but given the nature of the affected product it was essential that adequate testing was carried out to ensure the fix itself didn't cause unforeseen problems.
"As we see a rise in smart buildings and smart cities with greater connected smart devices and embedded IoT, the attack surface and exposure becomes much greater," Javvad Malik, security awareness advocate at KnowBe4, advising that "systems such as HVAC should be isolated from the main network and placed behind firewalls and other network security controls to prevent and detect unauthorised connection attempts."
Organisations need to consider the threats they open themselves up to when having internet-accessible devices, Malik warns. One of those "threats" that is perhaps overlooked a little too often, is the regulatory landscape. "Companies that engage third party suppliers need to ensure that adequate contractual protections are in place should a cyber-security incident caused by the actions of the supplier occur," Nina Lazic, senior associate at Osborne Clarke told SC Media UK.
The Network & Information Systems (NIS) Regulations 2018 is one area that there seems to be some confusion over where the liabilities fall should a third-party supplier be at the heart of such an incident. If your organisation falls under the direct scope of NIS then you will be liable for fines if breached. 
This is because your "responsibility extends to managing their supply chains and, if there is a breach as a result of a supplier breach then, just as under GDPR, it is the organisation that bears the liability," Alan Calder, chief executive of GRC International plc, parent company of IT Governance, warns. Indeed, the breached company could be liable to a maximum fine of  £17 million or four percent of turnover, but could any of that be claimed back from the supplier when a vulnerability was to blame? "They may have indemnity clauses in their supplier contracts but they won’t be able to pass on the impacts of regulatory action unless they can demonstrate that their suppliers are themselves in breach of the regulation," Calder says.
Michael Axe, senior associate in the Dispute Resolution Team at Gardner Leader solicitors, told SC Media UK that "even if a supplier has failed to comply with its obligations under the relevant contract," and so finds itself facing a claim from its customer for breach of contract, "the terms of that contract may still mean that the supplier can potentially exclude liability for certain types of losses suffered by the customer." Such terms may often seek to exclude liability for fines and penalties imposed by third parties on the customer, Axe advises.
Flipping this around, is the supplier safe from liability if such things as user misconfiguration are found to be at fault? "If there is an argument that a customer’s own actions (or inaction) caused or contributed to the loss that it suffered," Axe told SC Media UK, "then this may also limit the supplier’s liability."
Where possible, companies should seek to ensure that the costs of a cyber-security incident are specifically called out as direct losses, rather than being inadvertently excluded, Lazic adds. "For example, liability might be limited or excluded through broad exclusions of liability, which limit recovery for 'consequential' or 'indirect' losses," Lazic continues, concluding "the ability to allocate risk in this way will depend on the relative bargaining power of the parties to the contract, and most suppliers will resist strongly any clauses which might make them liable for regulatory fines."
Which brings us back nicely to the penalties imposed specifically under the NIS Regulations. "It’s important to remember that penalties are not simply imposed because an incident has occurred," Axe says, continuing "instead, penalties are imposed when an organisation has been served with an enforcement notice by the relevant regulator, but then fails to take the required steps to remedy the identified issues within the specified timeframe." 
In that situation, Axe concludes, it is likely to be difficult "for a customer to successfully argue that the supplier should be held liable for the fine imposed as a result of the customer’s own failure to comply with the regulator’s enforcement notice."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews