Did you know that your organization and you can be a cyber criminal’s target even if you do not have much valuable information? Imagine that it is the morning of February 3rd, 2020. Frigid temperatures extend as far south as Texas and are expected to stay in place for at least the next 6-8 days. As you are getting ready for work you hear the local fire company’s siren begin to wail. A few seconds later your whole house goes dark. You pull out your phone to turn on the flashlight app and it starts wildly chirping and buzzing. There is an alert from the Federal Emergency Management Agency (“FEMA”) advising everyone of a nearly nation-wide blackout and recommending that everyone stay off the streets and at home while emergency crews work to assess and address the situation.
Your Wi-Fi is out, so try connecting your laptop to the Internet via your phone but the phone has trouble keeping you online. So, you E-mail your office that you will try again in a bit when the power comes back on, then change into warmer clothes and settle in on your couch armed with a heavy blanket, a book, and the old AM/FM radio that you found buried at the back of your closet.
By noon the news begins reporting that the blackout was the result of a coordinated attack. The attackers created malicious software (malware) that overwhelmed the protective switches, called relays, which are used by power companies to keep their electrical distribution equipment from being damaged. The malware kept the relays from working properly, causing transformers and other equipment to overheat and, in some cases, to catch fire. Officials are still assessing the damage, but they are warning that although there is some inventory of spare parts and equipment, much of the equipment will need to be newly manufactured which could take months.
As the day progresses you accept the fact that the power will be out a while and that the fire-and-blanket approach is not a long-term strategy. You are about to hop in the car to buy a generator when your phone rings. It is the CEO of your company. The FBI called her moments ago and told her that they traced the problem back to an individual E-mail account at your company: your account. Foreign agents gained access to your E-mail account and used it to send infected E-mails to select customers of your company. These infected E-mails allowed the foreign agents to gain control of other systems, and to eventually work their way up to a company that has access to the electrical grid. From there, they were able to infect the grid and cause the nation-wide blackout. The FBI assured the CEO that they will not publicly name your company, but cautioned that given the scope of the damage and the number of agencies involved it may not be long before the company’s name, your name, and your collective role in the blackout are leaked. You hang up and collapse onto your couch, your head spinning at the thought that your world has forever changed.
Could This Really Happen?
While this scenario may sound far-fetched, cyber criminals target victims for a variety of reasons, and most aspects of this scenario have already occurred. For example, according to the Wall Street Journal, agents of the Russian government gained access to an excavating company’s E-mail systems in 20181. They exploited the excavating company’s trusted relationship with its customers and moved up to larger, more sophisticated companies, eventually gaining access to the US electrical grid. “They got to the point where they could have thrown switches” and disrupted power flows, said Jonathan Homer, chief of industrial-control-system analysis for DHS2. “Some companies were unaware they had been compromised until government investigators came calling, and others didn’t know they had been targeted until contacted by the Journal.” Thankfully, investigators from the FBI and DHS were able to stop the foreign agents before damage could be done to the US electrical grid. Otherwise, the US may have suffered the same fate as Ukraine in 2018, when an attack on its electrical grid caused massive equipment failures and lengthy power outages3.
To help keep this from happening to you, follow our Top 7 Tips for Reducing Individual Cybersecurity Risks. Click Here to download a PDF version of this document, along with our Top 7 Tips for Reducing Individual Cybersecurity Risks.