Protecting Our Communities: Navigating Cyberattacks Against Municipalities and Bolstering Cybersecurity
Municipalities are no strangers to cyberattacks, but the introduction and ready availability of malware through ransomware-as-a-service providers have led to an increasing number of attacks against cities and counties.
One small sample taken from the past six months revealed that Lowell, Mass., Spartanburg County, S.C., and Suffolk County, N.Y. were victimized, knocking services offline and causing millions of dollars in recovery costs.
With that to set the stage, we sat down with Grayson Lenik, Director of SpiderLabs Security, Trustwave Government Solutions (TGS), a wholly-owned subsidiary of Trustwave Holdings, Inc., to discuss the cybersecurity issues specifically facing state, county, and local government entities and some protective measures that can be implemented to boost their security.
Q: Are state and local municipalities experiencing more cyberattacks now than, say, three years ago?
Grayson: I would say yes. If you look at the news, just about any week you'll find some town, some village, some airport, something that's been attacked with ransomware. I think these targets are the type threat actors prefer right now.
The shift to striking municipalities, which can include small, medium, and large cities, towns, county government, or even school districts, is part of the larger trend where we see the threat actors shifting to victims and attack methods that can be quickly monetized. In the past, hackers were more interested in data theft, credit card theft, and data that’s a quick flip to cash in hand. As that pool started to dry up over the years, we started seeing mainly ransomware.
Again, attackers are using ransomware because it's easily monetizable, but also because municipalities have a lot of devices and functions that are connected to the Internet, which makes them a target-rich environment. Because municipalities often run a lot of disparate technology such as wastewater systems, airports, and transportation systems, this means they have a large number of Internet access points to their system which constitutes a large attack surface. They are also complicated environments that can be harder to maintain and secure.
We see that local governments are not only being hit with ransomware but are bearing the brunt of the latest ransomware attack trend, the double extortion method. This tactic sees ransomware being inserted into a network, sensitive data exfiltrated, and then essentially, it’s held hostage. If the target refuses to pay, the attacker threatens to publicly post the stolen info as a further lever to force payment, or they publicly shame the victim online hoping they will pay up to stop the bad publicity.
Another downside is municipalities are not necessarily cybersecurity experts, but we can get more into that a bit later.
Q: Are municipalities being targeted with ransomware more so than other forms of attacks?
Grayson: Ransomware is the primary end goal I’m seeing but municipalities can also be the target of other missions, such as long-term access where attackers get in, gain a foothold, explore the network, and then just bide their time. Honestly, this is one of the tactics that scares me more than ransomware. This type of access can be used to launch a more coordinated and possibly more severe attack on a municipality. One that directly impacts its citizens.
Just imagine if the attacker damages all the pumps at a water treatment facility. This type of attack could interrupt daily life in a way that I don't think most people are prepared for. How long can you go without filling up your coffee pot?
One possible silver lining with the ransomware attacks we see taking place against municipalities is they are financially motivated, which indicates the attacker likely does not have a wider scheme in mind. They just want their money. There are different types of attacks. Some attacks are meant to be low and slow and avoid detection, to sit and wait for an opportunity. Others are meant to make bad actors rich, and ransomware, generally speaking, is the way to do that.
Q: Are there any indications that certain threat groups specifically target this sector?
Grayson: It’s very hard to say who belongs to which group at any given time. The groups behind attacks taking place one month are different from those attacking just a few months down the road. Most likely, this is due to the popularity of ransomware as a service (RaaS) and the rapid development of malware to avoid initial detection. These are professional ransomware distribution platforms with features like customer service and tech support where a criminal can go and, for a fee, walk out with all the tools necessary to pull off an attack. RaaS really lowers the bar of entry for even a technical novice to launch a successful attack.
Q: Do threat actors take a different approach or use different tactics when attacking these entities or is it all the same?
Grayson: For the most part, threat actors look at municipalities and other local and regional government entities the same as any other target and use phishing, known vulnerabilities, etc., to gain access, but I feel in general that they are less prepared than other industry verticals.
There just hasn't been the same focus on cybersecurity with this group over the years as, say, the hospitality or healthcare industries. So again, municipalities represent a target-rich environment with some easier attack paths.
