The past few weeks have been eye opening for anyone concerned with emergency management. Events in Florida and Texas have highlighted the importance—and vulnerability—of water systems and other critical infrastructure to business continuity. In short, we’ve been reminded that anything that affects your facilities, operations or people can put your business at risk.
Water systems, natural gas systems, electrical grids and other infrastructure components are integral to business operations—and increasingly vulnerable. If you are responsible for keeping a business, facility or utility running, your business continuity plan must take these systems into consideration. No operation is too small to be a potential target of nefarious action from internal or external actors, unintentional human error or natural disaster.
Most organizations establish general emergency guidelines to deal with events such as workplace violence, fire, civil unrest and weather emergencies. But as part of Kroll’s work performing risk analyses and developing and testing collaborative crisis management plans, we’ve identified several threats that businesses often overlook or underestimate. Awareness of these potential threats is the first step toward plugging the gaps in your plan and protecting your business.
Think Like a Hacker
Oldsmar, Florida, a small city of 15,000 in the Tampa Bay area, doesn’t seem like a prime target for hackers. But on February 5 of this year, an employee of Oldsmar’s water treatment plant foiled a potentially deadly attack when they noticed that their system was being controlled remotely. The employee quickly discovered that the attacker had increased lye in the water supply to more than 100 times the normal level. However, reports of the incident note that the employee almost dismissed the fact that their system was being controlled externally because supervisors often accessed computers remotely. The reason? The increase of remote work in response to COVID-19.
Security experts have estimated that the Oldsmar cyberattack took all of 3 to 5 minutes. The New York Times reports that Russian hackers have been probing U.S. energy and electrical utilities for nearly a decade. And the rate of cyberattacks has only increased over the past year. No system is too small or too mundane to avoid the attention of hackers.
In fact, it’s the little things that often offer cyber attackers a way into your business’ network. Supervisory control and data acquisition (SCADA) systems—the programmable logic controllers (PLCs) and remote terminal units (RTUs) that enable today’s smart devices and automation—are a primary point of vulnerability. And SCADA is at the root of another unexpected entry point: physical security systems. Yes, hackers have been known to gain entry through popular brands of security cameras.
What You Can Do
Automation, the internet of things and smart factories are here to stay. An increase in remote work is likely for the foreseeable future. Businesses must find ways to strengthen cyber security and hunt down every potential entry point. A thorough cyber security assessment by trained experts is your best option for finding easy-to-miss second- and third-tier backdoor vulnerabilities and determining mitigation factors.
Prepare For Extremes
Recent winter storms have caused widespread devastation to businesses and homes throughout Texas. Even organizations with extensive business continuity and emergency management plans have been broadsided by the near-complete breakdown of the state’s critical infrastructure. Atypical freezing temperatures caused a chain reaction of infrastructure emergencies: As natural gas pipelines froze, power generation stations shut down. As electricity failed, water lines froze and burst. The result? The “costliest disaster in state history,” according to The Texas Tribune.
With bigger and deadlier natural disasters apparently on the rise, businesses need to reconsider the way in which they formulate emergency response. Most resilience plans take a “middle-of-the-road” approach, balancing potential problems and expected costs. Few account for extremes—a problem now illustrated in graphic detail in Texas.
What You Can Do
Consider extremes in your emergency management plans. Yes, implementing backup plans for extreme events that threaten your physical infrastructure can be costly. But identifying and understanding the potential vulnerabilities that such events present are not. Your crisis management plan should at least acknowledge every possible hazard—which leads us to the next gap.
Plan Beyond Your Property Line
The Texas disaster and the global pandemic have both highlighted the importance of considering external factors, such as critical infrastructure and supply chains, in your business continuity plans. These factors might be outside of your control. But identifying them provides the opportunity to, at a minimum, open conversations that could lead to change.
For example, do you know which substation provides power to your facilities? Have you spoken to a power company representative to determine what that substation will do if it loses power, heat or water? What about water and wastewater? Your business might not technically utilize them, but your facilities likely can’t operate without them. How much do you know about your local water infrastructure and its cyber security and crisis management planning?
What You Can Do
Conduct a risk assessment to identify the infrastructure resources you need to maintain full or limited continuity of operations in the event of an incident. Determine who provides critical infrastructure to your facilities. Form a relationship with those organizations. Ask about their emergency planning. If the answer is concerning, decide how you can mitigate a loss of power, heat, water or wastewater if necessary—or even whether a change in location is warranted.
Help Is Available
The best way to identify opportunities to enhance and strengthen your business continuity plan is to run a business risk analysis, especially if you haven’t done so recently; the threat landscape has changed significantly within just a few years. Risk management experts can conduct a thorough assessment, collaborate with you to create a plan that works for your unique needs and even provide training to help you respond with confidence to events like the ones in Florida and Texas. Be sure to look for the depth of experience necessary to recognize hidden hazards and extreme use cases and to help you develop a plan that meets international standards if necessary. Investing in a thorough assessment, planning and training process now can save you untold dollars in the future.