Stay informed on cybersecurity issues in your organization.
Everyone likes to be able to shift blame or responsibility away from their own internal operations. It is a natural human reaction when "bad things happen." The majority of emergency managers have little to do "directly" with the cybersecurity of their organization. Therefore, there has "traditionally" been only a modicum of interest in the topic among emergency managers.
One recent grant year's funding guidance had a requirement to include a project on cybersecurity — if you were to get the money for the other projects. Thus, a project was developed, I'm sure, in each applicant agency and someone in the information technology area now has responsibility for executing that project. The rest of the emergency management team is off working on "disaster stuff" that they are familiar with and responsible for.
My pitch to you is that cybersecurity is like a terrorist attack, be it a bomb or anthrax. You have the same level of responsibility to become informed, coordinate, share information, etc.
As for the most recent "catastrophic hack," you can start with being informed. See the information below for the basics on what happened, its implications and what organizations should be doing. I'm wondering — did anyone activate their emergency operations center (EOC) in response to this attack? PS: The attack remains ongoing!
CISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and private sector organizations. An advanced persistent threat (APT) actor compromised the SolarWinds Orion software supply chain and is abusing commonly used authentication mechanisms. If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk. CISA urges organizations to prioritize measures to identify and address this threat. For details, review the related CISA Alert, which CISA will update as information becomes available.
A sophisticated APT actor inserted malicious code into certain trusted SolarWinds Orion software updates, which were then made available to customers as legitimate software updates. Once these updates were applied, the APT actor gained access to customer network environments. The immediate danger is that the APT actor can use this access to create new accounts, evade common means of detection, obtain sensitive data, move across a network unnoticed, and establish additional persistence mechanisms. The APT actor has only targeted some organizations with further network exploitation. However, all organizations that installed the compromised updates remain at risk without corrective action.
CISA is also investigating incidents—not connected with SolarWinds—where abuse of Security Assertion Markup Language (SAML) authentication is present. This activity is consistent with the APT actor’s behavior. CISA strongly recommends that all organizations investigate, and, as applicable, remediate (potentially rebuild), and share information with those assisting in this massive response effort.
Steve Myers shared the information above.
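The CISA text above names abuse of SAML authentication as the actor's signature behaviour. As an added example (not part of this post or of CISA's guidance), here is a small Python review check for a SAML 2.0 assertion that flags what a forged token typically changes even when its signature would verify: a signing certificate outside the allow-list, a foreign issuer, or an abnormally long validity window. The IdP entity ID, the certificate bytes and the one-hour lifetime policy are constructed placeholders, not values from any real deployment.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed policy for a hypothetical IdP (idp.example.org): its entity ID, the SHA-256
# thumbprint of its token-signing certificate (placeholder bytes) and its longest token lifetime.
EXPECTED_ISSUER = "https://idp.example.org/adfs/services/trust"
GENUINE_CERT = b"constructed placeholder for the IdP's DER certificate"
TRUSTED_THUMBPRINTS = {hashlib.sha256(GENUINE_CERT).hexdigest()}
MAX_LIFETIME = timedelta(hours=1)

def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-12-17T15:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def assertion_findings(assertion_xml):
    """Review one SAML 2.0 <Assertion> and return a list of findings (empty means clean).
    A forged token may carry a valid signature, so check the signer, issuer and lifetime."""
    root = ET.fromstring(assertion_xml)
    findings = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_ISSUER:
        findings.append(f"issuer {issuer!r} is not the expected IdP")
    cert_b64 = root.findtext(".//ds:X509Certificate", default="", namespaces=NS)
    thumb = hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()
    if thumb not in TRUSTED_THUMBPRINTS:
        findings.append(f"signing certificate {thumb[:16]}... is not on the allow-list")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element, so the token has no validity window")
    else:
        lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
        if lifetime > MAX_LIFETIME:
            findings.append(f"validity window {lifetime} exceeds {MAX_LIFETIME}")
    return findings

def sample_assertion(cert_der, not_before, not_on_or_after):
    # Build a constructed assertion (SignatureValue omitted) for demonstration only.
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
            f"<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer><ds:Signature><ds:KeyInfo>"
            f"<ds:X509Data><ds:X509Certificate>{base64.b64encode(cert_der).decode()}"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
            "</saml:Assertion>")

# Constructed inputs: a normal one-hour token from the genuine certificate, and a token
# carrying a different certificate that was made valid for a full year.
GENUINE = sample_assertion(GENUINE_CERT, "2020-12-17T15:00:00Z", "2020-12-17T16:00:00Z")
FORGED = sample_assertion(b"constructed rogue certificate", "2020-12-17T15:00:00Z", "2021-12-17T15:00:00Z")
```

In a real environment the allow-list would hold the thumbprints exported from the IdP's own signing configuration, and the check would run over assertions captured at the relying party, where a token that passes signature validation but fails these checks is the event to investigate.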