Do You Really Know What Do When the Unthinkable Happens?
Image by Pete Linforth from Pixabay

On September 11, 2001, at 8:00 AM EDT, no one was expecting that the air space over New York City would be invaded not once but twice. Not one person walking the streets of downtown New York thought they would be amid a crisis within the hour. Did the Pentagon at 9:00 AM EDT, with all its security measures and layers of defense, expect that what just happened in downtown New York was even remotely a possibility of happening to them? Not long after the Pentagon was hit, did the 44 souls on flight 93 understand what was happening and what was about to happen?

There was a period of denial when it was all over because we wanted to believe this couldn't happen in the U.S. Could it?

I remember one time, many years ago, driving north on an interstate on a clear sunny day, I saw a car about 100 yards ahead of me swerve onto the shoulder. What I saw next caused an internal battle between my eyes and my brain. On an interstate, you only expect to see license plates, trunks, and rear bumpers ahead of you. That's what my brain was in the habit of processing. But instead, I saw a front bumper, a hood, and a person who appeared to be facing me. For a moment, my brain was not changing the course of my action. It interpreted the car as going in the same direction I was going. All the while, my eyes were "screaming": "It's headed your way! This is wrong!" Fortunately, I moved over, and the person passed me without incident. After it was over, I paused to understand why I reacted the way I did. What was my hesitation? Why hadn't I just accepted what my eyes were trying to "tell" me?

What is denial?

For most people, processing situations that are instantaneous and drastic sends the mind into denial. According to verywellmind.com, "Denial is a type of defense mechanism that involves ignoring the reality of a situation to avoid anxiety. Defense mechanisms are strategies that people use to cope with distressing feelings. In the case of denial, it can involve not acknowledging reality or denying the consequences of that reality." This also translates into the "If it happens" scenarios. For example, several experts gave us a foreshadowing of COVID and its effects. Not only did it do what some said it would, but it forever changed how we do business.

Because of denial, people tend not to plan, or to under-plan. For example, the Colonial Pipeline hack caused ripples for which there had been no plan of action to compensate. The company was unable to bill customers through its billing system, which meant oil was being consumed with no way to bill for it. It is also believed that they weren't 100% sure whether the IT and OT systems were connected, and if so, to what extent. This could have created physical safety issues. A decision was made, most likely on the fly, to stop the pipes. The ripple effect from that decision impacted the cost of getting around, the price of food, shipping, and services in general. It even affected the bad guys who did it. They sent communications to various agencies and news outlets, saying they only wanted money and didn't intend to stop the oil flow. It also brought the house down on them, so to speak, and today they are effectively out of business.

So how does this fit into cybersecurity for operational technology?

Since the early days of building control systems, most thought nobody would want to attack a control system. This is the same kind of thought we had as a country before 9/11. Surely no one would attack us inside our borders. Maybe a stray nut job acting alone, but not a highly planned, practiced attack that would kill thousands of people, put ALL planes on the ground, and shut down stock exchanges for six days. We know now that not only can it happen, but it could happen again.

Cybercriminals' motivation is equally hard to deter. These guys are in it for financial gain. Most people think that these groups are looking for that one big score. They are, but they are just happy to get hundreds of small scores from multiple sources.

Building control systems have been and continue to be a target of attack. The attackers range from curiosity seekers to full-on Nation States. Iran has a playbook that explains how to attack building control systems by manufacturer. For Nation States, motivation is not something that can be easily deterred. They are well organized and have teams dedicated to causing disruption and theft. They are always looking for a "crack in the wall," and building control systems can offer a fairly sizeable crack. Smaller companies tend to pay the ransom because they are not prepared. Why? Partly because funding security for OT is not in the budget, but in general, they don't believe they are a target, and they don't think their building systems interest hackers.

Too often, we've been called in the midst of an event or shortly after it. At that point, the only focus is damage control, and sometimes the decisions and actions taken at this time cause more damage than they correct. According to Disaster Empire:

  • Small companies make up 99.9% of all US businesses, but 2 in 3 say they don't have a documented plan (Source: Harris Poll for Nationwide Insurance, 2017)
  • 40% of companies never recover from a disaster (Source: FEMA, 2017)
  • 90% of businesses without a disaster recovery plan will experience IT failures after a catastrophe (Source: Touche Ross, 2017)

Bullet number three talks about IT failures but says nothing about OT. So does that mean nothing is happening in OT? No; things are happening regularly. However, because reporting is not mandatory, statistics are not readily available. We can tell you that attacks have disrupted operations in a building for up to 92 days, tenants have canceled leases, lease rates have gone down, occupancy has dropped, and brands have been tarnished or permanently damaged.

Mandatory reporting of OT cyber events is on the horizon.

Just because reporting an OT incident is not required now doesn't mean it will remain that way. There have been bills introduced, Presidential memos, and various organizations pushing to have ALL incidents reported. This year, owners and operators of critical infrastructure are now required to report ANY substantial incident. A ZDNet article said, "Owners and operators of US critical infrastructure will now in some cases be legally required to report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA)," and described the requirement for "...operators and owners to report substantial cyberattacks, like ransomware, to CISA within 72 hours and within 24 hours of making a ransomware payment." The intent is to extend this to all sectors. At this point, anyone can voluntarily report an event, but most don't.

I hope no one gets attacked, but that's not the reality. Someone will, and that someone may be you. The incident happened to me when I had only been driving for a few years. I had enough experience to be lulled into a sense of security that as long as I was on an interstate, I only had to worry about what was behind me and beside me. My dad told me to keep an eye on what was happening in front of me because you never know what might happen. There could be a wreck or somebody headed the wrong way. I want to think I would have been ready if a wreck had occurred in front of me. But somebody headed directly at me, on a highway that was only supposed to go one way, took me almost too long to process. Thankfully I moved out of the way. But what if I had blown a tire on the debris on the shoulder? What if someone behind me had done the same thing, and we wrecked? What if I had gone to the left, and so had the car coming at me? What if? What if? What if? I don't know because it didn't happen, but I also didn't know because I DIDN'T ask the "What ifs" and plan before the incident. I reacted. I might have reacted incorrectly, and the consequences could have been catastrophic.

Tabletop Exercise = What If

If you are not familiar with what a tabletop exercise is, according to ready.gov, "Tabletop exercises are discussion-based sessions where team members meet in an informal, classroom setting to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator guides participants through a discussion of one or more scenarios." Essentially, it means bringing together stakeholders to find out what should be done, who should do what, and how to remain operational during an event.

So… Isn't it time to at least work on some basic "What if" scenarios and plan for an attack? Even if you don't have the exact "What if," your team will know how to work together during an event. You will be foundationally ready by having defined roles and responsibilities. You will have a communication strategy. You will have informed your service providers of your expectations during this time. And you will have a process to analyze what happened and how to mitigate or remediate the vulnerability or vulnerabilities that allowed it to happen in the first place.
