Cyber & Info Security
The attack that takes down the power grid may not arrive through the transmission lines. It may arrive through an email. The threat that paralyzes a hospital may come through a software vulnerability in the medical device connected to a patient who cannot afford for it to stop working. The attack surface of every organization in public safety, healthcare, utilities, and government has expanded into digital space, and the adversaries who exploit it are not waiting for the defenses to catch up.
ESTONIA * APRIL - MAY 2007
Cyberattack
A bronze statue. A geopolitical dispute. And the first coordinated nation-state level cyberattack against an entire country's digital infrastructure.
In April 2007, the Estonian government relocated a Soviet-era war memorial - the Bronze Soldier of Tallinn - from the city center to a military cemetery. The decision triggered political outrage in Russia and riots in Tallinn. It also triggered something the world had never seen before: a sustained, coordinated cyberattack against the digital infrastructure of an entire nation.
For three weeks, waves of distributed denial-of-service attacks struck Estonian government ministries, parliament, banks, newspapers, and broadcasters. The Estonian parliament's email was disabled. Online banking, which Estonians used at one of the highest rates in the world, was intermittently inaccessible. Government communications were disrupted at the moment the country was managing an active civil crisis in its streets.
Estonia's response, and the international protocols it helped create, became the foundation of NATO's cyber defense doctrine. The Cooperative Cyber Defense Centre of Excellence, established in Tallinn the following year, exists because of what happened in those three weeks. The cybersecurity professionals who worked those nights in 2007 were operating without precedent, without established playbooks, without allies who had faced the same scenario. They built the playbooks. Everybody uses them now.
IRELAND * MAY 2021
Ransomware
The Irish Health Service Executive ransomware attack shut down national health IT infrastructure. Cancer treatments were postponed. The clinicians who kept the system running on paper.
On May 14, 2021, a ransomware attack encrypted the Health Service Executive of Ireland's IT systems, bringing national health infrastructure to a halt. Hospitals canceled appointments. Radiology systems went offline. Chemotherapy treatments were postponed for cancer patients.
The clinicians, nurses, and administrative staff who kept the health system running did so on paper. Handwritten patient records. Manual laboratory processes. Clinical decisions made without access to medical histories stored in systems that were no longer accessible. They kept the system running because patients were still arriving.
The HSE attack demonstrated, at national scale, what the digital dependency of modern healthcare means when deliberately exploited. The health system that goes dark is not just an IT problem. It is a patient safety crisis, a clinical operations crisis, a public confidence crisis, and a national security crisis simultaneously.
The clinicians kept the system running on paper because patients were still arriving. The digital and the human, operating in parallel. That is what cyber resilience looks like from the inside of a crisis.
UKRAINE * DECEMBER 23, 2015
Power Grid Attack
The first confirmed cyberattack to successfully take down a civilian power grid. 230,000 Ukrainians lost power on the evening before Christmas Eve. The grid operators who restored it manually after the automated systems were locked out, and the incident that forced every power utility in the world to ask a question they had not been required to answer before.
At 3:30 p.m. on December 23, 2015, operators at three Ukrainian regional power distribution companies watched their workstations being controlled remotely. The attackers, subsequently identified as the Russian military intelligence unit Sandworm, had been inside the networks for six months. They had mapped the systems, positioned their tools, and chosen their moment. In the space of 30 minutes they opened breakers at 30 substations, cut power to 230,000 customers, disabled the UPS systems that powered the control centers, and deployed malware that wiped the firmware of the serial-to-Ethernet converters, ensuring that remote restoration would be impossible.
The grid operators who restored power that evening did so manually. They drove to substations and operated equipment by hand because the remote systems were either locked or destroyed. They worked through the evening and restored power to most customers within six hours — not because the automated systems recovered, but because the operators knew their grid well enough to operate it without them.
The significance of the Ukraine attack was not its scale. 230,000 customers losing power for six hours is a manageable outage. Its significance was what it proved: that a cyberattack could cross from the digital into the physical, that critical infrastructure could be taken offline not by physical sabotage but by code delivered through a network, and that the people responsible for keeping the lights on needed to be able to do their jobs without the digital systems they had come to depend on. The grid operators who drove to those substations on the evening of December 23rd demonstrated something that every critical infrastructure security professional has worked from since: the human who knows the system is the last line of defense when every automated system has been taken away.
The cyber and information security professional works in the newest and fastest-changing frontier of emergency management. The threat landscape that exists today did not exist five years ago. They are building defenses against attacks that have not yet been invented, in an environment where the attacker needs to succeed only once. They do this with the full knowledge of that asymmetry. And they do it anyway.
We Serve Those Who Serve Others.