Preventing cyber-attacks needs to be a priority for local governments

Cyber-attacks are a growing threat to America as government entities find themselves vulnerable, even if they think they have systems in place to prevent such occurrences. According to a study from Privacy.org, about 60 percent of cases occur within minutes and about 47 percent of breaches are the result of malicious or criminal intent. Take the Colonial Pipeline attack as an example. Colonial is one of the country’s major pipeline providers, carrying more than 2 million barrels of gasoline and jet fuel from Texas up the East Coast and on to New York daily. The attack has generated a state of emergency in 17 states and counting, as well as fuel shortages in the Southeast. As we’ve learned in recent days, the breach was due to a ransomware attack, in which criminal groups hold data hostage until the victim pays a ransom. This breach has heightened the vulnerability of the nation’s energy infrastructure to cyber-attacks and sounded the alarm for all types of businesses, local and state governments to make cybersecurity a priority, not just a knee-jerk reaction to a single publicized attack.

Ransomware is a form of malware that once deployed encrypts files. It can be a targeted attack or spread across a network infrastructure, hence crippling a business operation, which can be life altering—as is the case here involving our fuel supply, or even life threatening. Such hacks are often initiated through a “phishing” email campaign that contains malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website, which initiates the download and installation of a malware unbeknown to the user.

Sadly, we are seeing this type of attack more frequently, often on a smaller scale, where it goes unreported by the media, but it is happening and more often. This type of breach exposes the fragile state of the supervisory control and data acquisition (SCADA) network and the industrial control system (ICS), which in my opinion have been overlooked for too long, not prioritized and as a result, diminished in importance when the exact opposite should be happening. As the Colonial investigation unfolds, we will come to realize that the attackers were present in the network for a long time prior to initiating this massive attack. It likely began over a couple of days where different controls were being tested, undetected by the network. While there may have been some security solutions monitoring the network it obviously was not enough and may also be inferior in terms of its technology.

An attack of this magnitude initiated by ransomware is usually caused by a staff member’s credentials being compromised through a phishing email, the lack of education and awareness training for staff, and the diminished importance of cybersecurity at all levels from the board, to management to operations and onto the technical team. An isolated SCADA and ICS network is at risk because the threat is from an insider, a trusted employee.

Based on my previous experience and what my team has learned working with a variety of energy and utility companies, we can report that the country is ill prepared to defend against these types of attacks due to a lack of resources in both funding and skill set. There’s no denying that cybersecurity must be a priority for local and state government, as well as all types of businesses. It is important to understand and take responsibility for the guidance and implementation of their cybersecurity needs and how it works.

A recent case study from one client underscores the importance of SCADA and ICS controls. Recently my firm was involved in a cyber risk and resilience assessment and found that the USB drives were being shared from the isolated SCADA network and the corporate network. This alone will introduce malware or potential viruses to the isolated SCADA network, hence launching a breach caused by an insider threat (a trusted employee). This practice has since ended and ports are now closed, preventing the usage of unknown devices. Additionally, passwords were too similar across networks and were not strong enough. A software maintenance package was not renewed after the warranty expired due to cost, leaving patching of software for any vulnerabilities undone. This creates more stress on employees.

To prevent these types of breaches from occurring, we suggest five primary recommendations or “tips” that government organizations can implement to protect against this type of threat:

1. Consult with a cybersecurity expert or company that specializes in these services.
2. Next, conduct a full cyber risk and security assessment across the organization and the industrial network.
3. Consistent, continuous and relevant education and awareness training for employees, staff, vendors and customers is critical.
4. It is also important to conduct a quarterly Pen Testing to properly assess internal and external networks.
5. Finally, conducting a business impact analysis is key to really understanding the pre-and-post effects. Cybersecurity must be a top priority.

Regine Bonneau, CTPRP, is the CEO/founder of RB Advisory LLC, a leader in security compliance and cyber risk management solutions for public and private businesses. Bonneau is a highly sought-after speaker within the cyber industry and recognized leader in several technology industry associations for her extensive knowledge and more than 20 years of experience in the field of cybersecurity, risk management and compliance in a variety of industries such as health care, financial, legal, government and energy sectors from small to large enterprises.