Public, private partnerships key in cybersecurity safety
Lt. Col. Tom Muehleisen of the Washington National Guard talks about cybersecurity partnerships.
Public, private partnerships key in cybersecurity safety
Preparing for a cybersecurity threat shouldn’t be relegated to the techies of the world, but also to emergency management professionals and, really, to the public at large, a panel of state and private partners said at the annual Partners in Emergency Preparedness Conference on April 21.
The panel was made up of state Cyber Security Manager Rob Lang of the Washington Emergency Management Division, Lt. Col. Tom Muehleisen of the Washington National Guard, Dan Banks, the chief planner of the state Emergency Management Division and Jodie Ryan, CEO of private firm Celerity Response.
“The threat is real and persistent,” Lang said. “Today we want to talk about the plan. When most folks talk about cybersecurity, they think of IT. They think of the techies. But if you look back to policy and doctrine, back to 2009, you’ll see speeches from politicians, including President Obama, talking about the public safety aspects. … It’s a community issue. It’s something we all need to have a piece on.”
The state Comprehensive Emergency Management Plan is the go-to document for most emergencies that state and local officials will face. In March of last year, cyber security threats were formally added to the plan as an incident annex, providing a basic coordination framework similar to existing emergency management frameworks for state, local and tribal governments, the private sector and operators of cyber critical infrastructure to manage a significant cyber event when it occurs.
Dan Banks, chief planner at the state Emergency Management Division.
“We had a plan before the annex, but it needed real improvement,” Banks said. “We spent several months going from a technically jargon oriented plan into a real annex of the state comprehensive emergency management plan.”
Muehleisen notes that hacking threats are turning up way too often these days and it’s only a matter of time before some kind of hacking incident targets domestic industrial control systems, which could impact everything from power plants to HVAC systems.
“More and more of these systems are being plugged into a network. Air flows. Valves closing. But the engineer that designed it really didn’t want it to go into the network so there are vulnerabilities. And that’s something we need to be aware of,” Muehleisen said.
Ryan said that there’s been plenty of large retailers that have had data breaches where credit cards and identities are stolen. She noted that just a few weeks ago a person posing as the superintendent of a local school district requested via email a listing of employee names, addresses, salary information and social security numbers – and the district gave the personal data to the anonymous person.
“A day doesn’t go by that some other scary attack is happening – whether it’s destructive malware or a phishing attack,” Ryan said, adding that the only way to truly combat the threat is by the public and private sectors working together.
“Building trust takes leadership from the Guard, from the public sector and money and talent from the private sector to show up to help the public sector, who may not have such a robust system in place, needs our help,” Ryan said. “… And we, as a private sector, are having a bad day, we need to admit it. Don’t be afraid to show your vulnerabilities but do it in a trusted circle.”
Muehleisen says the Washington National Guard’s cybersecurity unit has done work recently with the state Auditor’s Office, the state Department of Licensing and the Office of the Superintendent of Public Instruction among others to test for vulnerabilities.
The Guard became the first to see if they could get into the network of a public utility when the Snohomish County Public Utility District asked for the help.
“The Snohomish PUD has an extremely effective security posture,” Muehleisen said. “They’re very good, leaders in their field, just fantastic and their CIO worked under an assumption of breach. They assumed his 10-foot wall, a beautiful wall, would be met by an 11-foot ladder and sure enough we did. We got in. But his security was actually quite good.”
It only took 17 minutes to break into the Snohomish PUD’s system, Muehleisen said at the presentation, noting the flaws in the system have since been fixed. The incident was detailed in the trade journal Environment & Energy Publishing showing that the system was violated by an email cleverly disguised as work-related, but it all led to a number of cybersecurity summits and tabletops.
“On Sharepoint, I know sharing is caring, but having a file called passwords.doc is not a good idea,” Muehleisen added. “Having a file at all with passwords with files in it is not a good idea.”
Lang notes that “cyber hygiene” is a best practice -- simply information awareness, developing programs so agencies understand the threats they face and exercise those threats. During an exercise in the state Emergency Operations Center last year, a natural disaster exercise had a component when a simulated hacker tried to take advantage of the situation – and the different officials in the EOC had to react to the situation.
Cybersecurity is just one aspect of infrastructure like water and roads, Banks noted, and needs to be practiced.
One way to help emergency managers figure out what cybersecurity is all about is through a free FEMA training offered online here.
For more on our cybersecurity plan, visit http://mil.wa.gov/emergency-management-division/cyber-security-program