No excuses, reflects industry, after trio of Florida cities are hacked and held to ransom
There should be few excuses for cyber attacks, and the buck stops with senior managers for failing to prevent and minimise their impact, even as the volume of connected ‘things’ spirals upwards and the threat landscape spreads outwards.
This is the view of industry commentators, reflecting on the recent spate of three cyberattacks on Florida IT systems and over $1 million in ransom payments.
The Village of Key Biscayne, a town of about 3,000 residents off the tip of Miami-Dade County, discovered a data security “event” at the end of June, according to reports. Weeks prior to the Key Biscayne incident, the Florida towns of Lake City and Riviera Beach had paid about $460,000 and $600,000, respectively, to hackers to hand back control of email and other servers.
It emerged last week that Lake City, a town of just 15,000, had fired an IT staffer, a director of information technology, following the cyber attack and bitcoin ransom. But analysts said responsibility for proper security procedures should go to senior city management, even if planning and execution is carried out by IT departments. There are no excuses for getting it wrong, they said.
Michela Menting, research director of digital security at ABI Research, commented: “Ransomware demands are becoming so commonplace. In large part, the city managers are to blame.
“In smart systems, security and safety are a pair, and failure to provide adequate cybersecurity measures when implementing any such infrastructure is bound to lead to problems, whether caused by malicious threat agents, as is the case in Florida, or simply due to employee misconfigurations or other mistakes.
“Clearly, those managers have failed to undertake the appropriate cyber-risk assessments in their smart-city planning, or, if they have, they have ignored the imperatives. Firing an IT employee just shifts the blame, and makes a scapegoat. Managers and city administrators are equally to blame for the failure.”
Tanner Johnson, senior analyst in cybersecurity technology within the IoT division at IHS Markit Technology, called the Florida ransomware episodes “simply the most recent examples of a quickly-growing trend.”
In the end, the firing of the Lake City IT manager was logical, suggested Tanner, but he also said that more senior-level managers in cities, especially as cities grow ‘smarter’, must put in place training and audits to minimise human error.
Johnson said: “The [Lake City] employee was effectively a ‘man-on-the-inside’ for the hackers without realising it. Actions like these, from legitimate users, cannot be easily mitigated through traditional security products or services. The only steps that can protect an organisation from the negligence of its own staff are regular education, security audits, and training.”
Eric Woods, research director at Navigant Research, said: “These events are a reminder that while there is a growing focus on the cybersecurity threats associated with IoT and smart cities, there are also more fundamental vulnerabilities that cities and other public agencies need to address.
“Rigorous security procedures – such as timely deployment of the latest patches, strong password protocols, device management, user education on viruses – are the bedrock of any cybersecurity strategy. Organisations need to ensure these are in place. This will also provide a strong foundation as they address future issues around broader IoT deployments for example. Otherwise any IoT cybersecurity system will be built on sand.”
Lake City’s IT systems were infected with malware on June 10, after an employee opened an email attachment infected with a trojan virus, which triggered ransomware that spread to the entire network and encrypted files. City leaders agreed to the ransom on June 24 to release the town’s IT systems.
Riviera Beach, a coastal suburb of 35,000 in Palm Beach, paid hackers a $600,000 bitcoin ransom in mid-June to get its computers working again, after a similar virus disabled its systems on May 29.
Menting at ABI Research said senior management teams are complicit in security failures, as much as in good practices.
“Securing operational systems such as those employed in smart-city settings requires knowledge not just in IT and cybersecurity – two different, albeit related, disciplines – but also knowledge in operational technologies, which requires a completely different skillset and expertise than either IT or cybersecurity. As such, IT employees are not always likely to be versed in cyber and OT,” she said.
“Smart city planners not only undertake proper cyber risk assessments, but train IT staff in cybersecurity and OT or hire the right professionals. The weakness of smart city security – and payment of ransoms – only encourages criminals. Cybersecurity planning permissions should perhaps be required for smart city implementations – and certainly city managers and administrators should be held responsible for their cybersecurity failures.”
Johnson at IHS Markit reflected that security and convenience are mutually exclusive, and the tradeoff is being brought into sharp relief by the multiplication and complexity of interconnected sensors and systems, being deployed to bring automation, efficiency, and intelligence to enterprise systems.
“The more checkpoints that exist in a given system, the more secure that system is from compromise. Each security step in place represents a hurdle that requires additional time and effort for users to navigate. This is the core tenet behind the practice of ‘defense in depth’, so if one security mechanism is circumvented, others remain. But these same security measures can be viewed as roadblocks that hamper efficiency within an organisation,” said Johnson.
The only surefire defence is to back systems and files up, and keep them in isolation, so they cannot be taken hostage. “The only true defence against a ransomware attack is an effective data backup solution,” he said.
“By regularly backing up data, and segmenting systems on networks, organisations can more rapidly respond to any extortion attempts from hackers. Sadly, hackers have been known to refuse to cooperate with their victims even after receiving their payment. It’s far easier to have a comprehensive data backup plan in place, than to rely on a criminal to ‘keep their word’ during a ransom negotiation. The saying that ‘an ounce of prevention is worth a pound of cure’ is as applicable in the world of technology as in any other.”