Whilst the UK and Ireland are not hit by hurricanes as often or as hard as some other countries, they are prone to natural disasters such as flooding. This was the case in 2015 and 2016, when areas of Cumbria, Yorkshire, southern Scotland and parts of Ireland were submerged. Snow caused major disruption across the UK in March 2018, and when Storm Ophelia (the remnants of Hurricane Ophelia) hit Ireland in October 2017, twenty-two thousand people were left without electricity according to the figure quoted here.
Continuing to deliver an essential service through a technology failure or compromise is a requirement of the Network and Information Systems (NIS) Regulations, which apply to operators of essential services (OESs) across the UK and Ireland. Planning for significant disruption requires you to define your critical resources and processes, the systems that support them, and the order in which they must be restored during and after an event. That could mean falling back to manual processes whilst systems are down, or failing over to an alternative location before restoring service to normal. But what if a natural disaster and a cyber-attack were to occur at the same time? Do you plan for that? This is exactly what Houston's public safety team did during a three-day cyber-attack exercise. The city wanted to test its ability to detect and survive a cyber-attack whilst a natural disaster, such as a hurricane, was unfolding at the same time. The exercise tested how a large city, with participants from communications, energy, water, health, port and emergency services, coped with a coordinated cyber-attack on top of the physical challenges a natural disaster brings.
The team found it had good processes in place for dealing with the natural disaster, but the cyber side was harder: participants were hesitant to discuss their cyber capabilities and vulnerabilities with the other parties. Until this exercise, physical and cyber disaster plans had been exercised separately; the City of Houston will now consider cyber security whenever it plans for major events. Another lesson was that the exercise prompted conversations, and led to new processes, between the public sector and private industry for handling cyber security events that had not existed before.
A lot of effort needs to go into planning for a disaster, and the Houston exercise shows how important it is to test whether the plans actually work. If a plan fails under test, the weaknesses are identified and can be fixed before a real disaster. Business continuity plans need to be adaptable: from a cyber perspective, invoking the plan may mean isolating operational networks because a disaster raises the likelihood that your organisation is being targeted. OESs with industrial automation and control systems (IACS) may consider applying IEC 62443, a standard whose reference model separates systems into logical levels and groups equipment into security zones connected by defined conduits.
Identifying critical services is essential to understanding what must remain operational in order to deliver service. The supporting network, storage and processing capacity needs to be measured so that you know what capacity is required and how much demand fluctuates month by month or at particular times of year. In a failover situation you do not want the service to fail a second time through resource overload at the alternative site.
Don't forget that resources also include people. If there is an event such as flooding, adverse weather or, worse, a pandemic, how long can the service remain operational without a change of personnel? Are the people needed to bring the service back up available, and can they reach the network? Have all operational procedures been written down and kept current, so that stand-by personnel can follow them?
Alternative locations, backup generators and diverse routing are all mitigations to consider for continuing service. Your supply chain could be affected by the same disaster if suppliers are located near your business, so they too must form part of the business continuity plan.
IT teams generally have good backup procedures and reliable backups in place, but restoration from those backups must also be considered as part of the business continuity plan. This means confirming that backups of critical services are accessible in a disaster, that the infrastructure needed to restore them is available, and that service can be restored within a time the business finds acceptable; the only way to know the restore time is to rehearse the restore.
Communication is essential during an event: knowing who is approved to communicate, who they are authorised to communicate with, and who they must inform. Under the NIS Regulations, an OES must notify its Competent Authority without undue delay, and no later than 72 hours after becoming aware of an incident that has a significant impact on the continuity of its service. Voluntary reporting of other incidents is encouraged. With the introduction of the NIS Regulations, the National Cyber Security Centre (NCSC) has been designated the single point of contact (SPOC) for the UK, and Ireland's own National Cyber Security Centre fills the same role there; either can be contacted about suspected or actual cyber-attacks. The NCSC coordinates and advises OESs, so a mechanism exists for communication between organisations, but are OESs in the same vicinity able to cope if they are affected by a natural disaster and a cyber-attack at the same time?
At Gemserv we have a wealth of experience in developing effective cyber security and business continuity procedures. This places us in an advantageous position when tackling the NIS Regulations, and we have put together a wealth of information to assist you. To find out more, visit our dedicated NIS landing page: