Mar 30 2021

Florida Water Hack: Risk Preparedness Lessons State and Local Governments Can Learn

State and local governments can take practical steps to secure their networks and systems following recent cyberattacks including a Florida water system hack.

Cyberattacks have forced website outages, stolen $36 billion in unemployment payments, and have given malicious actors access to millions of residents’ personal information, according to Pew Research.

Beyond exploiting personal information, the recent hack of the Bruce T. Haddock Water Treatment Plant in Oldsmar, Fla., proved the frightening potential of how a small hole in a municipal system could have had life-threatening effects. With many state governments hindered by budget and other priorities or a lack of access to cybersecurity solutions, recent troubling cyberattacks are forcing them to rethink their security posture.

While cybersecurity legislation is making its way through state governments across the country — a step in the right direction — rolling out plans to improve does little to defend against threats that exist right now.

Risk preparedness is a key factor in improving security posture, and it’s something state and local governments can do now, before it’s too late. Here are three lessons state governments can learn from recent cyberattacks that can help them prepare for future intrusions — which will surely come.

It’s Time to Start Getting Serious About Privileges 

According to the Cybersecurity and Infrastructure Security Agency, the SolarWinds breach was one of historic proportions, posing massive risks to federal, state and local governments, in addition to private companies.

With the expertise to gain access to privileges over highly sensitive information, these hackers were sophisticated, patient and ultimately left unchecked.

Anybody who has been following cybersecurity for the past few years can put a few common threads together: First, a hacker gets access to your internal systems through a nonprivileged account. Then, they move from server to server looking for a privileged account to do something more nefarious.

Identity access, governance and privileged account access is a huge area involved in these breaches. Why wouldn’t you be auditing your systems for embedded passwords, like those used in the SolarWinds attack?

FireEye was able to uncover the problem via two-factor authentication for an employee after receiving a notification that a new device had been activated — by someone other than the employee.

Multifactor authentication is one simple way to enforce better governance practices and protect the log-in process. One of the barriers to MFA adoption is ease of use, so be sure that the evidence beyond a password is something easy to remember or that the employee can access at all times, like a unique code sent to a user’s mobile device, rather than a physical token.

MORE FROM STATETECH: How can next-generation endpoint security tools aid agencies?

Oldsmar Florida Water Supply Hack Shows Network Visibility and Self-Auditing Are Crucial

Having open ports or the capability to allow open ports, as was the case at the Oldsmar water treatment plant, presents a big vulnerability to state-run IT systems. Investigators suspected a desktop sharing software was likely used to access the Oldsmar facility system, which was running on Windows 7.

According to Florida Agriculture Commissioner Nikki Fried, Florida comes in fourth when it comes to the number of local government cyberattacks it has faced relative to all states, with the median cost of cyber breaches as high as $1.8 million. This is simply not a cost that’s sustainable to keep up with.

At a federal level, we have red teams that attack and test the safety of our own systems. On a state, municipal, and even private sector level, that’s not happening as readily as it should be.

Penetration testing can help safeguard against these intrusions by assessing the risk exposure of servers and identifying other holes in a system and before someone less desirable does. It’s crucial to maintain visibility into all of the systems and devices that make up a control system operating critical infrastructure.

Being aware of what devices are on your networks, how they are configured, who is making changes and when is vital to getting to the root causes of any issues and resolving them before worse activities occur.

DIVE DEEPER: New forms of ransomware could target state and local governments.

We Need to Centralize Cybersecurity Efforts

Accellion, a collaboration technology and one of the Washington State Auditor’s software vendors, compromised millions of constituents who filed for unemployment benefits during the pandemic.

While the extent of the breach is not yet fully understood, having a decentralized IT security division rather than one cohesive entity is partly to blame. Washington hasn’t been the only state grappling with pandemic-related IT complications; the state of Nevada reported that its IT capabilities are six to eight years behind those of other states, according to its top technology official. Again, this is in part due to siloed IT protocols being used by different departments within the government.

As a response, many states have made serious strides in centralizing their IT departments, consolidating their IT under one single entity. With all corporate IT functions under the care of one agency, it’s arguably easier to control consistency, cost, vendor relationships and the customer experience.

While other states have opted for a federated hybrid model, it’s important that there’s collaboration among all departments — or an investment in software that can monitor activity across servers — to make sure everyone is working together and adhering to the same security practices and protocols. After all, if attackers find their way in, there’s no telling what else they’ll be able to gain access to.

Unfortunately, with the increasing sophistication of attackers and the pace of new technology, it’s not a matter of if, but rather when cyber criminals will strike. Whether for financial gain, espionage or to cause real harm to government infrastructure, breaches will continue to persist and will likely become more severe in nature.

That said, we understand the threat landscape and already have tools in our arsenal to build better security practices and guidelines. The question is which states will actually implement them, and which will wait until it’s too late?

metamorworks/Getty Images