We don't see much in the way of database protection or email security. We don't see them using third-party security vendors to monitor their systems 24/7, and finally we don't see a properly staffed IT and security staff. Municipalities, I think, have fallen behind a little bit.
It might make sense for municipalities to emulate the healthcare industry. If you look back at data breach reports, healthcare had a big spike several years ago.
Q: So, what happened?
Within healthcare, new regulations came into play and there was a lot of public pressure. Hospital administrators started paying attention, and they got better, at least with their external defenses. Then as they got better and healthcare stopped being the easiest industry vertical to attack, you started to see the graph and the data points move away from healthcare and spread to other areas.
I believe we're now starting to see that spike move toward state and local government, and I think if I'm looking in a crystal ball, municipalities and state and local government will be a big focus over the next few years.
There is a difference between commercial verticals and government entities that hinders the latter when it comes to improving their cybersecurity. Verticals, like healthcare, often have to respond to regulatory and compliance measures imposed from above.
Municipalities are unlike healthcare. With healthcare, a governing agency can say, "OK, healthcare, it's time, you're now going to fall under HIPAA and you’re going to protect medical and personal data."
I think that it's difficult for government, especially the federal government, to state, "OK, municipalities, here is your new regulatory system," because the regulations will not likely apply to half of the municipalities, due to their region, geography, demographics, or what the local government controls or their financial and physical ability to put in the proper controls.
It’s hard even for the federal government to come up with regulatory requirements due to the disparity between agencies, and in some cases, states were able to move faster and have some requirements in place. This brings up the issue of clashing state and federal regulations. It can be very difficult.
The one area the federal government is focusing on is setting up grant programs through DHS that municipalities can tap to help bolster their cybersecurity programs. Our penetration testers are actively participating in this program and that is where I get a lot of insight.
Q: Where are most municipalities lacking when it comes to cybersecurity preparation?
Grayson: While some government entities are investing in their cybersecurity, generally, it's bare-bones level security. We see applications open to the Internet that shouldn't be, servers that haven't been patched in three or four years, and weak password policies in place. Many of the cybersecurity 101 issues are being ignored.
There is also a lack of higher maturity measures. For example, we don't see offensive security measures like penetration testing being done and we don’t usually see some of the more advanced security tools like Endpoint Protection deployed properly.
There is also a lack of knowledge on the incident response side. Smaller municipalities tend to react to a cyberattack as if it's any other crime and call the local police. Local law enforcement has made huge strides in dealing with cybercrime, but they will never be able to react as well as your own employees.
I also think the real assistance and the real power to help resides with Federal Law Enforcement: the US Secret Service, the FBI, and state-level emergency response departments, who do have the personnel to help with a cyberattack.
One example is the Cyber Fraud Task Forces. They are comprised of the Secret Service, FBI, US Marshals, Department of Defense, and local authorities. Their primary responsibility is to support cyber threat investigations and supply and support intelligence analysis for community decision makers.
There probably isn’t enough messaging out there about the resources that are available to smaller municipalities. There are people that can help and there are some smart and well-trained law enforcement agents out there.
Q: Are there some basic measures a municipality should take to protect itself that differ from other orgs?
Grayson: As we noted earlier, covering the basic cyber hygiene points: changing passwords, enabling multi-factor authentication, patching systems, gaining real visibility into what is happening on your network, and training personnel to spot malicious emails is a good start. The Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security is also a great resource for information around best practices.
However, I think the biggest missing piece is an unwillingness to look beyond this year's budget and instead say, "OK, let's be proactive about security." Don't be afraid to reach out and get some help. Signing a retainer with a cybersecurity vendor might cost thousands of dollars, but the cost of a breach can run into millions of dollars to recover.
Managed Services is a great way to enter the security landscape. I would also encourage municipalities to share resources. Especially when you look at the smaller towns, why not gather up the three or four closest towns and see what they can afford to do to protect themselves as a group?
For those municipalities with more mature cybersecurity capabilities in place, the next step is to test. As I noted earlier, penetration testing is tremendously helpful. Don't just take your vendor's salespeople's word for it. Test the implementations. If you've never been through a penetration testing cycle externally or especially internally, it can be very eye opening. That's why I'm a huge proponent of offensive security as a way to really test implementations.