Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/13/2021
01:00 PM
Lewis Huynh
Lewis Huynh
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Adapting to the Security Threat of Climate Change

Business continuity plans that address natural and manmade disasters can help turn a cataclysmic business event into a minor slowdown.

Climate change is a generational risk with profound implications to alter not just our physical world but our digital world, too. While not traditionally associated as a cybersecurity risk, the accelerating frequency, severity, and significance of climate change and extreme weather have left a devastating toll on individuals, businesses, and the critical infrastructure connecting the world. With staff facing reduced capacity and readiness and impaired IT and security controls, hackers have a larger attack surface to target.

Facing this growing threat, IT and cybersecurity teams should work with leaders across their organization to develop a robust business continuity and disaster recovery (BC/DR) plan that includes climate and extreme weather-related events. While no silver bullet, having a documented set of procedures and actions can help turn a cataclysmic business event into just a minor slowdown. 

Related Content:

Cyber Attacks, Climate Change Are Top Global Risk for Businesses & Governments

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Ghost Town Security: What Threats Lurk in Abandoned Offices?

Factoring in Economic, Social Challenges
Over the last three decades, hurricanes, wildfires, earthquakes, and other extreme weather events have exposed the fragility of entire communities. We are constantly reminded of communities at risk of being wiped out or experiencing power outages that leave businesses, governments, and individuals in the dark for days, weeks, or longer.

With the growing reliance on digital technology and the innate dependency on suddenly fragile data centers and power grids, strategies for managing these climate risks must be part of any organization's business continuity and disaster recovery (BC/DR) plan. If organizations don't plan for these risks, the economic and social costs of inaction could be overwhelming.

On top of the weaknesses and holes that may arise in security measures, the indirect social and financial costs of climate change should also factor into IT and cybersecurity leaders' decision-making. The International Organization for Migration estimates there could be more than 200 million climate refugees by 2050 and rising inequality could force people to turn to cybercrime as a means to survive.

The rate of cyberattacks against hospitals, schools, local governments, and businesses has risen steadily, and we're already beginning to see phishing scams designed to take advantage of people's anxiety around the effects of climate change. And as resource competition increases between nations, cyber warfare is a threat that cybersecurity professionals should consider, including attacks that can bring about the same types of infrastructure problems that follow climate disasters.

In 2019, the US power grid was under a cyberattack carried out using known firewall vulnerability. And just this year, in what unraveled as nation-state attacks, SolarWinds and Microsoft suffered breaches through the manipulation of exploits in their software development processes. These supply-chain attacks effectively allowed attackers to move upstream to increasingly more valuable targets, including Fortune 500 companies and US federal agencies that were spied on and had information stolen.

While the immediate effects are still unclear, it's clear to see how devastating an attack of this scale targeting power grids or data centers could be. Not only does cybersecurity play a critical role in providing digital safeguards after a climate event, but it is also pivotal in protecting the services, resources, and systems that keep society running. 

Adapting BC/DRs to Recent Climate Threats
During the recent winter storms, my family joined more than 4 million other Houstonians as we lost power, running water, and cell service for days. Without the means of doing my job, and extremely intermittent cellular service, I had to rely on our organization's leaders along with my team to continue vital business functions like security and cloud management. The entire experience highlighted the need for alternative modes of communication and documenting soft-touch processes, two key areas we had identified as critical to our BC/DR plan and were in the process of implementing.

Smaller organizations and startups just getting started may find setting up a BC/DR plan as challenging early on as they work to describe, document, and verify critical procedures. For these organizations, many processes develop organically, particularly around communication and responsibilities, and can be difficult to wrap into a larger executable format. But as companies mature, it becomes increasingly important to have documentation of the clear steps and actions to be taken in order to provide business continuity.

Climate and extreme weather-related downtime impacts more and more businesses and are expected to cost the global economy $210 billion annually. Adapting BC/DR plans to this new reality means accounting for the myriad social, economic, and technological challenges businesses will face because of climate change. Beyond just documenting roles, processes, and operations, these BC/DR plans should account for what to do in the event that an office loses power, what to do if an organization's on-premises or cloud-hosted data centers are damaged, and how to respond if the organization is under cyberattack.

We're already experiencing the effects of climate change, but we still don't know the true impact it will have, so it's the job of IT and cybersecurity leaders to plan for the worst and adapt to the new risks. A layered approach that includes cybersecurity best practices such as mandating multi- and dual-factor authentication across the board, increasing employee security training with extra focus on social engineering attacks such as phishing scams, and implementing security tools and automation to increase controls provides a strong start. From there, stacking on top of this a living BC/DR plan that maps out and factors in the hazards of climate-based risks as well as those with business-halting ransomware attacks will keep businesses agile while responding to threats.

Lewis Huynh is a seasoned cybersecurity professional and technologist with decades of hands-on experience. From hacking PCs and learning machine learning languages at a young age to pioneering DevOps and cloud networks, Huynh has extensive knowledge of some of the most ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21742
PUBLISHED: 2021-09-25
There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.
CVE-2020-20508
PUBLISHED: 2021-09-24
Shopkit v2.7 contains a reflective cross-site scripting (XSS) vulnerability in the /account/register component, which allows attackers to hijack user credentials via a crafted payload in the E-Mail text field.
CVE-2020-20514
PUBLISHED: 2021-09-24
A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users.
CVE-2016-6555
PUBLISHED: 2021-09-24
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in ver...
CVE-2016-6556
PUBLISHED: 2021-09-24
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This iss...