2 November 2018

Why organizations need to plan for worst-case cyber scenarios

By: Michael Figueroa 

In this Tuesday, July 31, 2018, photo, an FBI employee works in a computer forensics lab at the FBI field office in New Orleans. More than 20 people working for the FBI headquarters in Louisiana are working on cybersecurity. They include experts working at forensics labs, doing forensics on computer hard drives and developing techniques for analyzing computer memories in efforts to fight and find intruders, according to the special agent in charge of the FBI's New Orleans field office. (Gerald Herbert/AP)

On Sept. 13, Massachusetts’ Merrimack Valley was rocked by a series of gas line explosions leaving one person dead and many injured. In the towns of Lawrence and Andover, houses were destroyed and thousands of people left without gas heading into the New England winter. As clean-up began from the tragedy, there was chatter in local cybersecurity circles that the devastation could have been the result of a cyberattack.

As it turned out, preliminary results from the National Transportation Safety Bureau investigation into the Merrimack Valley explosions suggest that faulty maintenance work triggered inaccurate pressure readings, which led to the explosions.

However, it’s still important for Columbia Gas — and every other utility — to have a risk management plan for worst-case scenarios. Organizations need to have cyber-risk mitigation plans in place just as they do for physical disasters.

Both Massachusetts Senators Elizabeth Warren and Ed Markey stated that they believe Columbia Gas did not have an adequate risk management plan for this type of potential disaster. Moving forward, evaluating cyber risk should be given the same attention as replacing old iron pipes.

Too often, organizations approach cyber risk in isolation. The IT department is left to its own devices while the rest of the company evaluates risk based on outdated criteria that ignore most — if not all — cyberthreats. Companies are concerned they will inadvertently share proprietary IP or personal information when they share technical indicators of threats or compromise.

The solution is to take a collaborative approach to mitigating cyber risk that benefits all parties. For utility providers, sector-specific information-sharing organizations such as E-ISAO for power companies and WaterISAC for water are available. Both offer organizations the ability to comfortably share information governed by safe harbor and compliance agreements. Regional organizations that cover cross-sector security information sharing and peer engagement provide additional opportunities to build stronger situational awareness for infrastructure companies. Utilities also should hold cross-functional crisis response drills, covering a range of potential events, to stress-test cyber readiness and help develop formal policies and processes for collaboration.

Ultimately, utilities need to prioritize ongoing digital resilience as a business imperative. They should examine their existing preparedness plans and revisit them for potential cyber threats. A gas explosion is a gas explosion, but if there is a cyber trigger, the preventive strategies change substantially, from flagging pressure gauges in the field to monitoring for malware on the system. An experienced set of eyes could save lives.

Securing the nation’s infrastructure

Protecting the nation’s critical infrastructure from cyber attack is complex, and many federal government efforts are improving our ability to understand the problem space. In its report in 2017, “Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure,” the President’s National Infrastructure Advisory Council examined the complexities of the problem, such as improving information sharing functions and making cyberthreat information more available to utility operators. One of the key conclusions, though, was that there was no way to defend control systems from cyberattack without investing in completely new “separate, secure communications networks” for critical infrastructure.

The Defense Advanced Research Projects Agency launched the Rapid Attack Detection, Isolation, and Characterization Systems program in 2015 to explore solutions for resuming critical power grid functions following a cyberattack. One of the most interesting foundational objectives for the program was the ability to reconstitute the power grid within seven days. Regardless of how difficult it would be for people to live without power for a week, the objective was not based on the ability to resume power delivery, but on how difficult it would be to identify and remove a cyber infection as the root cause for grid failure. Researchers on the RADICS program are seeking to invent new ways to address that difficulty to ensure critical functions like the military, hospitals and, in the case of Columbia Gas, heat, resume in a high-integrity way as soon as possible.

While the Columbia Gas service disruption continues to be a modern infrastructure catastrophe, it offers the tragic lesson of demonstrating how an error related to just one small controller can cause great damage. Ensuring the integrity of the instructions to that controller is critical to ensuring that the whole system functions properly when reconstituted. Our critical infrastructure ecosystem is well-versed in planning for and responding to crisis events. Adding cybersecurity detection will improve the infrastructure, decrease risks across all systems and maintain continuity of services.

Michael Figueroa is executive director of the Advanced Cyber Security Center, a regional collaborative building a stronger community defense to solve common cybersecurity problems across Massachusetts and New England.
