Hurricane Sandy blows holes in cyber security

Ignore the lessons of the storm with regard to IT protection at your peril. There are some simple questions that any organisation should ask itself and address.

The devastation caused by Hurricane Sandy in New York exposed the vulnerability of the city's infrastructure. Patrick Semansky / AP Photo

A warning issued by Janet Napolitano, the homeland security secretary in the United States, in the immediate wake of Hurricane Sandy is already coming true.

She said the devastation caused by the hurricane in New York now underlines the pressing need for increased cyber security.

Alan Brill, the senior managing director of the cyber security and information assurance practice at the security company Kroll, says many companies, including some Wall Street-based financial institutions, are already facing a massive potential threat in the wake of Hurricane Sandy as hackers take advantage of breaches in security to try to break into IT systems.

"Organisations are going to have to look to determine whether in the course of the storm, they had to use shortcuts or change their procedures to allow them to continue operating," says Mr Brill. "Changes in procedures are often associated with changes in risk."

He quotes an example of the way in which hackers are already taking advantage of disaster conditions, where an organisation's offshore telephone helpdesk was contacted by a bogus caller requesting an emergency download of sensitive personnel information. The caller said the information was needed to assist staff who had been affected by flooding.

Because internet connectivity had been lost in the area and telephones were not working, the helpdesk could not make a reasonable verification of who was making the request and sent the highly sensitive information to the bogus caller's "backup site", which was, as it eventually transpired, a system controlled by hackers.

Another hazard is the physical destruction wrought by the storm damage that took place in the wake of the hurricane.

"Flooding damaged computers and hard drives in hundreds if not thousands of businesses and organisations throughout the region by Hurricane Sandy and the subsequent storm," says Mr Brill.

The data recovery unit at Kroll Ontrack had been working almost around the clock to perform emergency recoveries for mission-critical business data lost as a result of water damage, he adds.

Other problems were less predictable. Some small to medium-sized businesses had the foresight to install generators to provide for continuity of computer operations in the event of a power outage. However, because of the unprecedented length of the blackouts, many of the generators ran low on fuel. With waiting times of up to six hours not unusual in local filling stations, there were long lines of people with plastic petrol containers trying to get fuel for their generators.

Nor is there any end in sight for the disruption caused to New York's vital infrastructure.

"This isn't a problem that will go away, even once the streets have dried out," reports the New Scientist magazine, which says that the problem is that New York is degrading from beneath the city streets. Much of its vital infrastructure - the utility pipes that carry gas, water and electricity plus the city's extensive subway system - is buried deep underground and rapidly rusting away.

Many of the massive skyscrapers in Manhattan, for example, are heated by high-pressure steam sourced from mile after mile of high-pressure steam pipes. Some of these are very old, and there have already been instances of pipe explosions closing down entire areas because of the dangers of dust from the asbestos that had once been used to insulate the underground piping.

The Economist magazine also reports that the worst is yet to come and that catastrophic losses will double every decade in the US because of growing population density on the coasts.

Companies with offices located well outside North America also have much to learn from the lessons on cyber security now being so painfully taught to New Yorkers and to those international organisations with IT facilities located in the affected area.

"You need to figure out what can go wrong and what your backup plan is," says Mr Brill. "It could be a hurricane or a tornado or an earthquake or any of a number of other disasters. I think the lesson from this superstorm is that you cannot make the assumption that you will not become a victim of circumstance."

Kroll believes there are a number of simple questions any organisation can ask to ensure future IT security in the wake of any possible eventuality.

What is it that the organisation depends on for its IT infrastructure and IT security to work properly?

Where does an organisation get its power and telecommunications?

How do the staff get to work?

How long would the fuel supply to the backup generators last in the event of a prolonged power outage?

Even more alarmingly, Ms Napolitano is warning that the US is now under a growing threat from a cyber attack by hackers bent on bringing down the entire nation's control systems for utilities, water plants, pipelines and financial institutions.

"Ignoring the lessons of Hurricane Sandy really means that you're betting the future of your company on pure, dumb luck," says Mr Brill.