Operation “Be Prepared”: Cyber Lessons Learned from Disaster Preparedness Drills
Pondurance
October 26, 2021
In August of this year, Pondurance partnered with the Indiana National Guard, the Indiana Executive Council on Cybersecurity (IECC), the State's Office of Technology and the Department of Homeland Security, among others, to conduct a disaster preparedness drill. This multi-agency effort revolved around an emergency response to an earthquake and included a cybersecurity exercise intended to help the state be well prepared for the cyberattacks that would likely come during an actual disaster.
I had an opportunity recently to contribute an article to Government Technology on the need for cyber preparedness during natural disasters, and the importance of having an incident response (IR) plan in order to be prepared for any resulting cyberattacks.
***
When natural disasters strike—hurricanes, wildfires, earthquakes, floods—communities are at their most vulnerable. People are alarmed and distracted. Sadly, cybercriminals see the opportunity in the chaos. They take advantage of the confusion to create more havoc by targeting physical infrastructure like electric grids, fuel pipelines and water systems with ransomware attacks.
Increasingly, when natural disasters happen, the number of attacks immediately spikes. Indeed, many cyber events are now directly linked to physical events. For example, states like Louisiana and Florida routinely see an exponential rise in cyberattacks following hurricanes.
But we aren’t sitting idly by, and the government and businesses are fighting back too. They’re organizing cybersecurity efforts like Operation Homeland Defender, a drill at Muscatatuck Urban Training Center in Indiana, to test preparedness and bolster defenses. The most recent event this summer included the Indiana National Guard, local first responders, Indiana Task Force One and others. I’m proud that our company was also invited to participate.
Muscatatuck is the Department of Defense's largest urban training facility. It is a "real" city with built physical infrastructure, including a water distribution and pump station with multiple active SCADA (supervisory control and data acquisition) systems, a 3G and 4G meshed network, IoT testing grounds, a hospital and even a U.S. "embassy." It is an ideal place to run realistic training and testing scenarios for a cyber event and see firsthand how defenses hold up. It's a wargames facility built for the modern era of cyberattacks, blending both physical and cyber into a common realm.
The Operation Homeland Defender drill involved a simulated earthquake followed by a cyberattack, with hackers swooping in amid the chaos. Specifically, the bad guys attacked the water system and tried to shut it down as the National Guard deployed its defense tools to protect networks, people and property.
During any natural disaster, there will be network outages and various other disruptions. Most will be the result of physical damage. But others may be caused by opportunistic hackers. For instance, if the water system goes down after an earthquake, it's normal to assume that the outage is due to the quake, not a cyberattack. It is critical that IT and security personnel do not miss the true cause of the outage amid the "noise": misattributing it could lead to an extended outage which, in the real world, could cost hundreds if not thousands of lives.
In the Operation Homeland Defender drill, it was indeed the bad guys who attacked the water system, in an attempt to sow more chaos and demand a multimillion-dollar ransom to turn the system back on. The exercise was designed to help security personnel differentiate between cyber impacts and physical impacts. The objective was to introduce an unknown variable—i.e., a ransomware attack—and demonstrate how failing to identify that variable can have a prolonged and devastating impact.
Imagine, for instance, a major winter storm across the eastern U.S. burying communities under 5 feet of snow. And imagine, at the same time, a cyberattack on the power grid that leaves impacted communities without heat. It’s hard to comprehend the tremendous amount of hardship and even death that this kind of attack would cause. Cybercriminals know this—and they can force communities to pay a very high price to turn the power back on. This is the scenario, and many others, I outlined in Security 2020 when it was published by Wiley in 2010.
That’s why it is so important for every state in the nation to hold full-scale disaster drills like Indiana’s Operation Homeland Defender: to test and better prepare their response. The reality is that many of our systems—systems that are fragile to begin with—are even more vulnerable to attack during a natural disaster or other physical event.
There is a saying in sports: the best defense is a good offense. On the field of a cyber battle, the reverse is true. State and local governments must better prepare their defense by regularly running disaster drills and simulations that combine threats posed by physical and cyber events. The more they practice, the better their response will be and the fewer unanticipated surprises they will face.
It is no longer good enough to rely on a manual or checklist that nobody ever reviews or tests. No response plan works well unless you’ve picked it up and practiced it. How should you respond to a request for ransom? How and when should you engage your cyber insurance group? How can you quickly mitigate any damage?
Ideally, your incident response plan should be reviewed and audited continuously. In addition, key stakeholders should be involved in the planning and execution process of the IR plan to ensure that they are prepared for a cybersecurity incident.
Also, assess your security team and determine if your internal security operations center (SOC) has enough analysts to monitor, detect and respond to threats on a 24/7 basis. This can help you determine whether you have enough staff on hand or need to implement a Managed Detection and Response (MDR) service to help fill the gaps, mitigate blind spots in your security posture and provide visibility into log activity across your digital landscape.
Our nation’s infrastructure systems are increasingly interconnected and linked to computer networks. As cyberattacks continue to evolve, there is a need for heightened vigilance and more effective response procedures. Drills like Indiana’s Operation Homeland Defender should serve as a reminder that we need to do everything in our power to keep pace with cyber threats and stay one step ahead of those who would do us harm.
Do you have an incident response plan in place? Learn how to best set up your plan in our eBook: Incident Response Planning.