Last month, Houston conducted a three-day exercise to test its ability to detect and handle a cyberattack. The exercise, called Jack Voltaic 2.0, simulated a cyberattack occurring concurrently with a natural disaster, in this case a hurricane. A full report on the exercise, with takeaways that will be applicable to other cities, is forthcoming.
Despite conducting "tabletop exercises" throughout the year ahead of major events, Houston had not specifically prioritized cybersecurity testing until the city was approached for this experience.
Smart Cities Dive discussed the exercise with two members of Houston's public safety team who were instrumental in its implementation: George Buenik, Director of the Office of Public Safety and Homeland Security, and Jack Hanagriff, Law Enforcement Liaison with the Office of Public Safety and Homeland Security.
This interview has been edited for brevity and clarity.
SMART CITIES DIVE: How did the idea for this exercise first come about?
JACK HANAGRIFF: There's a Texas cybersecurity group that's made up of academia and the CTO for the state of Texas. Academia was interested in doing a research project, and the Army Cyber Institute at West Point had also been in communication with them because they had just done a similar project in New York last year, called Jack Voltaic 1.0; we're Jack Voltaic 2.0.
Also, the Greater Houston Cybersecurity Task Force in parallel was meeting with the mayor [Sylvester Turner] discussing how public and private entities need to better communicate related to cybersecurity needs. That's where it all originated, two groups working in parallel, looking for a large city that had natural disasters and had multiple sectors — water and power, those kind of things. They wanted to do a physical and cyber related incident that involved both public and private, and multiple sectors.
We had eight different sectors... [including] the water sector, the health sector, communications, cellular companies, our port, energy companies... and of course, emergency services — police, fire, emergency management from the City of Houston and Harris County. Simultaneously, we had the Army and their various divisions... running in parallel with us. It was a learning experience to find out if the city can realize that they've had a multi-sector cyberattack and combat it. If all sectors are under a coordinated cyberattack, would we be aware and able to handle it from within?
Three days is a long time to do a simulated exercise. What did you cover and how did the simulation play out?
GEORGE BUENIK: The first day was more or less planning and getting everything situated in our emergency operations center. We were making sure equipment was operational and doing more of the planning. Day two was an eight-hour exercise, a full day, which is typically how long a tabletop exercise would take place. Day three was a half-day and it was what we consider an after-action to talk about some of the things that took place, good and bad.
HANAGRIFF: The first day we also had to bring in tech people who were going to be on the virtual range so they could get all their laptops up and be familiar with the virtual range. We wanted them to hit the ground running the next day. ... When dealing with technology there's always bugs and we wanted to make sure everyone knew where they were going and what they were doing, and that they could access the range because they've never been on that network before.
This was like a real event, so when you show up, the event is on. There's not really any "hold the hurricane" because we don't have that ability in a real event.
Did you try to simulate past cyberattacks in other cities, such as this spring's ransomware attack in Atlanta?
HANAGRIFF: We built the physical side based on a hurricane that we've experienced before, but on the cyber side we mostly tried to center on common threats, nothing particular to the Houston area. Our goal was not to throw wrenches at anybody. ... It didn't necessarily center on a particular event of a city, it centered on particular tactics currently being used around the world. In other words, we didn't launch the Atlanta model or anything like that.
We had a cyber virtual range where IT security professionals were on a live cyber range, which was a fake network… using basic tools everyone should have, and they slowly ratcheted up different types of cyber traffic such as malware and penetration testing. They slowly brought those up and did sector-specific tests because there were objectives that each of our sector partners wanted to test.
They had a canned scenario that followed the timeline of the hurricane and some injects that were canned, but there were also some results from the virtual range that were unexpected. But they didn't want to do wild card stuff. The whole goal was to determine if we can predict it and handle it, not what can we throw at you to bring you to your knees. It was more, what are our capabilities today and how do we communicate our findings with each other? And if it gets to where everybody's dealing with it, would we need outside help?
What did you learn from the exercise?
HANAGRIFF: We have very good processes in place, both public and private entities, when it's related to natural disasters like a hurricane. Everybody comes to the table — from water to communications to power and health — and prepares for a hurricane. When we go over to the cyber side, it’s a little more difficult because everybody is more hesitant to discuss cyber vulnerabilities and their cyber gaps. Why can't we mirror what we do on the physical side, the same processes and procedures, on the cyber side?
We're really good at doing a physical incident… but with cyber it's like crickets. ... That was a big discovery. The cyber communities are… very quiet about their capabilities and their vulnerabilities, so bringing that up was kind of difficult. It's in both the public and private [sectors], and it's the same with the Army. That's why this was a learning experience for both sides, we’ve been learning from each other.
BUENIK: This exercise opened our eyes. ... One of the things we've never really considered with major events… is what if a cyberattack hits one of these events? Last year when we had the Super Bowl and did tabletop exercises and planning and what-ifs, cyber was one thing I don't think we really considered.
We've always planned for things like the power going out; think of the Super Bowl a few years ago in New Orleans when the power went out. We worked extensively... on how to deal with power outages... but I don't think we ever thought of, when the lights went out in New Orleans, could that have been a cyberattack? It wasn't, but this exercise opened our eyes [because] that wasn't part of our contingency plan. We had all the physical security, all the terrorist-type security contingency plans.
Will the results of the exercise prompt changes in your operations?
BUENIK: The City of Houston has its own technology office and a chief security information officer. Their job is to protect the city by preventing attacks — to detect cyberattacks and phishing scams and viruses and ransomware. They're doing that on a daily basis.
We weren't aware of all the additional resources that could be helping us on the public sector side. Now, as a result of this exercise and research project, we are going to be talking about and thinking about cybersecurity when we're planning all of our major events.
HANAGRIFF: One of the immediate benefits of this program was we had to go visit with these entities and we were able to have conversations and establish mechanisms that we never had before. An example was, if I call your company and ask if you're seeing this type of cyber traffic… they'll say yes or no... but they won't report it to you [unless] you call them. At least we'd know they're dealing with the same things that we are. What we determined in dealing with cyber is that there may be some back-door sharing going on, but there isn't any formal sharing method for being attacked.
We found that in private industry as well, that the physical security side and the information technology side don't always communicate. We need to make sure those two worlds are both at the table at some point.
Do you have other takeaways from the exercise?
HANAGRIFF: What was unique about working with our local, state and federal partners is we never had conversations about the cyber side. ... Normally we're discussing physical events, but now we had to bring in a whole different conversation to talk about the physical and cyber side.
Some of the other partners had counterparts that they never interact with on the cyber side. So you had the state CTO talking with the Texas National Guard, and those actions never really happened before. You had the physical world and the cyber world at the same table having conversations that they’ve had [internally] for other events, but they never had together. That was unique.
BUENIK: One of the things we do best in Houston, especially with major events, is working with local, county, state and federal partners. We always consider these things a collaborative and team effort. When everyone is working closely together, that's what we consider our key to success.