Disaster planning used to be so simple. Find a location where emergency responders can create a mock disaster—earthquake, tornado, flood—set the stage appropriately with property torn asunder, simulated casualties and other issues and then practice until the response is perfected. It was like golfers practicing their swing or basketball players shooting shot after shot to create muscle memory for competition.

Those days are gone as black-hat hackers have begun to follow natural disasters like criminals following storms to scam the elderly. In the cyber scenario, the hackers infiltrate a portion of municipal water or power utilities’ digital infrastructure and demand ransom to release it.

Planning to avoid, but preparing to respond

“We really need to prepare now for these acts, which we’ve already seen here in Indiana and across the world ,” said Ron Pelletier, founder and Chief Customer Officer at Pondurance, a cyber security company.  “Investing now in preventative measures is the best way to avoid situations like that. It comes down to planning to avoid, but preparing to respond.”

The stark reality of the need for that preparation will come into focus on Saturday, August 14, when a cyber exercise will be conducted as part of a full-scale functional exercise revolving around emergency response to an earthquake. The exercise will be hosted by the Indiana National Guard at the Muscatatuck Urban Training Center with first responders and several military branches as well as search and rescue teams in attendance.

As emergency and military teams respond to the effects of the mock earthquake, the Indiana National Guard will also be testing the additional response of its incident command leadership when cyber experts from IU Health, Citizens Energy and Pondurance make the efforts more difficult by mock-attacking the local water supply.

The benefits of investing so much time, energy and resources into practicing for disaster response have long been accepted for traditional emergency response. Bringing cyber response into the mix is a sign of the times.

Ron’s Pondurance team hopes this weekend’s disaster drill, and future drills, will raise awareness among policy makers to help fund security programs and protocols.

“National, state, and community security is truly at risk here, and we need to take action now to preserve it. Waiting for the dam to burst before you repair it is a terrible maintenance strategy, and that’s exactly the situation we have here across power grids, water supplies, healthcare, you name it,” he said.

Chetrice Mosley-Romero, cybersecurity program director for the State of Indiana, agrees adding, “Having the ability to draw on the resources and expertise required at a moment’s notice to keep people safe in the event of a cyber incident or attack relies on making certain that the state and it’s partners have a line of communication that’s always open and the opportunity to go through these types of exercises and ensure the State of Indiana is prepared for an effective and quick response.” 

Does insurance solve the threat of cyber crime?

The Muscatatuck earthquake is not a fanciful scenario.

In April, hackers gained entry into the networks of Colonial Pipeline Co. through a virtual private network (VPN) account, enabling them to take down the largest fuel pipeline in the U.S., which led to shortages across the East Coast. Dozens of schools, hospitals, including Eskenazi Hospital, and other businesses have also fallen victim to cyberattacks. The practice is so common that companies can now purchase cyber insurance, and that’s given rise to a debate over whether that insurance coverage is fueling a rise in cyber crime.

Ron sides with the argument that insuring yourself against cyber threat is only one part of the solution and should not be a singular response.

“Cyber insurance is only part of an incident response program, but on its own merits will not bring your data, systems or even your customers back.  That will take proactive planning that is both robust yet flexible in all regards,” he said.

Fighting ransomware requires the nonlethal equivalent of the “global war on terrorism” launched after the Sept. 11 attacks, John Riggi, a former FBI agent and senior adviser for cybersecurity and risk for the America Hospital Association told the Associated Press in a story carried by the Indianapolis Business Journal.

“It should include a combination of diplomatic, financial, law enforcement, intelligence operations, of course, and military operations,” he said.

A public-private task force including Microsoft and Amazon made similar suggestions in an 81-page report that called for intelligence agencies and the Pentagon’s U.S. Cyber Command to work with other agencies to “prioritize ransomware disruption operations,” the Associated Press reported.

The World Economic Forum warned in 2019 that cyberattacks and their potential to cripple critical infrastructure remain one of the biggest risks facing the world today.

A first-of-its-kind cybersecurity collaboration

While the need for the disaster drill is clear, it’s fairly unusual for so many groups to be involved.

“It’s just another example of how Indiana approaches problem-solving from a collaborative point of view,” Ron says. “That’s key.”

Chetrice agreed: “We’re pleased to have participation from the private, public, academic and military sectors. It’s a reflection of how Indiana has an open approach to bringing all stakeholders into the fold when it comes to protecting Hoosiers across the state.”

Many of those who are participating in the exercise also serve on the Indiana Executive Council on Cybersecurity, a first-of-its-kind collaboration responsible for guiding the state’s cybersecurity policy. It has 35 Council members and 250 advisory members, including Ron and Mike Langellier, TechPoint’s CEO, whose knowledge as subject matter experts represent a wide range of businesses, industries and professions, including education, finance, utilities and insurance, among many others.