State and local government officials should respond to cyber incidents with well-practiced disaster recovery plans, one Colorado official said.
Responding to an incident as if it were a disaster can give officials a way to activate a whole-of-government response and funding options, said William Chumley, the state’s chief customer officer and interim chief information security officer.
Attacks are inevitable, and states must be prepared, he said. “It’s not if, it’s when.”
During an April 21 GCN webcast on data protection, Chumley shared some lessons learned after the Colorado Department of Transportation was hit by a ransomware attack in February 2018 that affected roughly 80% of the systems at the department.
The issue stemmed from a brute-force attack that succeeded against a weak password, he said. When the network was infiltrated, officials were able to isolate and shut systems down, but the team’s daily operations, employee payrolls and vendor payments were disrupted. This meant employees had to find ways to maintain business continuity without phones or computers for four weeks.
The experience showed that effective cyber response is much like disaster response, in that the key to business continuity lay in logistics and training. Declaring the incident a disaster allowed DOT to get help from the Division of Homeland Security and Emergency Management and the Air National Guard and access state funds for response and recovery.
The incident demonstrated to Chumley how important it is for employees to work through the details of a disaster response plan. “You have to have a good incident plan and a disaster response plan they actually practice,” he said. The plan must be documented and regularly updated, he advised.
“It is thinking about it and preparing for it being real, and then practicing,” he said. “You’ve got to practice, practice, practice.”
Regular tabletop exercises helped officials clarify roles and exposed gaps in business operations at a granular level. An exercise in which cell networks went down forced staff to reevaluate existing processes and think about alternative communication methods, from printing off phone trees to practicing with emergency radios, Chumley said.
The ransomware attack also uncovered some technology vulnerabilities. Inconsistencies existed around asset inventories and configuration databases, and it wasn’t always clear which systems touched which others or how applications were updated and monitored. Plus, the legacy systems and technical debt created problems that weren’t always visible.
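The inventory and dependency gaps Chumley describes are exactly what a reconciliation pass surfaces before an incident rather than during one. The script below is an added example, not code from the article or from the State of Colorado: it compares a constructed network inventory against a constructed CMDB, reports systems that are on the wire but unrecorded, records with no live system behind them, dependencies that point at nothing, and entries with no owner, patch source or monitoring, and then derives a dependency-respecting restore order. The field names (`hostname`, `owner`, `patch_source`, `monitored`, `depends_on`) and the sample hosts are assumptions chosen for illustration.

```python
"""Reconcile an asset inventory against a configuration database (CMDB).

Added example, not code from the GCN article or from the State of Colorado.
All data below is constructed; the field names (hostname, owner,
patch_source, monitored, depends_on) are assumed, not a real CMDB schema.
"""
from dataclasses import dataclass, field

# Constructed sample: what a network scan or inventory tool actually observes.
INVENTORY = [
    {"hostname": "payroll-db01", "ip": "10.10.1.20"},
    {"hostname": "payroll-app01", "ip": "10.10.1.21"},
    {"hostname": "vendor-pay01", "ip": "10.10.2.5"},
    {"hostname": "legacy-fs01", "ip": "10.10.9.9"},  # on the wire, absent from CMDB
]

# Constructed sample: what the CMDB claims, including dependency and upkeep data.
CMDB = [
    {"hostname": "payroll-db01", "owner": "finance-it", "patch_source": "wsus",
     "monitored": True, "depends_on": []},
    {"hostname": "payroll-app01", "owner": "finance-it", "patch_source": "wsus",
     "monitored": True, "depends_on": ["payroll-db01", "auth-ldap01"]},  # auth-ldap01 unknown
    {"hostname": "vendor-pay01", "owner": "", "patch_source": None,
     "monitored": False, "depends_on": ["payroll-db01"]},
    {"hostname": "retired-web01", "owner": "web-team", "patch_source": "manual",
     "monitored": True, "depends_on": []},  # recorded, but no longer on the network
]


@dataclass
class ReconcileReport:
    unmanaged: list = field(default_factory=list)      # seen on network, missing from CMDB
    stale: list = field(default_factory=list)          # in CMDB, not seen on network
    dangling_deps: list = field(default_factory=list)  # (system, dependency nobody recorded)
    unowned: list = field(default_factory=list)        # no owner, patch source or monitoring
    blast_radius: dict = field(default_factory=dict)   # system -> systems that depend on it


def reconcile(inventory, cmdb):
    """Cross-check observed assets against CMDB records and dependency links."""
    seen = {a["hostname"] for a in inventory}
    recorded = {c["hostname"]: c for c in cmdb}
    report = ReconcileReport()

    report.unmanaged = sorted(seen - recorded.keys())
    report.stale = sorted(recorded.keys() - seen)

    for host, rec in recorded.items():
        for dep in rec["depends_on"]:
            if dep not in recorded:
                report.dangling_deps.append((host, dep))
            else:
                report.blast_radius.setdefault(dep, []).append(host)
        # An empty owner, a None patch source or monitored=False all count as unowned.
        if not rec["owner"] or not rec["patch_source"] or not rec["monitored"]:
            report.unowned.append(host)

    report.dangling_deps.sort()
    report.unowned.sort()
    for dep in report.blast_radius:
        report.blast_radius[dep].sort()
    return report


def restore_order(cmdb, hosts):
    """Order hosts so each dependency is restored before anything that needs it.
    Dependencies absent from the CMDB are skipped here; reconcile() flags them."""
    recorded = {c["hostname"]: c for c in cmdb}
    order, done = [], set()

    def visit(host, path):
        if host in done:
            return
        if host in path:
            raise ValueError(f"dependency cycle at {host}")
        for dep in recorded.get(host, {}).get("depends_on", []):
            if dep in recorded:
                visit(dep, path | {host})
        done.add(host)
        order.append(host)

    for host in hosts:
        visit(host, set())
    return order


if __name__ == "__main__":
    rpt = reconcile(INVENTORY, CMDB)
    print("unmanaged:", rpt.unmanaged)
    print("stale:", rpt.stale)
    print("dangling deps:", rpt.dangling_deps)
    print("unowned:", rpt.unowned)
    print("blast radius:", rpt.blast_radius)
    print("restore order:", restore_order(CMDB, ["vendor-pay01", "payroll-app01"]))
```

Run against the constructed data, the report flags `legacy-fs01` as unmanaged, `retired-web01` as stale, `payroll-app01` as depending on an unrecorded `auth-ldap01`, and `vendor-pay01` as having no owner, patch source or monitoring; the blast-radius map shows that `payroll-db01` must come back before both payment systems, which is the ordering `restore_order` produces. Running the same comparison on a schedule, and treating each non-empty list as a ticket, turns the "we probably knew, but we didn't have data" problem into a measured backlog before any incident forces the discovery.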
The data discovery required to stand systems back up after the attack helped the agency fully understand the exposure from the technical debt that “we probably knew [existed], at some level, but we didn’t have data,” Chumley said.
The key is responding, not reacting, Chumley said.
“What we found is that it’s mostly common sense and practice,” he said. “And being ready, knowing it will happen and getting rid of the fear aspect can really be powerful and empowering. To say let’s practice, let’s be ready and think differently about how we respond.”