Vulnerability to cyber hacking is exposing and expensive, and it also has the potential to be highly dangerous. In developing a cyber resilience plan, a collaborative and comprehensive approach is the most powerful, writes Fay Sweet.
A power utility has been hacked causing an outage affecting more than two million residents. First responders are running out of fuel and the gas stations have no generators to operate the pumps. A tanker overturns on the freeway spilling its cargo of chemical waste. Fortunately, this nightmare scenario was imaginary… a regional stress test for emergency planning in San Diego County, California, United States. “This was the first time our cyber response team was activated and it was able to successfully execute the new cyber disruption response plan,” says Senior Emergency Services Coordinator Robert Barreras, at the County of San Diego Office of Emergency Services.
San Diego County belongs to an exclusive club. It is one of very few counties in the U.S. to have developed a response plan for dealing with cyberattacks. The test involved more than 400 officials, emergency management personnel, FBI, police, fire, local utilities, businesses and more participating in an all-day cyberattack exercise.
“With cyber issues prevalent in the news, we realize that every piece of software and every computer network has some vulnerability to hackers, so it just may be a matter of time before government experiences a major cyber disruption,” continues Barreras. “As part of the County of San Diego’s plan there is a Living Safely strategy for making this one of the safest communities in the nation, and a proactive response to cyber resilience forms an important part of that.”
Work on developing the cyber resilience plan began in early 2014 with a Threat and Hazard Identification and Risk Assessment (THIRA). Cyber risk was high on the list of priorities, so work started to build a plan and response. “From the start, it was clear that the strength of our plan would be rooted in great collaboration across as many agencies as possible,” says Barreras. “From law enforcement to IT representatives, civil and military partners and the private sector, it has been extremely powerful to bring together individuals who wouldn’t normally meet. In the longer term this will be beneficial to the region in many ways.”
The resulting cyber plan describes the types of attacks possible, breaks down technical terms to a user-friendly level, gives templates and suggested response formats to quickly and effectively identify and isolate incidents, and focuses on the formation of a Cyber Disruption Response Team (CDRT). The CDRT is activated when a certain level of attack hits the county, as deployed for the exercise described above. The CDRT includes cyber/IT experts from the FBI, law enforcement, County of San Diego, the cities within the county, San Diego County Water Authority, local utilities, Hewlett-Packard and AT&T. As future phases are rolled out, these partnerships will extend to hospitals, education facilities and more.
The finalized plan will become an annex to the San Diego County Operational Area (OA) Emergency Operations Plan (EOP). AECOM has continued to help the county with multiple hazard planning documents over the past several years.
Working with Barreras and the County of San Diego in preparing the cyber plan, AECOM’s cyber specialists included cyber analysts, planners, federal consultants and project managers. Similar plans have also been created by AECOM for the cities of Boston and Houston.
Cybersecurity in San Diego
San Diego is growing its reputation as a center of cybersecurity excellence.
- Almost 7,000 San Diegans work in the core of the cybersecurity industry in San Diego County. (This industry is defined as firms that provide cybersecurity products and services largely to customers external to their organization or firm.)
- A key component of San Diego’s cybersecurity industry is the United States Navy Space and Naval Warfare Systems Command (SPAWAR). Employing an estimated 3,095 cybersecurity professionals and tasked with administering hundreds of millions of dollars in cyber contracts, SPAWAR has a profound impact on San Diego’s cyber industry.
- The total economic impact of cybersecurity industry workers in 2013 was $1.515 billion, and the industry supports an additional 6,600-plus indirect and induced jobs.
- The community foundation, Securing Our eCity, has drawn attention to the ubiquitous nature of cyber threats and the importance of every individual and business taking action to protect themselves.
- The Cyber Center of Excellence (CCOE), a public-private partnership, has been founded to help accelerate the region’s cyber innovation economy and support the flow of a highly skilled workforce.
Source: Cyber Security in San Diego: An Economic Impact and Industry Assessment
An integrated and holistic solution
“Cyber resilience is about understanding risk and protecting the important things, and being able to bounce back in the event of an intrusion,” summarizes Dean Fox of AECOM’s cyber resilience practice. “In our hyper-connected and digitized world we are all vulnerable to hackers and cannot protect everything, so planning for resilience starts with understanding the risk and prioritizing the response.”
For Fox, a successful resilience plan requires an innovative approach rooted in collaboration and knowledge. “To finish in the right place, we need to start in the right place, and that means getting the right people around the table. The only way to understand all potential vulnerabilities is to have all stakeholders involved.” From this starting point it becomes possible to make informed, critical decisions on what and where to budget for security and resilience of assets, systems and networks.
