Safeguarding Our Cities – Understanding Municipality Cybersecurity Threats


In an era where technology permeates every aspect of urban life, from traffic management to waste disposal, the digital infrastructure of municipalities stands as both a beacon of progress and a vulnerable target for cyber threats. The interconnectedness of the systems that underpin the functioning of cities has opened a Pandora’s box of security challenges, leaving municipal governments grappling with the daunting task of fortifying their defenses against an ever-evolving array of cyber risks.

As the world becomes increasingly reliant on digital solutions to address urban challenges, the specter of cyber attacks looms large over the landscape of municipal governance. The ramifications of a successful breach extend far beyond the realm of data security, with the potential to disrupt essential services, compromise public safety, and inflict significant financial losses. From ransomware attacks paralyzing critical infrastructure to data breaches compromising sensitive citizen information, the threats confronting municipalities in cyberspace are multifaceted and relentless.

Against this backdrop, understanding the intricacies of cyber threats facing municipalities is paramount to crafting effective defense strategies. This article delves into the cybersecurity challenges confronting urban centers, exploring the unique vulnerabilities inherent in municipal systems and the proactive measures that can mitigate these risks.

For example, every local government relies on critical services and communication systems that would significantly impact its ability to function if compromised. Communication is crucial during any disaster or emergency, including a cyberattack. In the event of a cyberattack that knocks out municipal servers, electronic communications such as email, instant messaging, and texting may be shut down, potentially impacting the delivery of critical public safety services such as emergency medical personnel, fire, and police, which rely on access to computer systems and networks to communicate.


By shedding light on the evolving nature of cyber threats and offering insights into best practices for safeguarding municipal infrastructure, this article aims to empower city officials and cybersecurity professionals alike in their quest to ensure the resilience and integrity of our urban environments.

Are Municipal Cyber Attacks Threatening Citizens’ Privacy?

In excerpts from an article by Packetlabs, they wrote, “Cyber attacks are not only weakening private businesses but also hampering administrative and executive work. Several municipalities and government offices worldwide have reported a loss of data and documents due to municipal cyber attacks. Last year alone, 44% of cyber-attacks targeted municipal offices.

Government offices store various information on citizens for their day-to-day activities as part of welfare and administrative work. As governments move into the age of computerization, government databases are also being digitized rapidly. So, the data stored by the government is a potential and attractive target for cybercriminals. The stakes are high because the stolen information can lead to fraud or crimes on a large scale.

The most significant drawback with software and equipment used by the government is that they are usually out of date. Municipal offices are more vulnerable to cybercrimes because their IT systems are not updated regularly like a private company’s. Even though they are insured against such crimes, data loss can still lead to a public outcry and damage personal reputation or property.

Municipal Cyber Attacks around the World

Several instances of municipal cyber-attacks globally have raised concerns among citizens concerning the technological capabilities and security of large volumes of information stored by the government. Cybersecurity breaches like these hamper the working of the government and threaten the integrity of private information. Here are a few examples of municipal cybercrimes that have occurred in the past few years:

Canadian Municipal Offices: The CBC reported the loss of confidential information from Canadian government offices at several levels. The estimated losses incurred by the government were between 3 and 5 billion dollars.

Baltimore City ransomware: The city of Baltimore faced a ransomware attack. The attack derailed several administrative operations of the town and resulted in backlogs.

Cockrell Hill, Texas: A city in Texas with about 4,000 residents was also the victim of cyber-crimes; the hackers got away with police department files. On being denied a ransom of four thousand dollars, the hackers erased the data, resulting in the loss of sensitive information related to crimes and criminals.

Pimpri-Chinchwad ransomware: The cyberattack on the municipality’s smart servers led to a loss of approximately six hundred thousand dollars. Even though there was no data loss or ransom, the attacks alone signify the government’s need to enhance its data management and security.

How to Avoid Municipal Cyber Attacks

Cyber-attacks on municipal servers and databases have far greater repercussions than they do on an individual company’s IT assets. The attack is indirectly on the whole community. Such cybercrimes can be fought by high-level, in-depth testing and maturity assessments at regular intervals. The several compliance standards enacted will also guarantee the safeguarding of personal and confidential data.”

Ransomware Attacks on Municipalities

In excerpts from an article by Citizens, they wrote, “Last year alone the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) reported ransomware attacks against nearly all the 16 U.S. critical infrastructure sectors. Towns and cities were hit hard, too, according to several reports.

Why this Matters:

  • Cyber attacks on municipalities and governments are growing at an alarming pace, with no regard to size, location, or agency type.
  • Government software and equipment is often out of date or lacking security controls, leaving them vulnerable to attack.
  • Organizations must safeguard constituent, partner, and government data or risk fines, data loss, and loss of confidence.

As the Department of Homeland Security recently noted, “State and local governments are rich targets for cyber adversaries and the frequency of attacks is accelerating.” And yet most government entities struggle to keep up with cybersecurity’s ever-changing landscape.

With most states only spending about 1% to 3% of their overall IT budgets on cybersecurity, according to a study from Deloitte and the National Association of State CIOs, it’s clear that the public sector needs to step up – and get serious about protecting information technology (IT) assets.

The financial cost is high, especially for governments, cities, and states. According to a report from KnowBe4, ransomware alone cost U.S. government agencies about $19 billion in recovery costs and downtime. Local cities have reported millions of dollars in ransomware costs, including paying ransoms, retooling systems, and missed revenue.

Ransomware isn’t the only cyber threat municipalities are facing. The Institute for Defense & Business, a nonprofit research and education institute, reported the top five threats in the public sector as being state-sponsored attacks, ransomware, phishing attacks, hacktivists, and improper usage and internal attacks. It can be difficult to protect against each of these crimes individually since there’s no way to predict when and where cybercriminals will strike.”

Although the article was about municipalities in the U.S., the situation in Canada mirrors that information.

Municipalities Face a Constant Battle as Ransomware Snowballs

In excerpts from an article by DarkReading, they wrote, “As record-breaking volumes of ransomware hit cities, towns, and counties this year, municipalities remain easy targets that pay, and there’s no end of the attacks in sight.

Municipalities in the United States and globally are experiencing a fresh wave of ransomware attacks. As this string of cyberattacks continues, it highlights how a historically unprepared sector remains in desperate need of implementing viable cybersecurity defenses and solutions.

“There is an uptick in ransomware attacks across almost all industries and organization types in the past 12 months,” says Erich Kron, security awareness advocate at KnowBe4, “with record-breaking amounts of ransomware attacks, the financial impact from ransomware, and a variety of ransomware-enabling tools and ransomware-as-a-service (RaaS) providers on the market.”

This assessment is shown by the data: According to a Sophos study on ransomware attacks, “The rate of ransomware attacks in state and local government has increased from 58% to 69% year-over-year, contrary to the global cross-sector trend, which has remained constant at 66% in our 2023 and 2022 surveys.”

However, as the threat of ransomware attacks against municipalities remains high, the security protections for these targets have remained limited.


Municipalities Make for the Perfect Victim

While threat actor tactics and tools evolve and the volume of their attacks increases, the data shows that municipalities are falling behind and failing to rise to the occasion when it comes to protecting themselves. According to the Sophos study, there are a variety of reasons for that.

For instance, municipalities are notoriously understaffed, underfunded, and possess little training when it comes to cybersecurity preparation and mitigation. When ransomware groups seek out their targets, they know that municipalities will be unprepared to handle their attacks, which will either lead to success and potential notoriety or, even better, an easy ransom payment.

Sophos reported that more than a quarter of state and local government organizations (28%) in its survey admitted to making a payment of at least $1 million or more when it came to ransoms, a massive increase compared with the 5% that made that large of a payment in the 2022 data. Of the organizations whose data was encrypted in an attack, 99% got their information back, with 34% reporting that they paid a ransom and 75% relying on backups.

Nick Tausek, lead security automation architect at Swimlane, notes that the local public sector historically has a worse security posture than the federal government or large corporations. He adds that the public sector also has “organizational lack of appetite to endure prolonged outage due to public services, and a lack of automation.”

Furthermore, along with tight funding and limited security programs and staffing, “these commonalities are present in most municipalities at a greater proportion than the private/federal ecosystem, and combine to make recovery difficult, and the temptation to pay the ransom to restore functionality more alluring to the victims,” Tausek continues.

While ransomware groups celebrate their easy wins, municipalities struggle to bounce back. When Dallas was hit by the ransomware attack that took down its systems, the city was still trying to make progress in becoming fully operational even a month later. The only good news is that the city worked with cybersecurity experts to try to enhance its security posture and take additional steps after the attack occurred. But these attacks leave lasting effects that can take extended periods of time to recover from, making municipalities all the more vulnerable in the meantime.

“Simply adding people to the security team is not cost-effective, is not scalable, is difficult in practice, and is not enough to respond at the modern scale of threats,” he says. “A two-pronged approach of investing in both automation technology and skilled cybersecurity professionals is the strongest approach to maintain a healthy security posture.”

Ultimately, he says that prevention, while obvious, will always be key.

“End-user training, vulnerability management, patch management, regular backups, disaster-recovery drills, and system/network hardening are still the best lines of defense against ransomware,” he notes. Incorporating these into automation software will reduce human error and allow for a quicker response time when threats arise.

