As Executive Management, City Council Leaders and Board of Directors for Municipalities and Public Power, two key parts of your responsibilities are the fiscal health of your entity and risk management for it. One of the biggest threats to both fiscal health and the management of risks today is cyberattacks. Ensuring you are well protected from such threats usually falls to your IT department or a third-party IT company. But how do you know they are making their best effort, within their constraints, to protect you? Most IT staffers are not cybersecurity experts, and odds are you are not either.
While important, the difficulty of understanding and implementing a cybersecurity program often causes the leadership team to unintentionally overlook it, placing trust in the IT staff to ensure the utility is protected against cyber threats. This approach often works well... until a cyberattack occurs. Since public power leadership bears responsibility for overseeing all aspects of operations, they are typically a focal point in the chaos surrounding the aftermath of a cyberattack. This makes risk management and accountability for a cyberattack not just an IT concern but a broader concern for the utility's management team and board, as well as city government. By understanding your entity's risks, vulnerabilities and position within the broader attack landscape before an incident occurs, entity leadership can guide decisions to address shortcomings and start mitigating risks.
While the entity's leadership has a wide range of responsibilities, cybersecurity has risen to the top in importance. Are you sure your utility is prepared to detect and quickly respond to cyber threats? The cost and impact of cyberattacks against municipalities and public power are well documented and have affected entities of all sizes.
- Medium Public Power Utility – A ransomware attack delivered via phishing disabled the accounting system, email and customer service phone lines. The utility eventually paid the hackers a $25,000 ransom to reopen the network. The cost of the clean-up, aftermath and additional security measures has surpassed $3M.
- Public Power Joint Action Agency (JAA) – Malware was filling all of their servers' hard drives for over two weeks. Every day the JAA thought they had fixed the issue, only to find it happening again the next morning. Working with N-Dimension Solutions (NDSI), they found the cause and NDSI helped the JAA fix it. The issue was that a hacker was logging into the system every morning using a valid VPN user name and password and releasing the malware.
- Large Municipal Utility – Had their Interactive Voice Response (IVR) system hacked, which gave the hackers access to municipal databases where customer records were breached.
- Small Public Power Utility – Hackers accessed the utility's Advanced Meter Reading (AMR) system and accessed over half of their customers' records. Several utility directors and city officials lost their jobs.
- Large Municipality – Hit with ransomware, refused to pay the $75,000 ransom and has spent over $23M in clean-up efforts to date.
The American Public Power Association (APPA) has developed a Cybersecurity Scorecard to assist municipally owned utilities in evaluating where they stand with their cyber defenses and the recommended next steps. This is a great starting point for you. The scorecard takes less than an hour to complete and will give you a baseline to measure against as you improve your cybersecurity posture.
To further assist, we have developed key questions you can ask your IT department or third-party IT vendor. These are designed to be straightforward and to help you understand the defenses in place.
- What do your cybersecurity defenses actually protect? All key assets must be protected. Consider every resource that, once compromised, could create risk. This includes physical assets, customer and employee records, substation controls and backup systems; all of it should be assessed and have protection in place.
- How good is your entity's cyber-hygiene? Good cyber-hygiene means you are secured by off-line backups, timely installation of software updates and patches, defined IT and information roles and privileges, and proper user authentication. Vulnerabilities of assets should be identified and reevaluated on an ongoing basis, and there should be an active plan of action to address them. A vulnerability scanning service like the N-Sentinel Vulnerability Scanning Service should be used often.
- What defenses are in place against a cyberattack? Protecting network borders with a firewall is only a first line of defense. Many cyber threats, phishing attacks for example, are launched from inside the network and easily get past firewall boundaries. Best practices for cybersecurity require a multi-layered approach that includes technology (firewalls, anti-virus, continuous threat monitoring, periodic vulnerability assessments), policies (passwords, access control) and employee training with testing to ensure understanding.
- What is the remediation plan when a cyberattack occurs? Best practices include having a remediation plan in place before a cyberattack occurs. IT should have a plan and access to the knowledge needed to take the right measures to shut down a threat quickly, minimizing potential damage. Network maps and an inventory of IP addresses, hardware and software need to be completed and updated weekly. Contact information for outside agencies (FBI, Homeland Security, National Guard, etc.) that can assist if an attack occurs should be known and posted.
- Is your entity's board actively engaged with cyberattack defenses and a remediation plan? If you are unsure, then it's time to address your cybersecurity plan. Entity directors can be held accountable for the damages from a cyberattack – protect your utility, protect yourself.
- Is your entity using cybersecurity monitoring from a leading firm like N-Dimension Solutions? Network monitoring is different from cybersecurity monitoring of a network. Network monitoring checks the throughput and speed of the networks. Cybersecurity monitoring watches for malware, hacks and ransomware that the firewall and malware protection software miss. It usually takes malware protection software 230 days or more (per FBI 2019 data) to detect malware on your network. Cybersecurity monitoring often detects and stops ransomware before the malware releases it.
Here is a simple, free way to take the first step towards understanding your entity's cyber risk and improving your defenses. N-Dimension offers a free 60-day trial of its cybersecurity monitoring to any entity that is interested. This is a great way to check your IT and OT networks for issues while working with cyber experts on your defense posture. If you work for a public power utility that is part of APPA, there may be DoE grant funding available for you to try the N-Dimension cybersecurity monitoring free for a full year. Please contact Scott Mossbrooks (firstname.lastname@example.org) for additional information and assistance.
At N-Dimension, we have focused on reducing the risk of cyberattacks against utilities and their critical infrastructure for over 17 years. We work closely with utilities and offer a complete solution for ongoing threat monitoring. Customers have access to our team of security experts, who guide IT staff and third-party IT vendors on preventative measures to improve security posture and provide expert guidance on the actions to take if an attack occurs or malware is detected. Don't wait until you are attacked – start cybersecurity monitoring now!