This approach is at the heart of AECOM’s Converged Resilience™ service – an integrated, holistic solution to cybersecurity and operational resilience that bolsters an organization’s ability to anticipate, avoid and absorb threats. From here, resilience experts provide a streamlined process that integrates resilience into all project phases, from planning and design, to construction, operations and maintenance.
Fox concludes: “By seamlessly delivering an innovative approach to risk evaluation, we can see companies and government bodies really understand how best to align investments to assure the continuity of their operations.”
San Diego Living Safely
The Living Safely strategy is the plan for making San Diego County one of the safest communities in the U.S. Living Safely focuses on achieving three outcomes over time to ensure San Diego is a region where:
- Residents are protected from crime or abuse
- Neighborhoods are safe to work, live and play
- Communities are resilient to disasters and emergencies
Source: County of San Diego
CYBER RESILIENCE CASE STUDY
Keeping the water flowing
The Chicago Department of Water Management operates the two largest capacity conventional water treatment plants in the world. Together the facilities have the capacity to process almost a billion gallons of water every day, supplying water to the city of Chicago and 125 suburban communities in Illinois. To help ensure continuity of this critical service, we completed a threat and vulnerability assessment update for the department using the American Water Works Association’s risk and resilience standard J100: Risk Analysis and Management for Critical Asset Protection Standard for Risk and Resilience Management of Water and Wastewater Systems. This project was one of the first full-scale applications of the J100 methodology for a large water utility.
During the work, we identified critical assets; determined appropriate threats and hazards; estimated consequences, the effectiveness of existing mitigation measures, and threat likelihood for critical threat-asset pairs; calculated the baseline risk; applied mitigation measures; and evaluated the cost benefit of implementing various mitigation suites. We evaluated the resiliency of the supervisory control and data acquisition hardware and software, system access vulnerabilities, and malware prevention and control, and performed penetration testing and rogue wireless testing. We led several group meetings and workshops throughout the project with DWM staff, as well as the Chicago Police Department, FBI, Coast Guard, Office of Emergency Management and Communications, and the Joint Terrorism Task Force. These workshops provided knowledge sharing and served as a tool for achieving consensus on tough issues and making everyone involved feel that they participated in the solution.
We customized several components of the J100 methodology to meet the client’s unique needs. For example, we modified the methodology used to estimate the likelihood of terrorist threats, and developed methods for estimating other threats and hazards such as the likelihood of proximity hazards and workplace violence incidents. We then completed an economic analysis to estimate the regional economic impacts of a major water disruption or contamination event. After completing the assessment, we worked with the Chicago utility to develop a security and preparedness capital improvement plan that prioritizes the investments that the city will make to improve the security and resiliency of its critical infrastructure.
CYBER RESILIENCE CASE STUDY
Making connections and saving energy
Helping the U.S. Army to make more efficient use of energy and water at its sites, our teams have connected vital industrial control systems for the U.S. Army Corps of Engineers in Fort Belvoir, Virginia. Following the introduction of legislation requiring metering in all federal buildings, the Army Central Metering Program involves installing, and protecting from cyber threats, a network of advanced meters that report remotely to a central database located at Fort Belvoir. This work encompasses some 6,700 Army, Army Reserve and Army National Guard facilities at more than 480 sites worldwide. The meter system provides army installations with a resilient capability of measuring and tracking electricity, water, natural gas and steam consumption at individual facilities.
The army is also undertaking the installation of advanced utility meters on all military construction projects and for renovation or energy projects with a programmed cost of $250,000 or more that include electrical, natural gas, water or steam components.
AECOM troubleshot configuration settings and network designs, and developed a solution enabling the full integration of vastly improved meter data reporting. The successful project established cybersecurity and resilience solutions enabling secure communications to facilitate the collection of data from multiple sites to meet legislative requirements.
$2.1 trillion is the estimated cost of data breaches and cybercrime to businesses around the globe by the year 2019. Juniper Research
$65 billion will be spent on U.S. cyber security contracts 2015-20. U.S. federal budget projection
43% of firms in the United States experienced a data breach in 2014. Ponemon Institute
$445 billion is lost annually to cybercrime and espionage around the world. Center for Strategic and International Studies.
317 million new pieces of malware were created in 2014. Verizon 2015 Data Breach Investigations Report
1 million new threats released each day. Verizon 2015 Data Breach Investigations Report
£34 billion is the annual cost of defending Britain against cyber-attacks and repairing the damage done by hackers who penetrate security systems. U.K. Centre for Economics and Business Research
15% of U.K. businesses questioned said they had lost revenue due to a cybersecurity breach. U.K. Centre for Economics and Business Research
700 articles on data breaches appeared in the New York Times in 2014; there were 125 articles on the subject in 2013. Verizon 2015 Data Breach Investigations Report
$12.7 million is the average cost of cybercrimes in the U.S. in 2014. Statista, the Statistics Portal