
Against the clock: CISO speaks on IT recovery protocol

Seminar co-sponsored by U.S. Department of Homeland Security

By Jesse Drake

CISO Randy Arvay, Ph.D.

Randy Arvay, the University's chief information security officer, weighed in on a challenging topic – "The Legal and Financial Considerations of a Cyber Attack on Physical Infrastructure" – at a federally-funded seminar on October 11. 

The mission of the 2017 National Seminar and Tabletop Exercise for Institutions of Higher Education (NTTX) is, in part, to "improve preparedness and build resilience for the variety of threats and hazards that pose the greatest risk to campus communities across the nation." In all, 79 universities took part in the seminar, which was hosted locally at the S.J. Quinney College of Law and sponsored nationally by the U.S. Department of Homeland Security (DHS), DHS Office of Academic Engagement (OAE), Federal Emergency Management Agency (FEMA), and FEMA National Exercise Division (NED).

“It was a nice opportunity to get together with different campus and hospital groups at the U, others in government, and our peers in higher ed,” Arvay said.

Arvay joined a panel of University of Utah colleagues: Jerry Allred, manager of Risk & Insurance Services; Jeffrey Graviet, director of Emergency Management at the U; and Phil Chaffee, U Health's director of Emergency Management.

A hypothetical cyber attack resulting in a complete power loss, summarized below, was presented to the group. Arvay addressed the financial fallout in those critical first hours and days – to what extent the U has the capacity to absorb costs, the legal liabilities, and existing insurance policies, among other things.

"This particular discussion centered around recovery efforts here at the University, and concepts for responding," Arvay said. "Nothing was prescriptive, a lot depends on the gravity of the situation. But it's fair to say that in any large-scale scenario like this, partnerships have to come together quickly, including vendor partners, and those on the local and state level."

The scenario

Your IT department is 24 hours into response efforts, trying to understand the impacts to systems and what sensitive personal, research, and financial information may have been compromised.

It appears to have been a malicious and complex cyber-attack – possibly by an advanced persistent threat (APT).

While attempting to recover from the impacts to your networks and systems, emergency services have been working around the clock to help those affected by the power outages, including the evacuation of patients from on-campus medical facilities.

The next few days

Although your IT response teams are confident that they have successfully blocked the hijacked account used to access your industrial control system, they have yet to confirm that there is no malware remaining on those systems at this time.

Research faculty grow increasingly concerned over potential impacts on their research projects. Students and parents are anxious about how this event will impact the remainder of the semester and whether private information has been compromised.

Rumors spread on Twitter claiming that the attack was a result of a malicious insider, while alumni express disappointment via social media with the institution's prevention efforts.

Last Updated: 11/29/17