[BreachExchange] Natural disasters bring cyberthreats small and large

[Destry Winant]

https://statescoop.com/natural-disasters-bring-cyberthreats-small-and-large

While much of the response to Hurricane Florence involves evacuating
coastal communities and coordinating emergency services across
multiple agencies, a natural disaster of Florence's scope could bring
a lower-profile, but still dangerous, threat of cybercriminal
activity.

The North Carolina Department of Information Technology, which is
responsible for keeping its fellow state agencies outfitted with
communication equipment and other resources through the storm, posted
a series of tweets Thursday warning residents to be wary of online
solicitations for hurricane relief.

"Phishing attacks use email, malicious websites to solicit personal
info by posing as a trustworthy organization," the agency posted.
"Take time to look at the sender’s email address and don’t click on
any links until you are positive the organization is real."

Fundraising scams have become common occurrences after natural
disasters. The U.S. Computer Emergency Readiness Team issued
warningslast year after Hurricane Harvey devastated the Houston area,
advising internet users to be on the lookout for phony charities
designed to steal money, credit card numbers and other personal
information.

The North Carolina IT agency also reminded its Twitter followers to be
cautious of emails sent by people posing as the Federal Emergency
Management Agency, which has long had to tell people in
disaster-stricken areas not to fall for such phony solicitations.
Those attempts often ask victims for personal identifying information
such as Social Security numbers or bank accounts, which FEMA does not
require people to supply when requesting aid.

But the potential cyberthreats that accompany a large natural disaster
like a hurricane don't just imperil residents trying to recover. They
also make a tempting attack surface for hackers looking to mess with a
local government's infrastructure, said Laura Lee, an executive vice
president at Circadence, a cybersecurity consulting firm.

"Let’s say you're an adversary and you’re not sure your cyberattacks
will work, but you want a playground," Lee told StateScoop. "You can
take a situation like in North Carolina and see if you can mess with
the traffic signals. In that kind of backdrop you can hide in the
noise."

Lee's firm recently developed the parameters of a three-day drill
conducted in July by the city of Houston and U.S. Army Cyber Institute
that simulated a major cyberattack that strikes during a natural
disaster. While the Army won't publish its report on the drill until
November, Lee said it helped bring policymakers together with
cybersecurity and IT professionals they might not ordinarily talk to.

"This had some nuances of what cyber could add, and getting the tech
people talking to the policy people," she said.

Lee's firm helps government organizations and businesses prepare for
how they'd respond to cyberattacks, and folding in the prospect of one
overlapping with a natural disaster has become a more common part of
the training.

"There’s a whole bunch of scenarios we talk about," she said. "Being
able to maneuver food to the right locations or water — that could be
messed with. You could take snow, tornadoes or hurricanes and add to
that. What could you to do cause problems?"

But Lee said that the reason governments are increasingly adding
cybersecurity components to their disaster drills isn't because of any
natural circumstance.

"I think cities and regions are starting to think about cyber because
of what happened in Atlanta," she said, referring to the March
ransomware attack that crippled dozens of internal and public-facing
computer systems across the city. (The incident may ultimately cost
the municipal government more than $10 million to repair.) "Before we
did the Houston exercise, we prepared for six months before Atlanta.
Then Atlanta came out and we said, 'Oh boy.' You don’t even need
today’s hurricane to worry about things like that."

Throwing a wide-ranging cyberattack on top of an active disaster would
create a special kind of nightmare, though. Emergencies like
hurricanes, tornadoes and blizzards can upend how local governments
handle transportation, emergency response, healthcare and other
critical functions, which makes securing the systems used to manage
those services that much more crucial.

"You have to look at anything that’s important during that stress of
resources," Lee said.