Tabletop looks at how state responds to cybersecurity threats
Allen Avery, a cyber critical intelligence analyst with the Fusion Center in Seattle, talks about why hackers attack.
Tabletop looks at how state responds to cybersecurity threats
A rogue state manages to trick a local public utilities district in a phishing scam and somehow seizes control of transmission lines, shutting down power for hundreds of thousands of people on Election Day.
An airport dealing with a protest gets hacked and flights can’t leave the area. Personal information at hospitals and banks are seized.
All of these scenarios could legitimately happen, probably not at the same time, but officials from more than 30 state agencies gathered for a tabletop exercise Feb. 8 at Camp Murray to review cyber threats, discuss reporting and information sharing, and discuss how cybersecurity awareness can be strengthened in Washington state.
“The threat is getting worse, not better,” said Maj. Gen. Bret D. Daugherty at the start of the two-and-a-half-hour session on Feb. 8. “We just need to be prepared for it. Here at the Military Department, a cyber threat is just one more thing that keeps us up at night. It isn’t a special shiny category over here all by itself. It’s just another potential disaster we have to plan for.”
Daugherty said if the threat is big enough – like an attack on the power grid – he’d recommend activating the Washington National Guard’s cyber protection team, which has worked on power grid issues before.
Washington Emergency Management Division Deputy Director Jason Marquiss reminded participants that a cybersecurity threat could have physical requirements.
“It’s just like we were responding to a flood, or a lahar or a volcanic eruption,” Marquiss said. “Cyber is just the mechanism. The local jurisdiction may have shelter needs, and access needs, and people needing help with translated materials. How would we help a public airport asking for our help?”
More than 30 state agencies were represented at the tabletop exercise.
Tabletop participants were guided on real incidents. There was the time in 2015, when inmates at an Ohio prison built computers out of recycled materials, hid it in the ceiling of their prison cells and hacked their way through internal databases to create security passes, submit credit card applications and commit tax fraud.
“We talk about threats from the outside all the time, but something to think about is there are folks on the inside, who may do something nefarious, as well,” said Rob Lang, the cybersecurity manager for the Washington Military Department.
There was the time in May of 2017 when WannaCry ransomware spread across the globe through unpatched, vulnerable operating software, demanding money to decrypt files. There was the time in December 2016, when hackers took over a transmission state in Kiev, Ukraine, shutting down power for about an hour.
“No big deal; that happens here when a storm hits us,” Allen Avery, a cyber critical intelligence analyst with the Fusion Center in Seattle, told the group. “But what if the hacker is able to control that for days, months, years? And you have no energy?”
“When there are any kind of outages, we are brought into the processes and that triggers our own oversight and ability to coordinate with other entities, including EMD and the Governor’s Office,” said Mark Vasconi, the director of the Regulatory Services Division for the state Utilities and Transportation Commission. “We would want to understand how many customers affected, what’s being done to remediate the problem and to understand the root cause of the issue. What best practices were engaged and what’s being done to ensure this doesn’t happen again?”
Maia Bellon, the director of the Department of Ecology, pointed out that it wouldn’t just be power impacted, it could be sewer systems and water systems.
“Many of you saw the West Point treatment plant failure,” Bellon noted of the King County plant, which caused about 235 million gallons of untreated wastewater — including raw sewage – to spill into a nearby beach. “And a big part of that failure was a lack of electricity and if the PUD has a wastewater treatment plant or a drinking water plant out to customers, we could have a major blowout.”
Ecology Director Maia Bellon makes a point as Robert Lang facilitates the discussion.
Lang noted that we need to differentiate between a cyber incident such as ransomware on a business, for instance vs a significant cyber incident, where public health and safety are impacted, and the physical affects start to be noticed by the agency’s Alert & Warning Center and the state’s Emergency Operations Center gets activated.
Lang points to the state’s Cyber Incident Annex utilized to help respond to emergencies.
Daugherty asked participants how many participants had received a phishing scam and nearly everyone raised their hand. Phishing is when someone tries to get you to download a file or click a link that ends up placing malware on your device or seizes control.
“They’re getting so sophisticated,” Daugherty said. “It’s no longer about the Nigerian prince seeking money. Now, there are contests and emails that look real from people you know.”
The Office of Cybersecurity, which participated in the tabletop, has tips to help you stay safe online.
Meantime, new legislation named for the late Maj. Gen. Tim Lowenberg would build upon the success of the Washington National Guard’s cyber units and create dedicated units around the country to help states counter cyber-attacks. The legislation is currently in the House Subcommittee on Military Personnel and has 32 sponsors, headed up by Congressman Derek Kilmer.
Maj. Gen. Bret D. Daugherty helps lead the discussion at the tabletop exercise.