Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Lewis Huynh
Lewis Huynh
Connect Directly
E-Mail vvv

Adapting to the Security Threat of Climate Change

Business continuity plans that address natural and manmade disasters can help turn a cataclysmic business event into a minor slowdown.

Climate change is a generational risk with profound implications to alter not just our physical world but our digital world, too. While not traditionally associated as a cybersecurity risk, the accelerating frequency, severity, and significance of climate change and extreme weather have left a devastating toll on individuals, businesses, and the critical infrastructure connecting the world. With staff facing reduced capacity and readiness and impaired IT and security controls, hackers have a larger attack surface to target.

Facing this growing threat, IT and cybersecurity teams should work with leaders across their organization to develop a robust business continuity and disaster recovery (BC/DR) plan that includes climate and extreme weather-related events. While no silver bullet, having a documented set of procedures and actions can help turn a cataclysmic business event into just a minor slowdown. 

Related Content:

Cyber Attacks, Climate Change Are Top Global Risk for Businesses & Governments

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Ghost Town Security: What Threats Lurk in Abandoned Offices?

Factoring in Economic, Social Challenges
Over the last three decades, hurricanes, wildfires, earthquakes, and other extreme weather events have exposed the fragility of entire communities. We are constantly reminded of communities at risk of being wiped out or experiencing power outages that leave businesses, governments, and individuals in the dark for days, weeks, or longer.

With the growing reliance on digital technology and the innate dependency on suddenly fragile data centers and power grids, strategies for managing these climate risks must be part of any organization's business continuity and disaster recovery (BC/DR) plan. If organizations don't plan for these risks, the economic and social costs of inaction could be overwhelming.

On top of the weaknesses and holes that may arise in security measures, the indirect social and financial costs of climate change should also factor into IT and cybersecurity leaders' decision-making. The International Organization for Migration estimates there could be more than 200 million climate refugees by 2050 and rising inequality could force people to turn to cybercrime as a means to survive.

The rate of cyberattacks against hospitals, schools, local governments, and businesses has risen steadily, and we're already beginning to see phishing scams designed to take advantage of people's anxiety around the effects of climate change. And as resource competition increases between nations, cyber warfare is a threat that cybersecurity professionals should consider, including attacks that can bring about the same types of infrastructure problems that follow climate disasters.

In 2019, the US power grid was under a cyberattack carried out using known firewall vulnerability. And just this year, in what unraveled as nation-state attacks, SolarWinds and Microsoft suffered breaches through the manipulation of exploits in their software development processes. These supply-chain attacks effectively allowed attackers to move upstream to increasingly more valuable targets, including Fortune 500 companies and US federal agencies that were spied on and had information stolen.

While the immediate effects are still unclear, it's clear to see how devastating an attack of this scale targeting power grids or data centers could be. Not only does cybersecurity play a critical role in providing digital safeguards after a climate event, but it is also pivotal in protecting the services, resources, and systems that keep society running. 

Adapting BC/DRs to Recent Climate Threats
During the recent winter storms, my family joined more than 4 million other Houstonians as we lost power, running water, and cell service for days. Without the means of doing my job, and extremely intermittent cellular service, I had to rely on our organization's leaders along with my team to continue vital business functions like security and cloud management. The entire experience highlighted the need for alternative modes of communication and documenting soft-touch processes, two key areas we had identified as critical to our BC/DR plan and were in the process of implementing.

Smaller organizations and startups just getting started may find setting up a BC/DR plan as challenging early on as they work to describe, document, and verify critical procedures. For these organizations, many processes develop organically, particularly around communication and responsibilities, and can be difficult to wrap into a larger executable format. But as companies mature, it becomes increasingly important to have documentation of the clear steps and actions to be taken in order to provide business continuity.

Climate and extreme weather-related downtime impacts more and more businesses and are expected to cost the global economy $210 billion annually. Adapting BC/DR plans to this new reality means accounting for the myriad social, economic, and technological challenges businesses will face because of climate change. Beyond just documenting roles, processes, and operations, these BC/DR plans should account for what to do in the event that an office loses power, what to do if an organization's on-premises or cloud-hosted data centers are damaged, and how to respond if the organization is under cyberattack.

We're already experiencing the effects of climate change, but we still don't know the true impact it will have, so it's the job of IT and cybersecurity leaders to plan for the worst and adapt to the new risks. A layered approach that includes cybersecurity best practices such as mandating multi- and dual-factor authentication across the board, increasing employee security training with extra focus on social engineering attacks such as phishing scams, and implementing security tools and automation to increase controls provides a strong start. From there, stacking on top of this a living BC/DR plan that maps out and factors in the hazards of climate-based risks as well as those with business-halting ransomware attacks will keep businesses agile while responding to threats.

Lewis Huynh is a seasoned cybersecurity professional and technologist with decades of hands-on experience. From hacking PCs and learning machine learning languages at a young age to pioneering DevOps and cloud networks, Huynh has extensive knowledge of some of the most ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file