Phishing emails. Hacked systems. Ransomed files. These terms have become all too familiar through reports from major news outlets all over the world. And let’s not forget the Colonial Pipeline ransomware attack in May 2021. Now, tensions are even higher, and the risk of a cyberattack on municipalities is more prevalent.
IBM Security’s “2022 Cost of a Data Breach Report” states that the global average cost of a breach is $4.3 million. This is a 13% increase from years past, an all-time high.
“Ransomware attacks are more expensive than average breaches at $4.54 million. Ransomware share of breaches increased 41% since 2021,” the report states.
But why hack a municipality? Ransomware isn’t geared toward physical harm, but typically focuses on a quick payday.
“Information is the new currency of the 21st century,” Chris Poulin, deputy chief technology officer (CTO) and director, technology and strategy at BitSight, said.
Poulin stated that if a hacker were to gain access to the network of a municipality, there are a lot of controls they could ransom. For example, a municipality could no longer collect taxes, direct road repairs or pay city employees, such as the police and fire departments. Or, the hacker could gain access to the personally identifiable information (PII) of taxpayers and target them individually for a quick payout.
According to Frank Welder, technical solutions architect in cybersecurity with Arrow Electronics, ransoming a municipality’s information would create havoc.
“Every municipality has a process. Think of the money disruption and how they (cities) use taxes to pay for road repairs, etcetera,” Welder said. “Quite literally the bad guys want to create a little bit of havoc and chaos.”
Welder pointed out that governments are the ones that grant permits, and asked what happens when a city doesn’t have the capabilities to do that.
“Will that slow down operations? Will that have an impact? And that’s what the bad guys are going for,” Welder said. “Cities receive money from us all the time: sales tax, property tax, licensing fees, all of those systems. What happens if the bad guys attack those systems and they deny municipalities access to the money that they need to repair the roads, to pay people, and things like that? Think about that type of disruption it would cause.”
In March 2018, Atlanta, Ga., was hit with a ransom of over $50,000. It took the city months to recover. In the end, Atlanta paid out $2.6 million in incident response and data forensics to combat the ransomware attack.
“Though a municipality doesn’t have the specific obligations of a private company, it still has plenty of crucial considerations and costs. Atlanta’s ransomware attack impacted five of the city’s 13 local government departments and disrupted many functions people rely on every day, including the police department records system, infrastructure maintenance requests and the judicial system. The attack also hindered revenue collection; residents weren’t able to pay their water bills for days,” Wired.com states in its 2018 article “Atlanta Spent $2.6M to Recover from a $52,000 Ransomware Scare.”
According to Poulin, municipalities need to create one IT infrastructure for all the departments they oversee. A single infrastructure creates consistency and guidance for the city’s information technology team and brings every department in the municipality under one umbrella.
“It would be good to have consistency and guidance at a municipality level,” Poulin said. “But even more important is an information sharing analysis center.”
Poulin stated that an information sharing analysis center (ISAC) is a forum to discuss cyber issues, making everyone aware of who’s being attacked, how they’re being attacked, what the hackers are after and what an organization is using that is successful. There is also a more tactical side to an ISAC: forensic information can be shared to help others avoid the same scenario.
“One thing that can complicate things is city, state and federal regulations,” Poulin said. “There are a crushing amount of regulations that everyone is subject to.”
For instance, if a city takes a credit card payment or anything like that, it is subject to PCI compliance, Poulin stated. Municipalities have a complex network of different departments that store different information: taxes, police department records, physicals for officers and fire personnel and so much more.
“Complexity is an enemy of cybersecurity,” Poulin said. “Complexity doesn’t only mean your architecture, but also means everything that goes on: how much data you store, where you store it, who has access to it.”
Knowing what compliance regulations your municipality falls under will also help in the development, implementation and execution of your IT infrastructure. For example, certain states have specific compliance requirements that others may not have, and those may apply to a city if it employs someone who lives in that state, or if it conducts business with a vendor from that state.
According to Welder, one key thing any municipality should have in place is a hardening of its framework.
“I always think of cybersecurity as building defenses,” Welder said. “We think of a castle. A castle is not just an individual structure. There’s the castle itself, and then there’s walls around that, and walls around that, and walls around that, and then a moat and maybe an open field. If you think about all of those layered defenses with that, if your mindset is that the hackers only need to be right once, I need to make sure that I have many things that they have to pass through to get into the network. Regardless of budget, how hard do municipalities need to make their network for those cybersecurity criminals to access the ‘crown jewels’? Hardening your network.”
Welder posed a question: from a systems-and-process perspective, have you hardened your environment? He stated that the MITRE Framework points out key areas where cities should harden their environment.
“In many instances, it’s all about keeping up with patches and plugging the holes. The bad guys aren’t creating new vulnerabilities; they are just exploiting existing ones. Harden your systems,” Welder said.
Hardening your network includes routine vulnerability assessments and penetration tests to see where those holes lie, as well as patching known software bugs to ensure systems are operating with current, secure hardware.
Secondly, Welder said, cities need to monitor their networks with a single pane of glass that provides reporting for all the ebbs and flows. When you monitor the network, you can see when abnormalities appear and investigate them. Vulnerabilities are public knowledge. These vulnerabilities are routinely published by the Internet Crime Complaint Center, as well as the Cybersecurity and Infrastructure Security Agency, under the FBI. It doesn’t take much for a cybercriminal to figure out where a potential risk may lie in a network.
By creating an all-encompassing IT infrastructure that adheres to compliance, while assessing risks and vulnerabilities, municipalities can work toward a strong cybersecurity foundation to protect their networks and the people they serve.