Cyber attacks may not seem like something safety professionals need to add to their list of concerns, but the truth is they are a growing threat for U.S. employers and their workers.
In April 2022, five major food distributors in the U.S. and Canada were destroyed by explosions and fires, with 20 more having related, but more minor, incidents related to cyber attacks.
FBI warns of more to come
Following those cyber attacks, the U.S. Federal Bureau of Investigation (FBI) said that more trouble could be on the horizon, warning the food and agriculture sector that “ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss and negatively impacting the food supply chain.”
At the ASSP Safety 2022 Conference + Expo, safety professionals Leo DeBobes, Terrie Norris, Randy Milliron and Sarah Bogner discussed ways to incorporate cyber attack hazards into emergency preparedness plans.
Hospital shut down for 18 days following phishing scam
They used a hospital in Wyoming as an example: hackers see hospitals, local utilities and other businesses as high-profile targets because of the amount of information that they have.
In this case, a specific person at the hospital was targeted with a phishing email scam. The person clicked the fraudulent link, which allowed malware to get into the hospital’s computer system. That malware stayed in the system for about a week gathering data before releasing ransomware.
The cyber attack caused the hospital to shut down for 18 days. They couldn’t take on new patients and had to send their existing patients to other hospitals. In the end, it cost the hospital $1.2 million.
While this attack didn’t cause an explosion or endanger the lives of workers in the same way the incidents in April 2022 did, it certainly disrupted operations and impacted the local community.
So what can safety professionals do to help prepare their organizations for a cyber attack and mitigate any potential damage done? Here are four things DeBobes, Norris, Milliron and Bogner recommend:
Separate critical controls from other operating systems
Something that utility companies do to add an extra layer of protection is to make certain that critical control systems run independently from other operating systems.
This means making sure that electronic controls for important facility operations function separately from the operating systems that control email and other general company systems.
If possible, use a completely different server or physical device to achieve this.
This separation could become complicated in a situation like the COVID-19 pandemic, which resulted in people working from home. Even so, new solutions would need to be found to ensure cyber security is maintained, because hackers are waiting for opportunities like this to launch their attacks.
Off-site data storage
Another thing to consider is where data is being stored. If it’s stored on-site, a cyber attack, or even a natural disaster, could compromise the data, which could lead to more problems within an individual facility.
If off-site data storage is used, then practice drills should be held to make sure that everything on backup is functional when needed.
Practice drills to make sure it all works
Speaking of drills, regular training drills for cyber attacks should also become routine. This will ensure that operations can continue when everything is running off those off-site backup servers.
Drills should be more involved than just flipping the switch to make sure everything functions. They should last for a few days to make sure that everything is working as needed and that everyone can still perform required tasks.
Finding out some critical data is missing from the backup server while in the middle of a cyber attack or other emergency isn’t a good situation to be in.
Do some research
Don’t forget to do some research ahead of time to make sure backup servers are protected against cyber attacks, too. Hackers may be anticipating the use of those off-site systems, and safety professionals will want to prepare for that as well.
The U.S. Small Business Administration, Federal Communications Commission and FBI all have helpful guides on how to protect businesses and other organizations against cyber attacks. Insurance providers Nationwide and Travelers also provide guides for cyber attack prevention.