In January 2020, cybercriminals disturbed government services for a week in Tillamook County, using ransomware. In May 2020, cybercriminals attacked Florence, Alabama, and cost the city almost $300,000 to recover customers' and employees' private information. On February 8, 2020, cybercriminals hacked Oldsmar, Florida's water treatment systems. The sodium hydroxide level (commonly called lye) was 100 times more than normal levels, putting thousands at risk of being poisoned.
What do these three cities have in common? They were underprepared for a potential cyberattack because, like most utilities, they thought they were unlikely to be a target.
Why Are Utilities and Municipalities a Target for Cybercrime?
Cybercriminals know your organization has your community's and employees' sensitive, private information, and that information is a gold mine for them. Not only that, they know your critical systems may not be sufficiently protected, and they're probing for ways to get in and hold those systems ransom. The data they collect and the ransom they extort may not be as big as an attack on a larger organization. Still, they know that, with less work, they can get just as much money from utilities and municipalities like yours.
Plus, with the rise of e-billing, you now have your whole community's payment information on file; bank accounts, credit card numbers, and social security numbers, all stored on your system. Selling that data is big money for cybercriminals, and they know you trust that your organization’s system is secure.
If they're not looking for data, they're looking for ways to disrupt your systems so they can wreak havoc, disrupt operations, or even hold your organization hostage until you pay their ransom. Although technology allows us to streamline operations and increase efficiency, it opens up our networks to more vulnerabilities. With each person, Smart technology, and the Internet of Things (IoT) added to your system, you create a doorway into your system that, if not adequately protected, can be hacked.
Unfortunately, like many utilities, your budget may be limited, and you often have to decide how to stretch every dollar. Many organizations will install security software to monitor a network, putting it into set-it-and-forget-it mode. But without proper maintenance and management, the software will not do its job. As new threats emerge, some organizations will layer software products on top of one another to patch security problems. Still, they do not always integrate with other solutions. As you add solutions, it's harder and harder for your IT staff to keep up, and many times, they are not adequately educated in this new software. All of these factors put holes in your system that cybercriminals can exploit.
Why Is It Important for Utilities and Municipalities to Be Prepared for Cyberattacks?
Many utilities and municipalities like yours assume they’re not a target, so they may not spend as much money on security — which, in turn, makes your organization a bigger target for cybercriminals. And because your services are integral to everyday life, your organization becomes a perfect target for bad actors. Knowing the trouble an attack will cause and knowing that you will do what it takes to keep your services available makes you a prime target.
When an outage occurs, in less than 5 minutes, your phones start ringing with customers wondering when you'll restore services. Imagine your systems being down for an entire week and not fully restored for more than three months. That's what happened to Jersey City Municipal Utilities Authority. In September 2020, a cybercriminal used ransomware to hold their vital sewer and water data for ransom. After three months and more than $500,000 in ransom and expenses, they still had not fully restored their system.
This kind of attack puts a community's health at risk. And breaches that take data like valuable bank account, credit card, and social security numbers put your community members' finances and identities at risk, too.
Unfortunately, it's no longer a matter of if your network will be hacked but when, so it’s best to prepare for the worst case scenario.
In March 2019, cybercriminals used ransomware to attack Baltimore's 911 dispatch system and temporarily shut down the system. Because the city had a response plan, they could switch to manual mode until they restored the system 17 hours later. Just like any natural disaster, having a cyberattack incident response plan is in your community's best interest so that your systems are up soon after a breach disrupts operations.
What Utilities and Municipalities Can Do to Protect Their Network and Critical Systems
With the ever-changing regulations and ever-increasing cyber threats, you must prepare your organization. But how do you do it, and where do you start?
Fortunately, there are free resources available that you can use to protect your municipality or utility:
- Multi-State Information Sharing & Analysis Center (MS-ISAC) of the Center for Internet Security (CIS)
- NIST Cybersecurity Framework
- Public Power Cybersecurity Score Card
- DOE’s Cybersecurity Capability Maturity Model (C2M2)
These resources will assess your risk and give you a road map to help your organization create a cyber disaster recovery plan.
Having a cyber disaster recovery plan will reduce the time you spend scrambling around trying to sort out who’s supposed to do what after a breach. By using just one of these resources to assess your systems, you’ll have a baseline that you can determine your risk and vulnerabilities. Once you have a risk assessment in place, you’ll be able to decide on what steps you need to take to protect your system proactively. Since cybercriminals think of utilities and municipalities as soft targets (those that are underfunded, under-protected, and under-prepared), you’ll be doing your part to create a defensive and offensive posture and keeping your community safe.
11 Affordable Ways to Keep Your Utility or Municipality Protected
Once you’ve assessed your risk, then it’s time to go on the offense and protect your system. You might think that it’s going to cost you a lot to put a security plan in place. Still, the suggestions below are affordable, and most are easy to implement and maintain:
- Create a strong password management policy.
- Enact multi-factor authentication.
- Encrypt your data.
- Update all software and hardware regularly.
- Back up your data.
- Have a recovery plan in place.
For more affordable ways to keep your network secure, read our complete blog post 11 Affordable Steps to Take to Protect Your Municipal Utility’s Network and Critical Systems.
This is a guest post from Kathy DeGlandon, Digital Marketing Specialist for NorthStar Utility Solutions.