What if a cyberattack knocked out power and all the other utilities that we take for granted?
"Leave the World Behind," a new movie from Netflix featuring an all-star cast including Ethan Hawke, Kevin Bacon and the inestimable Julia Roberts, explores this very question.
While details are scarce, the novel the movie is based on ponders what would happen if a cyberattack leads to a massive blackout, leaving families to find ways to survive in the absence of the basic essentials they took for granted.
Now, there's a small chance the movie will have a dramatic and embellished interpretation of how people would react to such an event.
And the odds of a cyberattack of that scale happening are quite remote.
But recent trends in cybercrime suggest threat actors are increasingly and deliberately targeting critical infrastructure sectors, such as organizations involved in delivery of utilities, with the recognition that interference with critical infrastructure will be much more widely felt. Thus, the leverage they have to extort a ransom correspondingly increases.
What federal cyber security reporting tells us about the risks critical infrastructure face
The Canadian Centre for Cyber Security recently issued a report containing many interesting findings, including:
- Ransomware remained one of the most pervasive forms of cybercrime, and could have a serious impact on a target's ability to function.
- Organized cybercrime posed a threat to Canadian national security and economic interests.
- Russian- and Iran-sponsored threat actors (as well as non-state-affiliated threat actors who operate from within those borders) were likely to be key origins of threat vectors.
- Financially motivated threat actors would likely focus on high-value targets, such as organizations operating in critical infrastructure.
Impact on organizations working in critical infrastructure is more likely to have a broader impact on the public.
For instance, an attack on a transit operator can leave everyone relying on those services stranded. Attacks on utilities, such as electricity and water, can leave households and businesses unable to perform routine tasks. Impacts on payment processing nodes could effectively freeze retail and commercial activities.
This added vulnerability makes organizations operating in critical infrastructure sectors more enticing for threat actors. In the past few years, successful attacks have led to substantial ransoms, and even where a ransom wasn't paid, the impact on the targeted organization when trying to restore services could be very substantial.
In the current environment, all organizations (and individuals for that matter) should be taking extra precautions to minimize the risk of a successful attack, as well as maintaining processes to ensure if attacked, sensitive and critical information can be recovered.
The importance of 'hardening' oneself to cyber-threats is particularly important for any business or organization that delivers services relating to critical infrastructure. In addition to being more likely to be targeted by threat actors, a successful attack may create further legal risk from anyone that was adversely impacted by any service stoppage.
How critical infrastructure organizations can begin preparing for cyberattacks
To mitigate the risk of cyberattacks and the attendant legal risks, organizations can take the following steps:
- Ensure the IT infrastructure being used (or relied on through third parties) is up-to-date.
- Maintain data and process redundancies to minimize service stoppage.
- Train personnel who have access to sensitive data or infrastructure on best practices and red flags to be mindful of.
- Maintain and update a response plan that outlines clear responsibilities and action items that can be implemented with minimal lag.
- Maintain a risk mitigation plan that includes identifying any stakeholders that you are contractually or legally required to give notice to.
- Obtain an appropriate insurance policy for cyber-related risks.
The list above is not intended to be exhaustive, but the more an organization is able to do to proactively protect itself from an attack and minimize fallout if an attack is successful, the more likely it will be that service disruptions will be minimized and a court or regulator will find adequate safeguards were in place.
Organizations looking for assistance in proactively preparing, or dealing with an attack that has already occurred, are not alone. Breach coaches, who are typically lawyers, can be helpful resources that can bring in the necessary experts and forensics to help an organization deal with the crisis or plan for one.
If you are looking for assistance with preparing your organization, don't hesitate to reach out to a member of Gowling WLG's Cyber Security & Data Protection Law team.
 You'll have to watch the movie..
 Most jurisdictions have reporting requirements to the designated privacy regulatory authority.