You may have read the article "Are squirrels a bigger threat to the power grid than hackers?" (Washington Post, Andrea Peterson). When I first heard the brief sound bite "squirrels are a bigger threat to the power grid than hackers," it sounded to me like someone was just trying to be provocative.
But then I thought about it some more. In my personal life, I have seen squirrels take down the power by chewing on lines, and shorting out transformers. And then when I mentioned the article to some colleagues at MEDITECH, they smiled with a knowing smile. They knew of one of our customers - a hospital - whose power had been brought down 5 times in 2 years by squirrels.
Properly Assess Risks
I started using this story in Cybersecurity presentations to illustrate the importance of properly assessing risk.
At the time, there were big scary headlines about Russian hackers taking down the power grid (and in fact, there continue to be headlines about this over 6 years later), and that gets a lot of attention. Executives want to know "how are we prepared for a successful Russian attack on the power grid?" And rightfully so.
However, it's important to not ignore the common risks that are less scary but cause problems nonetheless. Squirrels may not be bent on bringing down the entire power grid at once, but because they frequently cause significant problems, their actual impact can be pretty great.
A proper risk assessment will put it all in perspective, and should result in a risk treatment plan that addresses risk big (Russia) and small (like the size of a squirrel). To protect against Russian Hackers, the utility companies invest in ways of building more resilience into the systems; they practice incident response; they investigate technologies for securing OT (Operational Technology) systems that run everything. There are also steps that can be taken to mitigate the threat of squirrel caused power outages. Google "squirrel proof power grid" and you'll see what I mean.
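To make the "big and small" point concrete, here is an added example (not from the article) of a tiny risk register that ranks threats by annualized loss expectancy, ALE = ARO x SLE. The squirrel rate echoes the "5 outages in 2 years" above; every dollar figure and the nation-state rate are constructed assumptions for illustration.

```python
# Added example: rank a risk register by annualized loss expectancy (ALE),
# so a frequent low-impact threat and a rare high-impact one are compared
# on the same scale. All figures are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float  # annualized rate of occurrence (events per year)
    sle: float  # single loss expectancy (dollars lost per event)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected dollars lost per year."""
        return self.aro * self.sle


# Constructed register. "5 outages in 2 years" becomes ARO = 2.5/yr;
# the dollar values and the nation-state rate are assumptions, not data.
REGISTER = [
    Risk("squirrel-caused outage", aro=5 / 2, sle=40_000),
    Risk("nation-state grid attack", aro=1 / 50, sle=4_000_000),
    Risk("ransomware via phishing", aro=0.5, sle=600_000),
]


def rank_by_ale(risks):
    """Return the risks sorted from highest to lowest expected annual loss."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def residual_ale(risk, likelihood_reduction=0.0, impact_reduction=0.0):
    """ALE after a control that cuts event frequency and/or per-event loss
    by the given fractions (0.0 = no effect, 0.5 = halved)."""
    return risk.aro * (1 - likelihood_reduction) * risk.sle * (1 - impact_reduction)


if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:26s} ARO={r.aro:5.2f}/yr SLE=${r.sle:>11,.0f} ALE=${r.ale:>9,.0f}")
    # A "squirrel proof" control (e.g. line guards) assumed to halve the outage rate:
    print("squirrel ALE with guards:", residual_ale(REGISTER[0], likelihood_reduction=0.5))
```

With these constructed numbers the squirrel line item out-ranks the nation-state attack on expected annual loss, which is the whole point of the story: the treatment plan has to fund controls for both.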
Outwitting Squirrels
Fast forward a few months, and one of those aforementioned colleagues drops off a book at my desk - "Outwitting Squirrels" by Bill Adler, Jr. The amusing subtitle of this comprehensive book is "101 cunning stratagems to reduce dramatically the egregious misappropriation of seed from your birdfeeder by squirrels." At first blush you might think this is not a scholarly tome but merely a humorous book. It turns out to be a detailed analysis of squirrels, how to feed birds, bird feeders, and the constant struggle to prevent squirrels from driving away the birds that so many love to watch.
It was only when I read this paragraph from "Outwitting Squirrels" that I realized there is yet another connection to Cybersecurity:
"...every time a human constructs another barrier, squirrels break through. Funny, also, because bird feeders spend hundreds of hours and dollars trying to keep these small animals away-- and the squirrels have nothing better to do all day long than to break into feeders."
Then it hit me - that describes exactly the current struggle between hackers and defenders in the cybersecurity world.
We defenders set up some new defense — a new firewall, "next gen anti-virus", honey pots, SIEMs, WAFs, multi-factor authentication, heuristic based threat detection — and then the hackers work all day long to break in.
They are highly motivated. This is their food, after all. This is how they make a living. They also love doing what they do. It's exciting. It's interesting. Who doesn't like trying to do something clever? For anyone who has solved a puzzle, picked a lock, or - yes - broken into a computer system, it must be admitted that there is a thrill to it, and a sense of accomplishment.
Take Away Their Motivation
Really, the only way to prevent squirrels completely is to quit rewarding them with food.
Similarly, hackers are not going to give up as long as they can monetize hacking in some manner. Right now the focus is on ransomware. Paying the ransom simply encourages them to do more of the same...and gives them the resources to get better at it.
It's important to make it "expensive" for the hackers. Risky. At the Cyber Health Working Group's CyberGard conference a few years back, one of the presenters from the National Cyber Forensics Training Alliance (NCFTA) said (paraphrasing from memory here):
"These attackers aren't on Mars. We can get at them."
This highlights the importance of bringing these hackers to justice. Thankfully, the authorities do continue to improve in this area.
Minimize Losses
Another lesson that comes to mind is that you can't fully keep the attackers out, but you can work to minimize losses. By putting in a "squirrel proof" feeder, for instance, I've been able to prevent squirrels from eating the birdseed as quickly as they used to. It's a lot of effort, but they can still get into the squirrel proof feeder. They simply hang upside down and reach in with their front paws.
For hackers, we might make it difficult for them to break into the systems. We also put in place software that allows us to track what they do and help dynamically shut them out in real time. By doing this, we can at least minimize attacks.
Welcome to the War
Is there a bigger lesson we learn from the battle against squirrels? Isn’t it that it’s not just a matter of “one and done” - you can’t just set up defenses and be done with it. It is truly a back and forth struggle, a contest of wills. It is always evolving.
You must observe the enemy - learn their tactics, adapt as they change, and continually be on the alert.
A Hospital CIO told me an account that illustrates this well. They detected a hacker attacking their network from an Eastern European country. They refused connections from that country. The next day the attackers were coming from within the U.S. They were also able to shut out these attacks. Day after day the attackers would try different routes and tactics. After 30 days of this, the attackers were able to steal a small amount of credit card data. However, the actions of this IT Security team were effective - they minimized the amount of information the hackers were able to steal, and over the course of those 30 days they were able to tighten up security until the hackers finally gave up.
Unfortunately, all of this requires time, skill, money, and vigilance. Add to this that some of the security controls may annoy staff, customers, partners, and executives. Just as the increasing defenses put in place to shut out squirrels can sometimes deter birds, difficult security controls may drive away customers.
Today’s security professional must balance usability, business goals, and risk. Cybersecurity truly has become a tight-rope walk! Walking a thin wire - hey, that’s something else we can learn from squirrels!
Please contact me if you ever need advice — I am always eager to help defend our Critical Infrastructure.