Author(s): Jesse Roman. Published on February 10, 2021.

War Room

FM Global's new cyber lab gives visitors an up-close look at a cyber attack—and how fast it happens

BY JESSE ROMAN

In 2019, FM Global, one of the world’s largest insurers of commercial property, opened a new “cyber lab” at its research campus in Massachusetts. Inside the lab sit several servers, which together house all of the elements needed to create a convincing “virtual business,” including computer systems, networks, webservers, databases, and even a virtual internet. Although it’s missing the cubicles and water cooler talk of a real office, the computer viruses that routinely attack these networks don’t know the difference, said Jens Alkemper, research area director for equipment, cyber, and materials science at FM Global.

The ensemble is purpose-built to test and demonstrate some examples of what can happen in a cyberattack. Before it was interrupted by the pandemic, FM Global often hosted clients in the lab to show them what a real ransomware attack looks like. During the demonstration, a visitor is asked to click a suspicious email link, setting the attack irreversibly in motion. A ransom message appears on the screen and a timer begins counting down, informing users that their data is now encrypted. The only way to save the data is to pay the ransom using cryptocurrency, which releases a decryption key. If the payment isn’t made before the timer runs out, the data is lost. The ransomware racing through the system is real, an actual virus utilized by cybercriminals. 

The visitors are then shown how a security operations center monitors the situation. “They see how the virus spreads, how the company can be literally taken down in a matter of minutes, right in front of your nose,” Alkemper said. “The speed of the attack is really what gets people. They think they have time to react—in fact, they don't. You can't make plans when you are under attack. It just doesn't work.”

FM Global also operates a research campus in nearby Rhode Island where, among other things, it conducts full-scale fire tests and allows observers to witness the speed and power of an out-of-control fire and the impact of sprinklers and other protections. At first, Alkemper was skeptical that, compared to a fire test, a demonstration on a computer would have the same kind of visceral impact. In fact, the cyberattack demonstrations have had a profound effect on participants, he said. “When you stand there, it gets to you,” he said. “People walk out and say, ‘What do I have to do? Who do I have to call?’ Suddenly it becomes real.” 

FM Global is in the process of expanding the cyber lab and outfitting it with the ability to test different building control systems, operational technologies, and wireless IoT devices. The intent is to test these physical devices to learn how they work and identify their vulnerabilities. “We will see where they can be breached in order to see how you defend them. That's what it's really about,” Alkemper said. “How do you make it difficult to breach these devices? How do you detect an attack? If our clients are using it, if it's part of their environment and it's a risk to them, then we want to try it out, to test it, and see how you can protect it.”

In addition, the company uses the cyber lab almost like a forensic investigation space to understand and replicate, step by step, successful cyberattacks carried out against its clients. Using the same software and systems, the aim is to figure out how to prevent, defend against, or minimize the spread of similar cyberattacks in the future, much as FM Global handles research on other property-related threats.

“Just like fire, just like other natural hazards, cyberattacks are something you can engineer against,” Alkemper said. “There is no magic here. Sure, there's a language barrier, and it’s real. But put that aside, and this is an engineering challenge. And that means there are things you can do. The majority of property loss is preventable, not inevitable, even when it comes to cyber risk. Sound solutions are available, and with our cyber lab we can show that they work.”

Jesse Roman is associate editor of NFPA Journal. Top photograph: FM Global