On Feb 5th, 2021, a hacker gained remote access to a water treatment plant in Oldsmar, Florida, and was able to adjust the amount of sodium hydroxide in the water from 100 parts per million to 11,100.
Thanks to the physical fail-safes and alarm systems put in place by the county, operators were able to quickly reduce the levels back to the appropriate amount, and no permanent damage was done to the city’s water supply. As of the writing of this article, both the FBI and the Secret Service are treating the investigation as a national security issue.
Over the last year, I’ve spoken with state IT teams throughout the U.S., and discovered that, while states responded effectively by enabling the move to a virtual working environment, the race to establish remote operations has exposed huge cybersecurity vulnerabilities within local municipalities: the struggle for adequate funding, the challenges in attracting skilled IT workers, and the widening cyber threat landscape are pushing municipalities to the brink.
The canary in the coal mine
In the last year, Remote Desktop Protocol (RDP) attacks increased by over 768%. For cybercriminals looking for vulnerable victims, local governments and municipalities with lax remote work security protocols are perfect targets for ransomware and other malicious actions.
According to the 2020 Deloitte-NASCIO Cybersecurity Study, most states still allocate less than 3% of their total IT budget to cybersecurity. This lack of funding for secure infrastructure has left many states unprepared to address security issues during COVID-19. Just 40% of state CISOs feel somewhat confident that their state information assets are adequately protected from cyberattacks targeting local government and public higher education entities.
For local governments and municipalities, the security challenges are even greater. According to the same study, only 28% of states reported that they had collaborated extensively with local governments as part of their state’s security program during the past year, with 65% reporting only limited collaboration.
This lack of coordination between states and local governments comes at a major cost. Almost 60% of state CISOs say the cybersecurity capabilities and controls of local government and public higher education entities are unknown. Essentially, local municipalities and governments are running fully remote while completely blind.
The challenge for municipalities and local governments
Unlike many businesses, the majority of municipalities have a high dependency on on-premises infrastructure, whether for their servers, central switching, core communications, or workspaces. The lack of state oversight has allowed local governments to lag behind when it comes to investment in secured network infrastructure and administrative tools. All too often, regular audit logs are not kept for remote activity, and many local governments do not engage in regular security audits.
Instead of each state trying to come up with its own framework, state governments need to rapidly adopt general industry frameworks such as NIST 800 and provide much-needed resources and manpower to update the IT frameworks and systems used by municipalities and local governments. This same standardization should apply to all third-party government contractors.
Until standards like NIST 800 become statewide mandates, individual IT leaders need to focus on creating IT environments that adhere to standards across the board, from NIST to their operations and technology stacks.
The specific framework that state IT leaders immediately need to focus on is NIST 800-171. For municipalities that lack the manpower or expertise to meet this framework, there are many third-party services and platforms that can provide these critical controls, from the physical datacenter to the user’s virtual login. Professional, trusted platforms can help offset many of the challenges facing state IT departments, freeing up valuable IT resources.
It is my opinion that unless local municipalities are given both the resources to invest in secure IT infrastructure solutions as well as clear guidelines from states mandating general industry frameworks, we will see the number of cyber intrusion incidents such as what happened in Oldsmar dramatically increase over the next year.