
For State and Local Government, Preparedness is Infrastructure (Part 1 of 4)


Preparedness in Trying Times

September marks National Preparedness Month across the U.S., and it comes at a critical time. Preparedness is defined by FEMA as "a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective action in an effort to ensure effective coordination during incident response."

Nature-induced incidents command headlines in equal measure with man-made incidents, and these stresses introduce key resilience gaps across sectors and communities. Recent cyberattacks impacting water utilities in Minnesota and the Department of Motor Vehicles in Nevada demonstrate how a digital compromise can quickly become a physical service disruption, eroding public trust and placing lives at risk.

With IT/OT convergence, the line between physical and cyber incidents is blurring, and in the end the source of an incident doesn’t matter much, as the impacts are increasingly felt in very real ways.

Across state and local government, these incidents manifest within critical services at an alarming rate.

Critical Services and Public Trust

Citizens don’t differentiate between cyber and physical root causes.

Critical services such as power and water have many interdependencies and, outside of practitioner circles, the relationships between domains and components within the service delivery continuum aren’t widely understood. For civil workers and leaders entrusted with stewardship of critical services, continuous threat analysis is needed.

Public trust is exactly that: people trust that tap water will flow when the faucet is on, or they trust that they’ll be able to continue dialysis treatments at home today without the threat of power interruption in their neighborhoods, and they trust that there are no substantial service delays within bus routes used for accessing opportunities.

Critical services may be easy to take for granted because for the most part over the past century, we’ve done a good job ensuring they are resilient. But recent developments threaten that confidence.

Vulnerabilities Exist Beyond the Surface

Cybersecurity practitioners are all too familiar with the concept of vulnerabilities and the most common tools or methodologies of discovery, at least when the vulnerabilities are technical. Systems and applications ship with defects that aren’t found until they’ve been deployed, if even then. Regardless, the vulnerability discovery and analysis space is well served.

Process and procedural vulnerabilities, however, are insidious and not always apparent.

Underfunded preparedness, untested scenarios, siloed responsibilities, lax communication, and lack of coordination are damaging. Process and procedural gaps are often more insidious because citizens expect procedural competence from government, but in a “system of systems” things can often go wrong when a common understanding of the critical relationships between things is lacking or needs enrichment.

We must become adept at dealing with both vulnerability domains, especially in an age of rapid convergence. And this adeptness must occur closer to the source of vulnerabilities and incidents.

Examine Failure and Threat Modes

Preparation requires that we examine government infrastructure as a system of systems. To avoid cascading failures that lead to potential disasters, preparedness demands scenario development across domains:

  • Power loss cascading into water pumping and treatment failures, or wholesale loss of water availability.

  • Water main breakage requiring emergency coordination while cyberattacks sow interdepartmental confusion.

  • Transit disruptions cascading into healthcare crises or emergency response delays.

City managers and mayors must view preparedness as orchestration—aligning utilities, emergency management, finance, public safety, and inter-local cooperation in one contiguous plan. 

State governors must push further, ensuring cross-county and statewide preparedness investments which optimize public goods.

Preparedness Requires Threat Scenario Development

Preparedness is more than drills. It’s about:

  • Analyzing relationships between components and entities

  • Identifying municipal and state funding streams and their external dependencies

  • Modeling cascading failures

  • Stress-testing contracts and vendor assumptions

  • Ensuring funding is in place for resilience, not just recovery

  • Embedding cyber-physical scenarios into emergency playbooks

Where systems and processes are concerned, it’s important to imagine scenarios that might threaten their availability and continuity. Just as tabletop exercises help us prepare for the likeliest types of cyber incidents, threat modeling forces us to imagine how a system or process might become compromised or fail altogether.

Connecting Incidents to Societal Impact

Preparedness is about protecting systems as well as systems of systems (SoS), all with the goal of protecting lives, livelihoods, and preserving trust.

The recent incidents impacting Minnesota and Nevada offer many opportunities to improve cybersecurity architecture and processes. Post-incident reviews (PIR) will be crucial.

Whether the societal impact is…

  • Citizens’ inability to access services at the DMV

  • Citizens’ inability to pay a water bill

  • A citizen who’s also a dialysis patient and loses power mid-treatment

  • A firefighter without comms during a wildfire

  • A trauma-affected person unable to access public safety because of a cyberattack

…every incident has a human face and a real story. 

It is helpful to catalog the most critical services and understand the potential societal impact of each. Business impact analysis (BIA) is crucial for the development of disaster recovery and response plans, incident response plans (IRP), and enterprise risk management (ERM) capabilities. Over the course of a BIA, it’s common to map critical assets to the critical services they support, and that mapping serves in part as a gap analysis.

Every preparedness gap is a gap in trust.

Journey to Better Preparedness with Claroty

Preparedness is not a destination, but a journey. Regardless of where your organization is on that journey, Claroty provides a significant boost to your operations without a big uplift:

  1. Document & Assess – Run Claroty’s platform to produce a defensible baseline risk assessment by configuring business impact and risk benchmarks.

  2. Implement & Demonstrate – Use Claroty’s segmentation, monitoring, and secure access controls to close critical security infrastructure gaps where IT and OT converge.

  3. Report & Sustain – Leverage dashboards to continuously prove progress across departments, boards, councils, and the public.


Preparedness is Infrastructure

Preparedness is infrastructure.

Preparedness is governance.

Preparedness is public trust.

The stakes seem to rise every year, and cybersecurity leaders must rise to meet them. The Claroty Platform is an arbiter of cyber-physical risk signals and a critical node in an enterprise risk management service bus—providing a sort of nervous system for cyber-physical systems protection. 

To learn more about how adopting the Claroty Platform can help with the development of cyber risk management practices, schedule a demo with one of our experts.
