Cyber Doomsday

Part  1

I watched TVO ( TV Ontario) The Agenda the other day.  It scared the heck out of me.

Steve Paiken was interviewing Ted Koppel.  The topic was Koppel’s new book  Lights Out, a hypothetical ( ?) modern-day  Armageddon.

A Shocking Possibility

In a nutshell, Koppel reveals that “a major cyber attack on America’s power grid is not only possible but likely, that it would be devastating,and that the United States is shockingly unprepared.”   I have not read the book ( it’s on order) yet but was rapt by the interview.   

No Water, No Toilets…

During the succeeding days, I tried to rationalize how I would deal with the situation.  Well, if I was home, 41 stories up with basically 2 toilet flushes, no water, no heat, no fridge, no stove I would have to grab a flashlight walk down to P3 and get to my kids’ house.  ( Maybe drive if the garage door was locked open)  Hopefully, the tank would be full, but most likely at half).   I won’t continue with the story because I am sure you are doing your own version by now, don’t forget, no transportation, no communications, no hospitals, no money, no banking machines, and replacement transformers are all custom made.

Not Even Mutually Assured Destruction

“What about the nuclear mutually assured destruction scenario,” asked Paiken.  The response was logical.  The M.A.D. approach only works when country A directly threatens country B. In this case, it is clear who is doing what to whom and who would retaliate in kind.  With the black web and the various techniques to avoid detection, the country attacking the grid might take months to be discovered ( It took the FBI man-months to prove that North Korea actually hacked their systems, but it only took Sony and the rest of the world seconds to suspect it).

“What about immediately imposing regulations on the industry,”  asked Paiken? “In the US there are over 3000 independent power companies, some gigantic others minute,” responded Koppel.  “The big guys are doing what they can, the little guys, well we can only hope.” ( The small glitch in Aug 2003  which brought down the interconnected grid in Ontario and many states on the entire eastern seaboard resulted in some action but nowhere near the precautions which should have resulted).  If we want to benefit from an interconnected grid, the possible price is a tumbling domino effect should one participant fail, no matter the cause, a falling tree branch or a cyber attack.

A Wing and a Prayer

Paiken asked Koppel what precautions he had taken to prepare for a potential 2 or 3-month outage and the response was as you might expect, “ …freeze dried food, bottled water, flashlight, and batteries…” (and likely a shotgun,  although it wasn’t explicitly mentioned.)

 

Part 2

Well if having my gas and water cut off wasn’t enough along came an article in wired.com entitled,  Hackers Remotely Kill  A Jeep on the Highway-With Me In It.

Although the author of the article, Andy Greenberg had an agreement with the hackers,  Charlie Miller, and Chris Valasek,  he still reports it was pretty scary having lost control of his vehicle’s speed as he was driving 70 mph on the edge of downtown St. Louis. “ Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway… “To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening.” Not a hypothetical anymore this is really getting serious.

 

Part 3

The last part of this sad trilogy is a recent article in the Wall Street Journal entitled Europe Sets Up Digital ‘SWAT’ Team for Aviation Cyber Threats.

 

The gist of the article discussed how Europe’s top air safety official said he is hiring a group of high-level computer experts to identify and combat looming cyber threats to aviation.

Intended to be a kind of digital SWAT team for hacking attacks, the initiative launched last month goes beyond U.S. efforts and is the most dramatic example of the European Aviation Safety Agency’s increasingly aggressive approach to such risks.

“The aim is to quickly provide technical assistance to carriers or national regulators anywhere in Europe in the event of a cyber attack,” Patrick Ky, the agency’s executive director, said in an interview.

 

Conclusion

Let’s get a handle on this folks!

  • Raise the issue whenever you get a chance.  The more the conversation happens, the greater the likelihood some progress will be made.  Tell your friends, tell the folks at the water cooler, ask your car salesman what his company is doing about it.  Don’t be surprised at the blank stare.
  • Write to your legislators.  Perhaps they will get the message if enough people independently sound the alarm.
  • Think globally but act locally. Just as world hunger will take some time to resolve, here are few things you can do.
  1. Make sure all your data, both business and personal, is backed up and secure on devices to which you have access.
  2. Be sure your backup systems have off-grid power sources.
  3. At home keep hard copies of critical data including bank statements, wills, leases, contracts, etc.
  4. Be able to prove who you and your family are.  Picture ID, etc.
  5. If you are still not sure call Jolera, we can help.

How much did you say?

Target reimburses $39 million to MasterCard Inc.

On Dec 2, 2015,  Target Corporation in the US announced it had agreed to reimburse MasterCard Inc. and other U.S. financial institutions a total of about $39 million to settle claims brought against the retailer in connection with its massive 2013 data breach.

This settlement comes on the heels of a $67 million agreement Target struck in August with Visa Inc. on behalf of banks and other firms that issue credit and debit cards.  Combined Visa and Master Card implications at Target are around $ 106 M.  While the final numbers will likely be buried somewhere in an annual report a year or two down the road,   total Target loss estimates vary widely. We can all agree however that you have to sell a lot of bread to recover this kind of bread.

Target’s data breach exposed 40 million credit and debit cards to fraud during the 2013 holiday season. The Minneapolis-based company’s breach ranks among the most high-profile data incidents to hit retailers in recent years.

Other costly breaches at other well-known merchants include Home Depot Inc.,   luxury retailer Neiman Marcus Group, and  P.F. Chang’s China Bistro chain.  Dollar figures from the web are not terribly accurate as civil suits continue to wend their way through the US courts.  Liability and class actions suits can take years to finalize.

Our earlier posts on Cybersecurity generated many positive responses and asked that we provide some sort of mechanism for our readers to measure what they are facing.  We all certainly are not Target Stores with annual sales of $ 72.6B USD. So how does the Small to Medium sized business get a handle on the cost of a data breach?  Jolera has found the Ponemon Institute’s Canadian Data Breach  Study May 2015  most informative.  This report was sponsored by IBM but produced independently by the Ponemon Institute.   Verizon’s  2015 Data Breach Report  contains much useful information as well.

We can distill much of the information and there are many inexpensive fixes you can do tomorrow to shore up your defenses.

40% of the Solution is Not Rocket Science 

Some of the suggestions are things your sensible mother would have mentioned had you asked the question.  Lock the machine when you leave your workstation, make sure no one is looking over your shoulder, use passwords whenever feasible to protect data.  The Ponemon Institute has categorized some security measures which are easily managed and can have a significant impact on your security posture.   Admittedly some of the solutions require a discipline and internal surveillance which may impose a “cost” however there are relatively inexpensive quick wins which will you get some distance down the road.

 

40% of the solutions fall into the quick fix category, they are no-brainers.

So now you are probably doing some mental gymnastics weighing the cost of implementing and monitoring some of these solutions at your place.  The IBM has a blunt tool to help you estimate the cost of a major data breach at your business.  The numbers can be scary and, of course, there is always the hurdle of getting the C-Suite on-side when dealing with intangibles.

Let me suggest a possibility.  Get the Jolera team to lend a hand.  We have over 100 high-tech minds,  and 10,000s of hours of practical hands-on experience to place at your disposition.  Together we can be formidable.  No matter how complex your IT questions we can help you take decisive action and achieve those “elusive” results.