Emerging Risk: The Converging World of Cyber and Physical Threats to Business and Security

By September 12, 2014Business Risk

I’ve been busy this week preparing for a presentation I will give at a conference in Park City, Utah next week sponsored by Critical Intel – a firm that specializes in intelligence analysis for critical infrastructure – specifically – the electric and power sector.  I will be focusing my talk around building an internal intelligence function to protect critical infrastructure, something I did in a previous life.  And it brought me around again to thinking about how dependent we are on critical infrastructure and well functioning IT systems – and how the physical and cyber threat landscape converges more and more everyday.

When I mention critical infrastructure and especially power and electric infrastructure to people not in this line of work – you can almost hear them yawning in their head. But the truth is, if ever there is was a more critical threat to our economy, way of life, and in many cases, very survival, it is the potential for an actor (whether state or non-state, criminal or terrorist) to take out large portions of the electric grid.

Consider this:

The electric grid is the only one of 16 sectors identified by the Department of Homeland Security that supports the other 15 completely.  

While oil and gas also support a large portion of those through supply chain and power generation, electricity supports everything and that everything is increasingly automated without many underlying processes that would allow them to be run without computers – or electricity.  Think about this.

I lived through a small scale demonstration of what could happen in the event of a large scale attack on the power grid when we lost power in Houston during Hurricane Ike for between 1-4 weeks – depending on where you lived.  Here’s what it looked like:

  • No traffic lights and no street lights
  • Huge piles of rotting food behind groceries stores. Grocery stores closed.
  • Emptied refrigerator contents at everyone’s curb (the smell from milk products that have gone off is overwhelming in a couple days time in 100 degree heat)
  • Closed gas stations and long lines at gas stations that were open, with people filling up extra tanks for generators
  • Hot, damp houses with no electricity, no phones (all need to be charged) no computers
  • Hospitals, in this case were the first to have their power restored, but in a more catastrophic situation – like Katrina – life saving machines, ventilators, dialysis, etc – would be unavailable to people who needed it
  • Banks can’t open, transfer money and people cannot withdraw their money

I could go on, but clearly, you see what I’m getting at here – and if you’ve ever lived through a natural disaster – or even a lengthy power outage, much of this is not a surprise.  Its not rocket science, but its also something we tend not to think about until the actual threat is looming.

The threat comes from myriad places and angles.  For example, yesterday the International Business Times reported that ISIS – largely perceived as a physical threat to security in the Middle East and beyond – is building a cyber army dedicated to attacking US financial and critical infrastructure.  Also yesterday, Politico reported on USG concerns over a Cyber-Fort Hood. Specifically, they are concerned about a rogue insider – an IT system administrator – with the knowledge and access to create a massive internal system failure impacting critical infrastructure. So an angry employee who you might think of as more of a work-place violence threat, might actually go for something bigger and more economically damaging through the IT side of things.  (There are plenty of examples of this happening on a smaller scale already) There are the state sponsored, Stuxnet type viruses of the world too.  Consider it’s “sister” virus Shamoon (largely believed to be an Iranian retaliation) that took out 30,000 computers at Saudi Aramco in 2012.  Luckily that virus didn’t impact their refineries (which could have catastrophic consequences), but that doesn’t mean something like it won’t in the future.  And here again we are moving from what has largely been a physical threat of more traditional warfare between states – into a backend, more covert type of warfare – with potentially disastrous implications for national economic and physical security – not to mention for any business that relies on electricity to make a profit.  (Are there any that DON’T?)

So I need to get back to that presentation now: discussing how building an effective intelligence function within a business can assist in mitigating this risk by monitoring threats, providing advanced warning of potential threats, and educating the workforce and executives on how these threats can impact the bottom line in their business, not to mention national security.  It s a different animal than working in intelligence in a large government organization and it requires diplomacy, relationship building, research and analysis, and marketing skills to make it work.  And though your bottom line may be protecting the interests of the business, you are in the process protecting key critical infrastructure.

Its a pretty big deal.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.