The COVID-19 pandemic has provided ample evidence that cybercriminals are willing and able to capitalize on major events that disrupt our lives. Indeed, the fact that healthcare has been one of the most targeted sectors during the Covid era illustrates the ruthlessness of the modern cybercriminal.
It should perhaps come as no surprise, therefore, that natural disasters might also provide a fertile environment for cybercriminals to operate in, especially if climate change is going to make such events more frequent. It’s a scenario that officials in the American city of Indiana are trying to prepare for via a scenario exercise that was played out over three days.
At the heart of the exercise was an earthquake that had hit the city and caused widespread chaos and disruption, with emergency services scrambling to respond to the situation as best they could. In the midst of the disaster, the city’s water system went down, and while it would be natural to assume this was the fault of the earthquake, it was actually caused by a ransomware attack.
The exercise was attended by around 500 professionals from across the city, including healthcare providers, National Guard members, and officials from state, local, and federal agencies. The scenario was produced to illustrate the likelihood of cybercriminals looking to capitalize on an already major situation, and to show how people who are already stretched to their limits can respond effectively so that critical infrastructure isn’t affected any more than the natural disaster has already affected it.
Such exercises are increasingly common, with the US federal government creating the Multi-State Information Sharing and Analysis Center to help state and local governments effectively prepare for and respond to a range of digital threats. They’ve conducted numerous virtual exercises around the country, like the one conducted in Indiana, with many coupling a natural disaster with a targeted cyberattack.
Capitalizing on chaos
The group argues that natural disasters are a perfect example of the kind of major event that creates sufficient chaos to allow cybercriminals to thrive, as they weaken systems and resources enough to provide an easier way in for the hackers.
The exercises provide an invaluable starting point by illustrating the potential for cyberattacks at a time when officials may be preoccupied with other things and cyber defence is the last thing on their minds. From here, it’s vital that agencies have policies and plans in place that are updated on a regular basis to effectively account for the ever-evolving threat landscape. These plans should also detail who is responsible for what and who will play what role should a cyberattack unfold.
One of the more famous such exercises took place in Houston in 2018, where a three-day drill was undertaken between city officials and the US Army Cyber Institute. The exercise simulated a cyberattack occurring at the same time as a hurricane hitting the city, and was done with the Category 4 Hurricane Harvey fresh in mind from the previous year.
“Our city is the ideal location to conduct this research to prevent, protect, mitigate, respond, and recover from threats and hazards that can affect not only our community but the impacts they have on the nation’s critical infrastructure,” Mayor Sylvester Turner said. “Houston has a long-standing partnership with our public and private sectors to identify and ensure a thorough understanding of risks and determining capabilities in order to address those risks for the sake of keeping public safety a main priority and minimize disruption for our city’s massive economic contributions.”
A coordinated response
Such exercises are useful because they bring together stakeholders who may ordinarily never speak with one another. For instance, in the Houston exercise, officials from healthcare, emergency response, water, and port authorities all worked together to get the city back up and running.
As a result of the scenario exercise, the city now ensures that cybersecurity is factored into any training programs that are designed to help regions respond to a natural disaster. A key takeaway from the exercise was the need for effective communication and improved cooperation between agencies.
While there haven’t been any known cyberattacks timed to coincide with a natural disaster, many cybersecurity experts believe it is only a matter of time before one happens, both due to the higher frequency of disasters in a world beset by climate change and the willingness of attackers to capitalize on whatever uncertainty they can.
Cyberattacks have been shown to be highly disruptive to key pieces of infrastructure, and can therefore significantly hamper attempts by officials to effectively respond to a natural disaster. Indeed, officials believe that a cyberattack could easily create a domino effect whereby key infrastructure, such as water, telecoms, and power, topples one after another.
Scenario exercises are already common in areas where natural disasters are a frequent occurrence, and it’s pleasing to see a growing number of these exercises placing cybersecurity at their heart, as making up a response on the hoof is a recipe for further disaster.