When You Gotta Go, You Gotta Go: Cybersecurity Lessons Learned from Jurassic Park
Volume 2: Anyone ever hear of Business Continuity?
In the classic 1993 film Jurassic Park, there is a point where the characters figure out that in order to get the park systems restored they have to perform the oldest trick in the book: turn it off and turn it back on again. They suffered from an insider threat attack that crippled their main production environment. They turn it off and back on again and, to their surprise, the system comes back online. Sort of. In a manner of speaking anyway.
Business continuity, or disaster recovery, is a critical foundational part of most cybersecurity frameworks. It is the light in the dark that helps us come back from a disaster. In the movie, Dennis Nedry (the Original Insider, as discussed in a previous blog) cripples the park in his attempt to steal dinosaur embryos (a.k.a. intellectual property). Mr. Arnold (played by the incomparable Samuel L. Jackson) tries but can’t bring the system back online without resorting to the age-old help desk trick: turn it off and back on again. As the movie portrays it, there is no business continuity plan to speak of. There are no playbooks or procedures that the staff can follow to recover from, or even respond to, the incident.
Most (if not all) cybersecurity frameworks have an explicit requirement that speaks directly to disaster recovery, often in the form of a cybersecurity incident response plan and a recovery plan. These are the golden rules that organizations develop and follow to respond to and recover from an incident. These plans help give operational teams the instructions on how to handle such events. And without them, as seen in Jurassic Park, companies are often left flailing in the wind trying to get back to an operational state.
If InGen, the company that operates the Park, had a business continuity plan they would have known what to do. At the very least they would have had the documentation to follow to respond to and then recover from the cybersecurity incident. Now it is highly likely that, within the framework of the movie, they were still in the process of developing their business continuity plans. After all, the park was still in its pre-production phase before go-live.
As those of us that have spent time in the utility industry already know, NERC CIP has requirements that speak directly to cybersecurity incident response plans (CIP-008) and recovery plans (CIP-009), as do several of the NIST control families. These requirements often require entities to develop plans and to test those plans on a regular cadence. This is best practice, as it gets operational teams familiar with the steps of responding to and recovering from incidents.
If only the Park had a business continuity plan, they could potentially have recovered their operational systems without too much trouble. But as the movie showed us, they didn’t, and it certainly didn’t help their situation.