Arthur House, the chief cybersecurity risk officer for Connecticut, recently penned a column in the Washington Post titled “We’d be crippled by a cyberattack on our utilities.” We agree.
Given that “the states, not the federal government, oversee and regulate the distribution of electricity, natural gas and water,” House stresses the need for states to be on the front lines of cyberdefense for public utilities. He also cautions against offensive cybersecurity actions, given that “we cannot guarantee security” in the event of a counterattack. In our previous blog post, we too argued that “hacking back” can escalate the situation. That’s why we recommend using Defensive Social Engineering (DSE) tools, including posturing, to protect urban infrastructure, rather than actually hacking back.
To confront this threat, House recommends sharing of threat intelligence, contingency planning, and “rigorous regional and national rehearsals” of cyberattacks. A core tool of DSE is Cyber Negotiation, which requires role-playing and simulation to prepare for cyberattacks. This form of practice lets an organization build knowledge and prepare strategies long before a devastating cyberattack ever takes place. Those who are on the front lines of protecting our critical infrastructure need to be prepared to respond to attacks, and House is right that rehearsals are one way to get there.
Beyond sharing information about threats, best practices and state-level cybersecurity response plans also need to be shared in order to encourage further adoption. That’s why we are currently scouring existing state legislation and regulations to find which states have plans in place to deal with a cyberattack. Do they have a chain of command already specified? Have they identified what would be done in the case of a ransomware attack? Without a clear chain of command and set of tools for response, cities and states in crisis will be ill-prepared to confront cyberattacks.