“The North American Electric Reliability Corporation (NERC) and the U.S. Department of Energy (DOE) released a report today that identifies a certain class of high-impact, low-frequency risk shown to have the potential to significantly affect the reliability of the North American bulk power system.
The report examines three high-impact, low-frequency risks in detail: coordinated cyber, physical, or blended attacks; pandemic illness; and Geomagnetic Disturbances (GMD) and Electromagnetic Pulse (EMP) events. These risks are rare, and in some cases have never occurred.”
The buzz about grid vulnerabilities from many experts includes speculation about the power grid cybersecurity responsibility being laid at the feet of the active duty military. This may take years to implement, but is not seen entirely as a bad solution.
What most businesses and IT managers can do best with this report is use it as a backbone for their own emergency planning scenarios. The effects from EMP and cyber attacks (nobody seems to really say cyberwarfare) alone will offer a challenge to the strongest CIOs contingency planning committee.
Extortion being what it is, I have a strong expectation that power grid zero-day vulnerabilities will be leveraged; if not by cybercriminals and disgruntled insiders with delusions of grandeur, then by smaller nation-state actors who need bargaining chips in other negotiation realms.
HILFs mean that simply having a Plan B in place is no longer adequate. Your company's Plan C must cover combined disasters. Wildfires combined with a DDoS attack and no cell phone coverage, for example, must be considered. The mixed threat is defined as a wildfire (one HILF) plus another attack possibly cyber-related or cyber-initiated.
The weakness of most plans is they tend to revolve around the skill set of the planners. Human nature dictates that disaster planners often assume that we, the disaster planner or IT guru, will be at the location or at our desk when bad things happen or that our peers or others will be able to carry out any required actions. The news flash is: savvy security planners must have a plan in place for mixed HILF threats.
Seven things I recommend:
- Create a Tiger Team around HILF threats. Assign a small IT, security and safety group to review the DOE report and report back with physical and cybersecurity risks involving long-term power outages.
- Examine the preparedness framework offered to businesses at no cost by Ready.gov – most action planning items for HILF preparedness can be covered or adapted from existing planning for other emergencies, such as hurricanes or southern California wildfires.
- Ensure your plans are clearly articulated. Defining emergency plans by a description of roles (server shutdown technician), rather than individuals (Bob, Susan, Troy) will properly address a ‘Murphy's Law' failure cascade. Each participant should be aware of their role and adequately trained to respond should there be a higher role that needs filling. Annual drills, as well as quarterly small-team meetings, often cover this requirement. Building a visual matrix for your checklist items will help. Include a ‘hard card' physical checklist to ensure compliance in any circumstance.
- Consider EMP, or ElectroMagnetic Pulses. Have a plan in place for the lights going out, staying out, and all unprotected hardware being irreparably damaged. As hard as this may be to consider, my military intelligence background and resources tell me that EMP is not a small threat for consideration. Your solution should include having encrypted backups onto zero-circuitry media (such as DVDs, not EMP-susceptible media, such as USB keys, portable hard drives or other Flash media, such as SD cards) in a safe and protected offsite location. I've never recommended tape backups and I'm doubly unsure what degaussing effects an EMP might include which could destroy data.
- Assume the worst-day scenario for your drills will begin with no ATMs or cell phones, and may or may not include power to the building – and proceed from there. The most lightweight scenario may be simply equipping employees to work securely from home or from nearby technology centers, with an emphasis on working SECURELY.
- The ounce of sweat spent planning and preparing will prevent a gallon of blood lost without it. Obtain key stakeholder participation (HR, decision-makers) for an inclusive plan.
- Take action now. Don't let this be forgotten and shuffled off to the side.
Keeping the flow of information and revenue to a company may seem impossible under these circumstances, but with a calm head and prior planning, your business will be prepared to survive an “Attack of the Killer HILF.”