Municipalities will need to prioritize their limited defensive budgets strategically, which means “an in-depth analysis of where your threats are,” according to KnowBe4’s Kron, so that these groups can mitigate these issues on a scale of what is most pressing and needs attention.”

The Economic Impact of Cyber Attacks on Municipalities

In excerpts from an exhaustive report by KnowBe4, they wrote, “In March 2022, the FBI issued a stark warning to local U.S. governments and public services: ransomware attacks against regional and local governments were disrupting operational services, posing risks to public safety, and generating financial losses.

The impact of these attacks, it said, is “especially significant due to the public’s dependency on critical utilities, emergency services, educational facilities, and other services overseen by local governments.”

Within the government sector, local government entities had become the second highest victimized group behind Academia. Larger organizations and agencies with access to greater resources, including states and transit systems, have demonstrated stronger readiness to deal with attacks. But regional and local governments struggling with weak security planning, lax risk prevention, and poor response and recovery, have been left vulnerable to attack.

Adding these conditions to the volume and sensitivity of data on their servers, which include records and operations of law enforcement, city operations, healthcare, and education, as well as Personally Identifiable Information (PII) such as passport numbers, social security numbers, bank accounts, private health information, and even mental health evaluations, the costs of a cyber attack are potentially far higher than in the private sector. In the eyes of the hacker community, this makes them more likely to pay the ransom. These factors are compounding to make regional and local governments increasingly attractive soft targets for malicious hackers.

Smaller administrations and agencies may also be less familiar with the mechanism for reporting to and accessing support from law enforcement and specialist security vendors, meaning that the true impact of ransomware will continue to be under-reported. And in a high percentage of cases, victims will not receive the support they need.

Ironically, government transparency laws require that government operating information be made publicly available, allowing cybercriminals to acquire information on agency leadership, vendor relationships, and associated contractors, making it possible to tailor attacks directly to the victims. Records can expose other vulnerabilities, including a lack of cybersecurity training, allowing them to identify the agencies and personnel they can most easily compromise.

Businesses can fold following cyber attacks. Governments cannot. Maintaining the confidence of citizens and stakeholders is essential to a municipality’s credit analysis, and vulnerabilities or a hindered ability to rapidly respond to attacks reduces the confidence of stakeholders and threatens credit standing.

Municipalities form the backbone of civil service. The lack of funding for cybersecurity initiatives is detrimental. The need for legislation is important, but the need for training is crucial. Legislation is simply not enough; it acts as a superficial and temporary fix to a long-term, persistent problem. Without initiatives like cybersecurity awareness training, our governmental representatives and state and local employees are significantly more vulnerable to social engineering attacks. This is a matter of state and national security, one that should not be overlooked or ignored.”

5 Essential Elements of a Municipal Cyber Security Plan

In excerpts from an article by Bitsight, they wrote, “Cyberattacks on state and local governments are on the rise. Average downtime from cyber attacks on these targets is 7.3 days and results in an average loss of $64,645.

These incidents are costly and disruptive. Most state cybersecurity budgets are a paltry 0% to 3% of their overall IT budget on average. But another one of the real issues is a lack of talent and knowledge. According to CSO, “Resource-constrained municipalities find it hard to compete for cybersecurity talent with the private sector, which also faces a shortage of qualified professionals.”

While budget may be tough to solve, there are ways to help close the knowledge gap. We’ve outlined five elements of a municipal cyber security plan. Properly implemented, it can help local governments better allocate security resources, reduce the risk of a breach, and protect constituent services.

The 5 essential elements of a municipal cyber security plan are listed below:

1. Analyze the attack surface

As a municipality’s digital ecosystem expands, so does its attack surface and overall threat landscape. Cities must get a handle on risk hidden across digital assets in the cloud, across departments, and the remote workforce. Without visibility, protection is almost impossible.

One way to tackle this problem is to incorporate attack surface monitoring into the municipal cyber security plan.

By continuously analyzing the digital environment, security teams can quickly validate their cities’ digital footprints. With this insight, they can identify each digital asset, its location, and the corresponding cyber risk. For instance, if the city manager’s office uses an application without IT’s knowledge, security teams can quickly discover that asset and understand its potential for risk.

Importantly, with this ecosystem-wide view, administrators can prioritize remediation of assets that are at disproportionate risk or most critical to the municipality, such as those used by emergency services and utility departments. This ensures that budgets and resources can be focused where they’re most needed.

2. Benchmark municipal security performance against other cities

Another strategy that can help municipalities focus their security efforts is to benchmark security performance in the context of their peers. Understanding the standards of care that other cities are maintaining can help security leaders determine security targets that they should strive to achieve, and where their current security programs may fall short. From there they can create improvement plans, prioritize cyber risk-reduction strategies, and, if needed, advocate for increased security resources.

