By Andy Jabbour
Part of effective risk management is understanding not only the threats and risks we are facing today but where those threats are going and how they may impact our organizations in the months and years ahead. Some of our biggest national security and organizational security failings have been due to a lack of imagination and a failure to prepare for evolving threats.
Following the WannaCry ransomware outbreak in 2017, I shared the following thought on LinkedIn: “WannaCry brings up a thought I often have – what is the best way to capture cyber incidents with physical impacts? I catch myself using ‘cyber-physical’ but that can’t be the best term.” That post and the subsequent discussion led to this post: “Terminology for $500. What Are Blended Attacks?”, which was further refined in “Blended Threats (update 1.1): Understanding an Evolving Threat Environment.” In the two and a half years since, we’ve written a lot on blended threats and led numerous exercises exploring them and how to prevent, protect against, mitigate, respond to, and recover from them.
At Gate 15, we spend a lot of time discussing Blended Threats. A Blended Threat is a natural, accidental, or purposeful physical or cyber danger that has or indicates the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.
As we’ve written about and discussed those ideas, the greatest fear has always been that a blended threat would develop as a cyber attack resulting in the loss of life. Sadly, while perhaps not intentional, it seems that has now happened. We first caught wind of the incident through a post from Dissent Doe (@PogoWasRight) via her DataBreaches.net site (a daily stop for our team as we execute the intelligence cycle). On 17 Sep, she wrote, “It was our nightmare realized: a medical center was completely paralyzed by a ransomware attack and someone died as a result. As of last week, the University Clinic in Düsseldorf reported that it was in a state of emergency. Operations had been canceled, and ambulances had to be redirected to other clinics. On September 10, the clinic had posted an announcement… Days later, the clinic remained paralyzed and unable to function normally, even as of yesterday. And now we read that the threat actors’ attack has resulted in a death.” Read the complete post for more links and details.
This is a tragic example of something many of us knew was coming, sadly and finally, happening. We saw some foreshadowing of this a year ago, when three hospitals in Alabama were temporarily closed “to all but the most critical new patients” due to a ransomware attack.
- TIME: 3 Hospitals in Alabama Forced to Turn Patients Away After Ransomware Attack, 02 Oct 2019
- AL.com: Report: Alabama hospitals pay hackers in ransomware attack, 05 Oct 2019
- CNN: 3 Alabama hospitals are accepting patients again after a ransomware attack on its computers, 11 Oct 2019
As security and risk leaders, we need to understand the all-hazards threat environment, anticipate what our evolving concerns are, assess the risks, prioritize resources, and take action to reduce those risks as effectively as we can. Blended threats are here, and they’re having a variety of impacts:
- Threatpost: CEOs Could Be Held Personally Liable for Cyberattacks that Kill, 07 Sep 2020
- Verizon: Smart cities and cyber security: protecting citizens from malicious attacks, 16 Sep 2020
- ESET We Live Security: Sports data for ransom – it’s not all just fun and games anymore, 16 Sep 2020
- HackRead: Hacker finds ex-Aussie PM’s passport number using his Instagram post, 16 Sep 2020
- IBM Security Intelligence: A New Botnet Attack Just Mozied Into Town, 17 Sep 2020
Restating our message from earlier this month, as the environment changes, our preparedness activities need to keep pace. Is your incident response plan ready for the threat of ransomware, for blended threats, and for other evolutions in our all-hazards threat environment? Our team is ready to help you develop the plans, training and exercises you need to be ready. During this National Preparedness Month, maybe it’s a great time to take the next step in your organizational preparedness.
In a post earlier this month, the DHS Cybersecurity and Infrastructure Security Agency (CISA) wrote that CISA “recommends users and administrators use this month as an opportunity to assess cybersecurity preparedness for cyber-related events, such as identity theft, ransomware infection, or a data breach.” We agree. Let’s get started.
Understand the Threats.
Assess the Risks.
Take action! Our team is here to help you build the relationships and capabilities you need and to assist in the development of plans, training, and exercises to support your ability to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk to your organization in our complex, all-hazards environment.