Georgia’s Governor Nathan Deal proclaimed February 25th, 2014 to be “Business Cyber-security Day in Georgia”.
As part of the initiative, the Technology Association of Georgia (TAG) ran a Cyber Attack & Business Continuity Simulation, which I attended. It was an amazing presentation, not only of content but also of coordination.
The simulation was of a fictional company (The Logistics Company, aka TLC) and how it would respond to different attacks on its systems. There were seven attacks carried out during the simulation. There were roughly 30+ people involved with the simulation, and the entire event was broadcast to multiple locations around the US as well as to Kuwait. Making it more interesting, the people involved hold the same positions in their real companies as the people they were portraying in the simulation. The people playing the C-suite in the simulation are really C-suite executives in their respective companies, the lawyers in the company are really corporate lawyers in the real world, etc.
In addition, due to the Governor’s proclamation, the entire event was hosted at Dobbins Air Force Base and included participation from the Georgia Air National Guard, the Cobb County Police/911 department, the GBI, as well as the FBI.
There were five cyber attacks, one physical attack, and one social engineering attack.
In reverse order, the social engineering attack was left until last and was more informative vs. something that the business needed to directly respond to in the simulation. An outside resource recruiter informed the business that she had been approached by a Chinese company to try and poach recruits from TLC’s supply chain division. She was approaching TLC because she had become suspicious after following up with each of the recruits to see how their interviews had gone with the Chinese company, and had been told that the interviews were all one way, with the Chinese company asking all the questions and not following up to actually hire any of the interviewees.
The end result was that the Chinese company was trying to gather intel about TLC for a variety of potentially nefarious reasons. I assume the logical response of TLC would be to warn/train its employees about how to respond to strange recruiting requests. Obviously, TLC cannot mandate that their employees don’t talk to recruiters at other companies, but they do need to be aware that every time they talk to someone outside the company, the information could be used to hurt TLC.
The physical attack proved very interesting to me because it helped me realize the role of police and other emergency response personnel in an emergency. The fictional attack was two ex-employees sabotaging the company’s data center (it turned out to be their backup data center, so it wasn’t as large a crisis as it could have been). The employees went and destroyed cooling towers as well as backup generators, so the data center had to be taken down immediately or risk frying all the equipment.
The immediate business response was to call 911. After that, they realized it was their backup facility and it did not hurt their primary data center. They then quickly made arrangements to back up their main facility to a third-party data center. In real life, the backup would take a while to accomplish, but so long as their primary facility didn’t go down, it would not hurt their day-to-day operations.
The problem with the immediate business response was that as soon as the police arrive at a potential crime scene, the business loses all control of the scene until the police allow them back in. Therefore, if the business needs access to computers, data, etc., they may lose access to all of it until the police finish collecting the evidence they need. This can potentially hurt the business even more than the actual damage if they cannot complete in-progress business at the time of the crime.
The cyber attacks ranged widely in nature (I forgot what the fifth one was):
- An international hacker encrypting the business’s data files and demanding a ransom
- Disgruntled employees installing Raspberry Pis to override PLC (Programmable Logic Controller) instructions to disrupt a sorting and packaging facility
- Hackers disrupting the shipment routing system and sending critical shipments of organ transplants to random addresses
- The DoD finding out that routers shipped by TLC included malware which was spying on the data flowing through the networks
All of the cyber attacks were pretty complicated and included potential damage to the business’s brand image in the marketplace (especially when the critical organ transplants were not delivered on time), as well as complications involving contracts and insurance policy questions. The main lesson learned here was to ensure that your legal team is involved in preparing your business continuity planning to ensure that you are not breaking contracts with suppliers, clients, or insurance policies depending on how you respond in an emergency situation. There may be SLAs, legislation (such as HIPAA or other privacy laws), or other contractual agreements which you may be bound to regardless of what has happened to your company.
The three main points I got out of the simulation were:
- Having a single page listing all important phone numbers is better than any 8-inch-thick binder full of amazing plans, because the binder will get left on the shelf during an actual crisis.
- The act of planning is almost more important than your response in a situation. The act of planning forces you to organize and think through your response so that you at least do something instead of freezing in an emergency situation.
- It’s important to have a good response team put together – but even more important is to have all of them in communication during a crisis. Get the key decision makers in one room, or on one conference call. No one leaves until the crisis is over. If they need information, send out others to collect it. Keep your decision makers in the loop at all times so they can respond as soon as the situation changes.
I’m looking forward to attending next year’s simulation!