3. Implement continuous monitoring for rapid response

Time to discovery is critical in minimizing the impact of cyberattacks. Security responders can get one step ahead of the bad guys by using a continuous monitoring tool like security ratings.

Security ratings are data-driven measurements of ecosystem-wide security performance. Derived from objective, verifiable information, ratings help assess risk and the likelihood of a data breach based on externally observable risk factors – such as open ports, misconfigured software, compromised systems, exposed credentials, and weak security controls.

Findings are presented as a numerical score – much like a credit score – making it easy for everyone to understand how well the municipality can withstand an attack. Because time is of the essence, these insights are captured in near real-time so that security gaps can be rapidly identified and city leaders can make quick and effective decisions about risk reduction.

Continuous monitoring with security ratings is a beneficial approach for municipalities with decentralized or distributed security programs, which range from city halls to local schools. This method enables the measurement of the overall effectiveness of the security program, rather than a siloed approach to security management and measurement.

4. Scale security monitoring to third parties

As the SolarWinds supply chain attack showed, third parties pose a significant cyber risk to government entities. Although the federal government was the main target of that hack, smaller organizations are just as susceptible to these attacks and must up their game. Simply reviewing a third-party’s cyber security policies and protocols isn’t enough – deeper and continuous cyber security assessment of their security postures is needed.

But with small IT departments and restricted budgets, it’s not always easy for local governments to scale third-party risk management programs across the hundreds of contractors that support municipal services.

Fortunately, security ratings can also be applied to third-party networks.

Before a prospective supplier is selected, municipalities can use security ratings to get an instantaneous snapshot of each potential vendor’s security posture. During onboarding, acceptable risk thresholds can be established and incorporated into contracts, much like an SLA. If the vendor’s rating falls below that score anytime during the relationship, an alert is generated, and the appropriate department can engage the vendor to initiate remediation.

The great thing about using security ratings for third-party cyber risk management is that the capability allows cities to flexibly scale their vendor risk assessments with ease, no matter how large their vendor portfolio.

5. Update policies for employee devices and remote access

In today’s digital age, many professionals have the flexibility to work from home or while on the go. While this can be convenient, it also poses a security risk. With more personnel working outside the traditional network perimeter, municipalities must also factor updated policies and network security guidelines for remote and home-based access into their cyber security plans.

Actions include tightening firewall and VPN policies and monitoring the network for unusual activity. Users should be encouraged to embrace easy-to-implement security measures, such as always using secure connections, regularly applying patches, and practicing strong password hygiene.

Mitigate risk with a proactive municipal cyber security plan

There are other elements to a layered cyber security strategy that we haven’t mentioned here, such as endpoint security, intrusion detection, access control, and secure backups. Each is important, but as cyberattacks get more sophisticated, defense strategies must also evolve.

In today’s high-risk environment, municipal leaders must find ways to discover hidden security issues, continuously monitor risk, and educate users about how they can protect themselves – and their cities – from cyber threats while working remotely. Threat actors are stealthier and more persistent; municipalities must be prepared.”

Conclusion

Safeguarding our cities against cybersecurity threats is not just a matter of technological fortification; it’s a fundamental imperative for the resilience and integrity of urban environments. As highlighted throughout this article, municipalities face a complex landscape of cyber risks, ranging from ransomware attacks to state-sponsored intrusions, all posing significant challenges to the essential services they provide.

The exponential growth of digital infrastructure in urban centers necessitates a proactive approach to understanding and mitigating these threats. With limited budgets and resources, municipal governments must prioritize cybersecurity measures that address the multifaceted nature of modern cyber risks.

Key elements of a robust municipal cybersecurity plan include a comprehensive analysis of the attack surface, benchmarking against peer municipalities, continuous monitoring for rapid response, scaling security monitoring to third parties, and updating policies for remote access and employee devices. By incorporating these elements into their defense strategies, cities can better allocate resources, reduce the risk of breaches, and protect critical services for their constituents.

Furthermore, the economic impact of cyber attacks on municipalities cannot be overstated. From financial losses to disruptions in essential services, the repercussions extend far beyond the realm of data security. It’s imperative that governments invest in cybersecurity initiatives and prioritize training for employees to effectively combat these threats.

In the face of a growing threat landscape, collaboration between government agencies, cybersecurity professionals, and private sector partners is crucial. By working together to share information, resources, and best practices, we can collectively enhance the security posture of our cities and ensure the safety and well-being of our communities in an increasingly digital age.

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every device connecting to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca
