After any large-scale disaster, human nature drives us to look back and see what we might have done differently if we only “knew then what we now know.” While learning lessons from these events is beneficial, a constant focus on yesterday’s problems won’t necessarily help you prepare for tomorrow. But what if you could foresee the next big crisis and have enough time to do something about it?
Most of the events we label as “black swans” aren’t really as unpredictable as they initially seemed. There may have been warning signs — early indicators of future trouble — that turned unforeseeable events into identifiable “white swans”. In many cases, there may even be experts offering advice on how to mitigate potential damage related to such events. Nassim Nicholas Taleb, the author who coined the term “black swan” has expressed irritation that the term is applied to the coronavirus pandemic. Taleb actually tried to warn leaders at the onset of the crisis when many were underestimating the risk. “We issued our warning that, effectively, you should kill it in the egg,” he says.
So what could be tomorrow’s next white swan?
Warning signs
A combination of two events could be today’s early warning of the next big crisis. First, the February 2021 Texas power and water crisis. This event, triggered by a record setting cold snap, provides a glimpse of what a mass disruption of the utility infrastructure could look like, and what it would mean if a similar event continued for an indefinite period (a scenario that some say was mere 4 minutes and 37 seconds away from unfolding).
The second was a cyberattack on an Oldsmar, Florida, water utility. In that event, an unauthorized cyberintruder accessed controls that, according to reports, “let them open and toy with a computer with a program that sets the chemical content for the underground water reservoir that provides the drinking water for nearly 15,000 people. While the facility does have backup alarms in place to measure unsafe chemical levels, the hacker was at least briefly able to order the plant to poison the water.”
Maturity Assessment: Can your ERM program handle the next pandemic-level event?
Taken together, these incidents, and many others like them, could be seen as a forewarning of a cyberattack on a fragile utility network — events that could lead to prolonged disruptions and even force the immediate migration of entire metropolitan areas or large geographic regions. Just like the pandemic, this would require major adjustments by organizations with operations (or customers) in the affected areas and, in some cases, force the creation of new business models on the fly.
Why worry? “ScotchTM tape and bubble gum”
With no shortage of potential looming crises to worry about, why dwell on this one in particular? One reason is the long list of experts raising red flags. According to a report from the Government Accountability Office, “The U.S. electric grid is growing increasingly vulnerable to cyberattacks from countries such as Russia, and a well carried out attack on the grid could cause widespread power outages.”
Alan Brill, senior managing director with the cyber risk practice of Kroll LLC, notes, “The ‘bad guys’ have been looking at infrastructure, whether it is a water or power distributor, sewage plant or traffic lights for a long time.” Dave Weinstein, vice president of threat research at Claroty Inc., lists water and wastewater attacks as a top concern. "It gets the least attention, and they're probably the least mature sector from a cybersecurity standpoint," he says. He describes his impression of their organizations:
In the article Texas power crisis: Cyberattacks greater threat to grid than weather, Jim Cunningham writes, “Extreme weather is the culprit in the Texas power crisis, but that's not our worst problem. The greater threat we face is the daily bombardment of cyberattacks on our nation’s critical infrastructure — most notably on the electric sector which the rest of that infrastructure relies to operate.”
In the same way that pandemic experts sounded multiple alarms after SARS and H1N1, a growing chorus of experts across the utility and cyber spectrum are convinced that we are grossly underestimating the threat (and potential damage) of an attack on our infrastructure.
Potential for a larger scale event
One way to magnify the scope of an attack on the utility infrastructure is to include wastewater facilities. Mary-Anna Holden, a commissioner on the New Jersey Board of Public Utilities, observes, “Nobody thinks about wastewater systems until they break.” In planning exercises, power outages aren’t what trigger chaos and widespread casualties, she notes. Often it’s the lack of clean water that forces relocation.
Wastewater plants are especially prone to creating larger-scale damage. “If someone's hacked into the operational network and can control chlorination, do something to the [wastewater] digesters or can get control of the wastewater plant, that's the thing that keeps me up at night,” Holden said. “You could cause cholera or dysentery downstream, which could be a major city. How do you counteract that?”
When paired with a potential “domino effect” of cascading power outages, the scope of a coordinated cyberattack on multiple components could create a situation where an entire region of the country is forced to relocate all at once.
Crystal ball or tinfoil hat
The problem with these warnings is that there is no certainty of a future attack… only probabilities. Yet any efforts to mitigate the estimated potential damage will require very real resources to be committed. That means resources could be taken away from one strategic effort in order to prepare for a risk that may never materialize. To make matters worse, people are generally fairly awful at estimating probabilities. Tom Kendrick, in a paper presented at the PMI Global Conference, notes: “Today, despite the fact our theoretical understanding of statistics and probability has evolved significantly, most people are still bad at assessing probabilities, as evidenced by the many lost ‘bar bets’ and questionable decisions we make.”
