Friday, October 1, 2021
Blog topics: Archive
“Winning isn’t everything it’s the only thing”. – Vince Lombardi
“You play to win the game” – Herm Edwards
If you think about it, protecting a school, hospital, or a city’s water supply from a cyberattack is a lot like a football coach drawing up a game plan for playing against the #1 team in the country – every day.
There’s game film, playbooks and you always have to account for how you’re going to stop the other team’s best player from scoring; all the while trying to figure out what else the coach might have up his sleeve. And there’s no halftime show to try and adjust to stage a comeback.
That’s the challenge facing the State of Indiana in its efforts to continue rapidly moving forward in its mission to further strengthen its cybersecurity resiliency and response.
The progress that’s been achieved comes as the State of Indiana and the Indiana National Guard recently hosted two cyber exercises in a partnership with several federal agencies, health care providers, and technology companies, water utility service providers, state, and local government officials, as well as state and federal emergency and law enforcement agencies.
“Conducting these exercises highlights the strength of the cybersecurity structure that exists within the state and underscores the work that’s been accomplished over the past three years by Indiana Governor Holcomb’s Executive Council on Cybersecurity with our partners in the military, academic, public and private sectors,” said Indiana Department of Homeland Security Executive Director Stephen Cox. “Most importantly, it represents the progress with cyber that’s been achieved on behalf of all Hoosiers when we approach cybersecurity as something that is not solved by one entity alone, but by everyone at all corners of the state.”
Having a playbook is especially crucial, given the fact there are not only a seemingly endless number of situations in which a cyberattack or incident can occur, but there are all kinds of circumstances and variables that can interfere with a cyber team’s strategy for protecting its systems.
When Water Runs Out…
A water utility being attacked is not only scary to every city in America, but the reality of it also happening is real.
The Cybersecurity and Infrastructure Security Agency (CISA) has partnered with the State of Indiana and the City of Fort Wayne to exercise how state, federal, mutual aid, and local government would work together in a long-term cyberattack that eliminates the supply of water from the city, with a special emphasis on the secondary effects for the city’s hospitals.
As the Cybersecurity Program Director for the State of Indiana, there’s no question cybersecurity impacts every aspect of our daily lives. As we’ve seen with recent cyber incidents – everything from pipelines to water utilities to schools and hospitals – a cyberattack can create substantial effects and damage to our community and our critical infrastructure, disrupting our daily lives and safety.
When Natural Disasters Hit…
Following the completion of the tabletop exercise, a second cyber exercise as part of a full-scale functional exercise hosted by the Indiana National Guard for first responders and several military branches as well as search and rescue teams at the Muscatatuck Urban Training Center.
The grounds of the 1,000-acre facility, located in Southern Indiana, is a real city that includes a built-in physical infrastructure, a well-integrated cyber-physical environment, an electromagnetic effects system and human elements. There are more than 190 brick-and-mortar structures with roughly 1.5 million square feet under roof, 1.8 miles of subterranean tunnels, a cave complex, more than nine miles of roads, managed airspace, a 185-acre reservoir, and a cyber live-fire range.
The focus of the Indiana National Guard exercise centered on measuring how federal, state, local and private sectors respond to a devastating earthquake.
“We really need to prepare now for these acts which we’ve already seen here in Indiana and across the world,” said Ron Pelletier, founder and chief customer officer at Pondurance, a cyber security company. “When natural disasters hit all parts of the world, we are seeing more and more targeted cyberattacks in those affected areas. Investing now in preventative measures is the best way to avoid situations like that from becoming worse. It comes down to planning to avoid cyber breaches but being prepared to respond.”
As emergency and military teams respond to the effects of the earthquake, the Indiana National Guard also tested the additional response of its incident command leadership while the cyber experts from IU Health, Citizens Energy Group, and Pondurance made the efforts more difficult by attacking the water supply in the aftermath.
It’s Not “If” But “When”...
Pelletier added that Pondurance hopes disaster drills, such as these two, will raise awareness among policy makers to help fund security programs and protocols. “National, state, and community security is truly at risk here, and we need to take action now to preserve it. Waiting for the dam to burst before you repair it is a terrible maintenance strategy, and that’s exactly the situation we have here across power grids, water supplies, healthcare, you name it.”
Having the ability to draw on the resources and expertise required at a moment’s notice to keep people safe in the event of a cyber incident or attack relies on making certain that the state and its partners have a line of communications that’s always open to make sure the State of Indiana provides a response that’s most effective, regardless of the circumstances.
Many of those who are participated in both state exercises also serve on the Indiana Executive Council on Cybersecurity (IECC). As defined in Executive Order 17-11 from Indiana Governor Eric Holcomb, the IECC is a first-of-its-kind collaboration, whose work as an organization within state government, is responsible for guiding the state’s cybersecurity policy, It is comprised of 35 Council members and 250 advisory members, all of whom are subject matter experts represent a wide range of businesses, industries and professions, including education, finance, utilities and insurance, among many others.
The State of Indiana and its partners offer best practices, guides, toolkits, and resources to allow all organizations and critical infrastructures to mitigate, but also prepare for a cyberattack. For more information about the IECC or the State of Indiana’s Cyber Strategy, visit www.in.gov/cyber.
For more information about CISA’s cybersecurity services and resources, visit www.cisa.gov.