Cyberattack and the City

Smart cities have become a lucrative target for cyber attackers due to the increasing number of connected systems embedded throughout the smart city’s infrastructure. The numbers talk volumes - global investment in smart cities will reach $80bn in 2018, and is expected to reach $135bn by 2021 (Source: IDC’s Smart cities spending guide)

For smart threat actors, it’s quite easy to take control of the smart lighting system of Barcelona (which uses sensors to collect air quality data) or New York’s 600 traffic cameras (which sensors are also used for emergency management). But also traditional municipalities are at risk, with cybercriminals increasingly targeting municipalities and other government organizations. They consider them softer targets than most of the enterprise networks which are better protected. Since state and local government networks host highly valuable information about individuals and critical infrastructure (and also process financial transactions) municipalities are attractive targets.

Hackers know that the networks of municipalities often lack sufficient security defenses, which makes them vulnerable for cyber attacks as shown below. The table lists some of the attacks on cities since the beginning of this year.

Target

Date

Attack

Fallout /Damage

City of Farmington (NM)

January 2018

SamSam ransomware attack demanding ransom of 3 bitcoins ($35,000)

Some services, including electronic bill pay and records processing, were shut down

City of Allentown, PA

February 2018

Phishing attack spreading the Emotet virus to both financial and public safety operations

$1 million in mitigation measures ($185,000 for the Microsoft response team and $800,000 to $900,000 to fully remediate the damage

City of Cambridge (Canada)

February 2018

Hijack attack by cryptocurrency miners

The browsers of 474 visitors of the website Cambridge.ca were covertly hijacked to create Monero cryptocurrency

City of Atlanta

March 2018

Ransomware attack demanding $51,000 in bitcoins

$17 million ($6 million in current measures, $11 million in potential costs

Baltimore’s 911 operations

March 2018

Ransomware attack on the CAD dispatch system by exploiting a system vulnerability in the firewall

Dispatchers had to work in manual mode; the City’s network was left exposed during troubleshooting

 

Colorado’s Department of Transportation

April 2018

SamSam ransomware attack demanding ransom in bitcoins

2,000 employee computers were locked down; $2 million in damages

 

IT accounts normally take up less than 0.1% of overall municipal budgets. This is not surprising, as the results of a study conducted by M.K. Hamilton & Associates showed. Of the surveyed and interviewed officials of local governments in Washington about information security, an estimated 80 percent of municipalities serve a community of less than 25,000 people, and 60 percent served fewer than 10,000. That’s why they had no staff members working in IT, and had to work with minimal to zero funding.

But also larger cities postpone such investments as the attack on the City of Atlanta illustrates. The city’s independent auditor already warned in 2010 that the city’s Information Technology Department “currently does not have funding for business continuity and disaster recovery plans.” In 2014, the city still lacked such a plan. In January 2018, the auditor reported that the monthly vulnerability scan results indicated the presence of 1,500-2,000 severe vulnerabilities in the scanned population, with a history that went back over a year with no evidence of mitigation of the underlying issues.

The City of Atlanta is not alone. In 2016, KPMG identified serious issues with the Halifax police department’s cybersecurity while auditing the Halifax Regional Police (HRP). KPMG identified 67 concerns, 35 of which were “high-impact, high-likelihood issues.” Eighteen months later, the police department had still done little to fix those problems.

To wage their attacks, the threat actors use a wide range of methods and tools, varying from phishing emails to high-tech, nation-backed break-ins.

The good news - municipalities are not powerless in their fight against cybercrime. They have the following options at their disposal.

  1. Having an incident response plan

Having Disaster a Recovery (DR), Business Continuity (BC) or Incident Response (IR) plan in place is essential for mitigating and recouping the damage of a cyberattack. As we have seen above, the City of Atlanta could have benefited from having such plans in place.

  1. Boosting the cybersecurity posture

To boost their cybersecurity posture, municipalities need to keep local controls up to date, patch vulnerabilities immediately, deploy security controls for safe email and web browsing, minimize admin access, and perform cybersecurity assessments.

  1. Conducting regular security awareness training

As the Allentown attack shows, cybersecurity is only as strong as its weakest link. Once an employee opens a malicious file or clicks on a malicious link, the municipality is potentially breached. Employees need to be properly trained on what to watch out for, especially social engineering attacks.

  1. Sharing resources and knowledge

Municipalities are connected to other (and better funded) governmental agencies that can share resources and expertise with them, such as the NCCIC.

  1. Having cybersecurity insurance

In the U.S. several insurance companies provide insurance catered to municipalities. Depending on the provider, the insurance covers privacy & cybersecurity liability, media communication liability, data breach response expenses, crisis management costs, cyber extortion damages, privacy regulatory defense costs, and fines.

Cybersecurity assessments is a great tool that allows municipalities to tests their defenses using a range of attack vectors, including phishing, ransomware and other attacks. Cymulate’s BAS platform enables the security team of cities to test if the cyber security defenses of the city would stand up against various types of attacks and malware. The platform identifies possible gaps using simulated multi-vector, internal and external attacks in a safe manner. After the simulation is completed, a comprehensive security report is generated which also includes suggestions for fortifying the security posture.

Since it is a SaaS platform, comprehensive assessments can be launched at any time, allowing municipalities to mitigate vulnerabilities and exposure before cyber attacks happen.

Want to learn more? Want to try it out? Click here to get a free trial.

Filed Under: Data Breach, Cybercrime, Cyber Attacks, NCCIC, Cyber Insurance, Ransomware, Phishing