Perfect storm tests city: Hurricane and hackers

By Blake Sobczak | 05/31/2019 06:47 AM EDT

Baltimore’s city government suffered a crippling “ransomware” attack earlier this month. Hackers held key databases hostage, from water billing to email, costing the city close to $20 million to recover.

A Department of Defense-sponsored cybersecurity exercise last week forced emergency responders to parry hacking threats right after a simulated hurricane. Photo credit: National Hurricane Center

While Baltimore officials were still reeling from the May 7 cyberattack, municipal employees in Charleston, S.C., were rehearsing how they would handle a similar ransomware strike.

But organizers of the May 22 cybersecurity workshop in Charleston added a twist: The simulated cyberattack hit immediately after a major hurricane.

"We’re starting to see cities incorporating cyber incident response in their emergency management plans — but not always," said Rich Johanning, critical infrastructure preparedness specialist at AECOM, which is supporting the "Jack Voltaic 2.5" workshop series under a Department of Defense contract. "We’re finding that municipalities aren’t necessarily thinking from a cyber perspective. … That’s why we’re here, to educate and inform them on the impacts."

The one-two punch of a hurricane and a cyberattack isn’t such a far-fetched scenario, as South Carolina’s northern neighbor can attest. In early October last year, days after Hurricane Florence brought devastating floods to the area, a small water utility in North Carolina reported being "specifically targeted" by cyber criminals who were out to inflict maximum damage with the Ryuk ransomware.

Amanda Knight, emergency management director for Mount Pleasant, S.C., said that the "many disasters that have impacted the region" in the past five years have strengthened communication among southeastern cities.

During Jack Voltaic, "we detailed how vital it is to have immediate access to the resources necessary to respond and recover" from a cyber event, she said. Knight was one of about five dozen local, state and federal officials who participated in last week’s workshop.

The Jack Voltaic exercise series launched in August 2016 in New York as a research experiment aimed at unearthing any gaps in major cities’ ability to respond to major cyberattacks. That inaugural event focused on the power, water, finance and emergency management sectors, according to planning documents from the Army Cyber Institute.

"The primary objective was to identify an exercise framework and rehearse coordinated responses by any city to cyber events that affect multiple sectors," the institute said.

The program’s second version moved to Houston in July 2018, less than a year after Hurricane Harvey dumped feet of rain on the region.

Jack Voltaic 2.0 asked emergency planners what they would do if a fictional "Hurricane Miguel" made landfall in Freeport — while hackers simultaneously crashed systems at the Texas Medical Center and the sprawling Port of Houston.

The latest string of workshops is rehashing the lessons learned from last year’s exercise and laying the groundwork for the next one. "Jack Voltaic 2.5" is touring six cities across the United States this year, starting in Charleston.

Other cities of strategic interest to the Department of Defense are on the schedule: Norfolk, Va., home to a huge naval base; San Diego; San Francisco; Seattle; and finally Beaumont, Texas, adjacent to Port Arthur and capstone of a crucial energy corridor.

"These workshops are identifying issues that current policies and executive orders don’t really address," Johanning said in an interview. "Cities don’t always understand what they rely on: From an infrastructure perspective, they know they need power, they need water — but what’s their center of gravity? What’s the crown jewel that they need to make sure they’re aware when something nefarious is going on?"

In Charleston, a port city linked to Norfolk Southern and CSX rail hubs, the railroads are a backbone of the community’s critical infrastructure. Workshop participants last week discussed a scenario in which hackers disabled rail signaling networks, snarling rail and road traffic ahead of a big storm.

Karen Evans. Photo credit: @evans5560/Twitter

"When I’m stopping a train that’s now going to block a major [hurricane] evacuation route, how do you address things like that?" Johanning said.

Such dire scenarios may sound far-fetched, but they’ve lately drawn attention and resources from officials at the Department of Homeland Security, the Federal Emergency Management Agency and the Department of Energy, which recently set up an Office of Cybersecurity, Energy Security and Emergency Response to parry both cyberthreats and natural disasters.

"That’s when we as a nation are most vulnerable," Karen Evans, the DOE assistant secretary leading CESER, said in an interview earlier this year.

"We need to make sure that as we do those emergency responses, the people involved are aware that they’re not introducing more vulnerabilities when they’re reconstituting services, so that our adversaries don’t take advantage of us during a natural disaster."