The Metcalf Sniper Attack and Its Lesson for CEOs
Unknown to many, an ominous terrorist attack occurred on U.S. shores in April 2013.
During what’s known as the Metcalf Sniper Attack, six individuals armed with AK-47 assault rifles infiltrated a power generator substation near San Jose, Calif., and systematically disabled 17 giant transformers that sent electricity to Silicon Valley.
No one was ever caught, and while no blackout occurred (thanks to grid officials successfully rerouting power generated by other plants to the region), the substation was offline for nearly a month to effect repairs.
While the ultimate motive of the attackers is unknown, from their actions it appears that they were well trained and well versed on the makeup of the substation plant. They knew what they were doing and where the security vulnerabilities lay.
Chances are this came from their ability to extract data from supposedly secure networks, piece together pertinent information, develop a plan and execute it at will.
This sensational, but very real, circumstance should be a wake-up call to everyone who runs an organization. While many in such roles may look at physical and cybersecurity strategies separately, they are most certainly intertwined. Combined cyber and kinetic (real world) attacks are more and more common.
A recent example of this is Operation Orchard, the Israeli attack on a suspected Syrian nuclear facility that was enabled by a concurrent cyberattack to shut down Syria's air defenses.
These types of operations, though, aren't just reserved for nation states or multibillion-dollar global enterprises.
If you have some sought-after intellectual property on your premises, then you’re also at risk. In fact, smaller entities may be easier targets.
Not looking at cyber and physical security as interrelated can lead to blind spots in coverage. It’s akin to spending $100,000 on a state-of-the-art firewall but leaving it in an unlocked, unwatched room where someone can tamper with it. A firewall’s defenses can be completely bypassed or subverted by allowing direct physical access to it.
Cybersecurity must be looked at holistically and include physical security. The human dimensions should also be considered: This means IT security and program managers should work alongside senior operations and business managers to ensure all approaches are in sync and fully functioning.
This “people first” approach must encompass all the complexities and angles of protecting valuable assets from the office campus as well as the network architecture point of view.
The net effect will be the establishment of a workable, innovative strategy. What’s more, the resultant efforts will ensure that all security expenses are optimized for their maximum effectiveness and that duplication of activities is minimized if not altogether avoided.
I’ve observed for some time how CEOs and other executives can’t keep their cybersecurity programs in a silo where only a certain number of people fully understand and appreciate their impact. The Metcalf incident showcases that this isn’t just about money and ideas but could include the safety of those working at a facility.