Kendrick points out that there are only three ways to estimate probability. The first way is to construct a mathematical model, which is difficult to do for complex scenarios (like a cyberattack on the utility infrastructure). The second is to run analytics on historical data, which is impractical in this case. That leaves the most common option — guessing. So, the hard costs of mitigation efforts are presented next to the squishiness of a best guess. At the same time, if all the warnings do turn out to be accurate, we have the time and advanced warning to address the risk before the crisis happens in a much more strategic and controlled way. As Taleb framed this choice with the pandemic, the leaders he warned “did not want to spend pennies in January; now they are going to spend trillions.” But how do we know which outcome we are currently facing?
A better understanding of the probabilities
One part of firming up the odds of an attack is to treat previous attacks as incidents and dig a little deeper into the trends and intent that could be uncovered. In 2007 the Department of Energy conducted an experiment to see if a physical piece of utility equipment could be damaged by remote access. With just 21 lines of code, a 2.25-megawatt power generator weighing 27 tons self-destructed and was reduced to a smoking heap. At a minimum, this proves any bad actor with the right access could cause tremendous damage.
Is your ERM program up for its next challenge?
More recent evidence includes the 2013 Bowman Avenue Dam attack outside New York city, where a hacker allegedly affiliated with the Iranian government targeted floodgate controls of a small dam that is two and a half feet tall. While the successful nature of the attack itself alarmed authorities (the attacker would have been able to control the floodgate remotely had it been operational at the time of attack), others speculated that the hacker may have thought he breached the Arthur R. Bowman Dam instead. That dam has a height of 240 feet and controls a volume of 1,424,000 cubic yards of material. If true, this could be an indicator of intent.
The Solar Winds hack, disclosed in December 2020, could also be an indication of greater risk. Ben Fox and Alan Suderman report, “And while this incident appeared to be aimed at stealing information, it heightened fears that future hackers could damage critical infrastructure, like electrical grids or water systems.” Similar concerns have been raised with the 2021 discovery of the Microsoft Exchange security flaw that left servers from at least 30,000 US organizations vulnerable.
These, and numerous other cases, indicate that the risk is more than hypothetical. At least some mitigation efforts are probably warranted.
Splitting the difference between all or nothing
For organizations looking at how to respond to these types of threats, it should be noted that this is not a binary, all-or-nothing choice. Some mitigation efforts require fewer resources than others. Dan Lohrman offers three middle-of-the-spectrum suggestions in the Government Technology article How Vulnerable is America’s Power Grid:
- Read and implement actions from theFramework for Improving Critical Infrastructure Cybersecurity. Take appropriate steps to ensure that protections are in place for your enterprise. Utilize available federal, state and local resources to ensure that projects are in place to strengthen key government asset protections, utilizing the “Identify, Protect, Detect, Respond and Recover” approaches.
- (Re)examine your disaster recovery and backup power options for key systems and data centers. Are your generators and uninterruptible power supplies tested and in working order? What is covered by backup power? Are fuel provisions in place to cover emergencies? Run drills and exercises to test your people, processes and technology.
- Work with the utilities and public service commissions in your region to ensure that information sharing is occurring and best practices are being implemented. Establish protocols using a model similar to Michigan’s Cyber Disruption Response Strategy to coordinate across public and private entities.
Responses on the lower end of the spectrum could include more simple tasks such as asking employees to develop their personal plans for a 50/100/250 mile forced migration, assembling a list of likely high-demand resources in each region (moving companies, generators and bulk water supplies, furnished corporate housing etc.), and setting up news alerts for cyber events on power or water utilities (to track occurrences of near misses which could be used to trigger greater investment in mitigation).
Activities on the higher end of the spectrum could involve paying retainers to some services to be at the front of line when there is a “run” on them after an event, developing complete disaster recovery plans and return-to-live estimates if critical locations were forced to relocate indefinitely, and detailed plans of how to get critical resources into affected areas while relocating key personnel out of them.
The ability to balance the level of mitigation to match the level of risk, and then make adjustments should the overall risk level increase or decrease, allows an organization to take some steps without committing to an all-out response immediately.
How the right technology can help
While it can be tempting to try and identify some silver-bullet technology that will neutralize the threat from a large-impact cyberattack on utility infrastructure, the reality is that these are uncharted waters. No single solution can solve all the challenges associated with such a complicated event. There are, however, some specific areas where technology can help organizations begin to gain more control:
- Get a single pane of glass: You need a primary platform to effectively attack cross-functional problems
- Robust incident reporting: Incident reporting can turn black swans into white swans and make it easier to focus on emerging threats and concerning trends
- Monitor plans and progress: The steps may be uncharted, but you know you’ll at least need to know who is working on what, and how much progress is being made (no black holes)
- Democratize risk assessments: Change the way we think about risk and crowdsource to those who may not traditionally be included in the assessment process
- Blur the lines: A unified approach is required because no one silo can tackle this kind of complex risk
This is what traveling back in time actually looks like — choices that are easy only if you know with certainty what will happen (and when). This could be the equivalent of going back to 2018 with an idea of what a pandemic would do to the global economy (and every organization within it). Or, conversely, it could be the next Y2K dud. Either way, it should at least promote a discussion of how to keep scanning the horizon for the next potential pandemic-level risk lurking out there, and what the process should be for deciding the appropriate balance of risk vs. cost.
Reach out to us to discuss how Origami can help you create a solution that works with your process for complex, large scale emerging risks.