What is the Top Sector at Risk for Cyberattacks?

3D Electric powerlines over sunrise

According to this article in the Insurance Business America magazine, it’s the energy sector.  This is no surprise, even without the statistics provided in the article; although the statistics are pretty staggering.  The article states that according to DHS “more than 50% of investigated cyber incidents from October 2012 to May 2013 occurred within the energy sector”.  The advice in the article is pretty sound and coincides well with what I’ve suggested many times in this blog… be prepared!  Not only do power utilities need to have their own cybersecurity experts and the policies, plans, and infrastructure to prevent cyberattacks, they also need to be prepared for the potential success of the attackers.  They need to know who to notify (and how), and what actions to take.  Further, those that depend on electricity should have an alternate means of obtaining electricity to meet essential needs.

Threats to our infrastructure show just how interconnected we are and how interconnected our critical infrastructure is.  This is the primary reason why our energy infrastructure, which touches every other sector, is so essential.  We must ensure that we have in place prevention and protection plans, such as cybersecurity plans; hazard mitigation plans to lessen the impacts; response plans to address critical issues; and recovery plans to return to operations.  Business continuity is also an essential component of this – even if you are an NGO or government entity (continuity of government).

Along with proper planning, training, and exercises, we need to continue to promote legislation which requires measures for cybersecurity and protection of our critical infrastructure.

What are your major critical infrastructure concerns?

© 2015 – Timothy Riecker

EMERGENCY PREPAREDNESS SOLUTIONS, LLC

WWW.EPSLLC.BIZ

Cybersecurity – What is the Government’s Role with Business and Industry?

The National Institute of Standards and Technology was charged by the President with the creation of a framework for improving critical infrastructure cybersecurity, which they accomplished in February of 2014.  This framework and associated documents provides information on critical steps that business and industry, working with the federal government, should take in the protection, prevention, detection, response, investigation, and recovery from a cyberattack.  The importance of this is not only the theft of private information of customers, as occurred in the hacking of Target databases, but most importantly (and the intention of the NIST document) the protection of our nation’s critical infrastructure – most of which is owned and operated by private industry.  What about state governments?  Do they have a role?

Working with various states around the nation, it has been interesting to see how they perceive their role in cybersecurity.  Some are very hands-on, while others are far too comfortable in the back seat.  State governments, it seems, are working to protect the cyber infrastructure they control (their own computer systems and data), but the position they take in respect to the private sector covers the whole spectrum of proactive to wait-and-see.  One wait-and-see-er explains their position away saying that if they don’t own the cyber infrastructure they can’t do anything to protect it.  Interestingly enough, this particular argument came from a larger state which is the recipient of higher cuts of homeland security grant program (HSGP) funds than most and has a significant amount of critical infrastructure, including several nuclear power plants.  They seem to have little interest even working with business and industry to come to common understandings, discuss threat indicators, share ideas, and talk about procedures and priorities.

On the other hand, there are states, both large and small, who see benefit to working with their business and industry to protect critical infrastructure and data interests.  While they acknowledge some challenges with the state not owning the cyberinfrastructure of these companies (nor do they want to), they see nothing but benefits in the formation of cybersecurity working groups and conducting cyber preparedness activities, particularly exercises.  This is the smart approach.

Given the number of cyberattacks that occur every day, it seems inevitable, just like any disaster, that a successful cyberattack on a critical sector of our infrastructure will certainly occur sometime in the future.  Are we prepared?  What are your states doing to prevent, protect, and prepare for such occurrences?  What are we missing?

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Critical Infrastructure Dependencies

Homeland Security Today published an article recently on the FCC’s examination of wireless network issues post Hurricane Sandy.  While the article speaks mostly on the need to bolster the wireless telecom infrastructure, it does mention the obvious dependencies that wireless has on our energy infrastructure.  These types of dependencies can be seen throughout all our critical infrastructure, linking them intimately, and demonstrating how fragile we really are without proper preparedness efforts and redundancies.  The illustration below outlines eight (of eighteen) of our critical infrastructure sectors: Fuel, Communications, Water, Banking, Electric Power, Transportation, Emergency Services, and Government Services.  I take no credit for the graphic, which was simply found on Google Images, but it is a great example depicting a number of the linkages (i.e. dependencies) that each of these sectors has on one another.  Like dominos, multiple sectors can be made to topple by exploiting vulnerabilities in one or more of them.  We’re not just talking about terrorism here, although preventing the intentional interference with critical infrastructure is obviously a major concern, but we’re also looking at natural hazards.

Critical Infrastructure Dependencies

Critical Infrastructure Dependencies

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

We’ve seen from real life on multiple occasions what damages to our infrastructure can cause.  Our electrical infrastructure is perhaps the most fragile, but is also the one linked to every other sector – no wonder there is so much attention paid to preparedness and mitigation efforts to make this sector more resilient.  The above graphic shows, not accidentally, the electrical sector being in the middle of all others.

There has been further attention brought to the matter recently by the National Infrastructure Coordinating Center (NICC).  In this article by Homeland Security Today, it was announced that the National Infrastructure Coordinating Center will be hiring contractor support as a force multiplier in their monitoring activities.  Last week FEMA just released IS-913, their Independent Study course on Critical Infrastructure Protection: Achieving Results Through Partnership & Collaboration.  This course compliments other critical infrastructure protection-oriented training programs of FEMA’s.  FEMA Independent Study courses are free and open to all US citizens.  I would strongly encourage that you explore what they have to offer if you haven’t already.

Critical Infrastructure Protection (CIP) is an important topic spanning all of emergency management and homeland security.  Additional information on CIP can be found from the DHS CIP website and other sources.

Electric Grid Vulnerabilities

Government Security News (GSN) just published an article (http://www.gsnmagazine.com/node/27833?c=infrastructure_protection) about the recent declassification of documents identifying that our electric grid is still vulnerable to terrorist attacks.  Really?  I’m not sure there needed to be a classified document in the first place.  The vulnerability of our grid should be pretty obvious.

The report was focused on the vulnerabilities to terrorist attacks – but thankfully did at least acknowledge that impacts can be caused by natural disasters (by the way, the lights are still out on Long Island).  Terrorist vulnerabilities absolutely do exist, though.  Our energy infrastructure is very open, physically and virtually.  Generally, power generation facilities have decent security – particularly nuclear power plants.  Security does drop notably with other facilities, especially hydro-generation plants, which should have the same measure of security as nuclear power plants as most of them are associated with a dam, which, if breached not only knocks out power generation but also is bound to impact a population catastrophically.

Most energy sub-stations are not staffed, and while there is passive security in place, such as fencing, these can obviously be overcome easily.  Utility lines stretch across our nation above and below ground – generally accessible with little trouble to people with malicious intent.  Remember that acts interrupting our grid may not necessarily come from Al-Qaeda, but can come from disgruntled locals as well.  Take a look at the pictures below.  These were actually taken by my father who worked for a utility company in New York State.  Shortly after these high power transmission lines were put up over 25 years ago, a local, in protest over these lines going through their land, actually unbolted the tower from the base.  They never caught the person who did it – but this is a federal crime – and taken very seriously by prosecutors and law enforcement, including security personnel of the utility companies.  This same transmission line passes through my property and my family and I have made several calls through the years to the security office of the utility company when we see people loitering around and taking pictures or notes on these towers.

 

 

 

 

 

 

 

 

 

 

 

 

In consideration of cyber attacks – guess what – they happen EVERY DAY!  Most, fortunately, are pretty weak and stopped well short of their goal.  Some do have some measure of success, penetrating fire walls and other defenses.  Some come from individuals domestically, but many are known to come from the likes of China, North Korea, and Iran – all of which ‘officially’ deny sponsoring such acts of terrorism.  Practically everything is controlled by a computer, and practically every computer is networked and accessible from the outside world by people who know how to do so.  Energy plants can be shut down, overloaded, or have safety protocols circumvented.  Scary stuff.

So what’s the result of all this?  Much more than the inconvenience of a short-term power outage, I can assure you of that.  Our energy grid is the most critical of our infrastructure.  Without it nothing works.  We’ve only scratched the surface of examples from the areas that were hit by Hurricane Sandy and still don’t yet have power.  It impacts our other critical infrastructures such as communications, hospitals, the economy, and others.  It breaks beyond discomfort and inconvenience when it endangers lives during periods of temperature extremes.  All in all we have an aging infrastructure in our nation, but not only do we need to work on replacing and improving it, we need to protect it.