TECH INSIGHTS: Water Supply Attack Illustrates Security Lessons for Municipalities
The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.
During the first week of February in Oldsmar, Florida, a hacker tried to poison the city’s water supply by increasing the amount of lye to dangerous levels. While the city fended off the attack, it’s still scary to contemplate what hackers can potentially do in 2021.
An attack on your water supply may not be one of your daily worries. However, if we look at some elements of the attack analyzed by a Cybersecurity and Infrastructure Security Agency (CISA) alert, we will see some areas of concern that overlap with your municipality’s cybersecurity strategy—or lack thereof.
Poor, unenforced password policies are one of the most common vulnerabilities for municipalities. Passwords are often simple (“123456”), shared (such as administrative passwords shared among employees), rarely changed, and the same passwords used across many applications. Hackers have long been able to use automated software to hack into systems with common or breached passwords.
A password policy that requires the use of complex, unique, frequently changed passwords strongly positions you against a hack. Even better, Two-Factor Authentication (2FA) will require another step (such as inputting a code sent to your phone) that makes it difficult for a hacker to enter your systems.
Outdated operating systems
As of March 2021, about 16-17% of devices use Windows 7—an outdated operating system no longer supported by Microsoft. That means it’s likely many municipalities still use Windows 7. When you use an outdated operating system, you are no longer receiving security patches to shore up cybersecurity vulnerabilities. Hackers know this. They look for municipalities running outdated operating systems and exploit those systems based on widely known vulnerabilities. Maintaining an up-to-date operating system is critical for your cybersecurity.
In its alert, CISA talks about the malicious use of TeamViewer, a software that allows people to remotely access and control your desktop. Obviously, use of this software can often be legitimate. However, when phishing emails and social engineering tactics are used to trick an employee into giving a hacker remote access to their computer, a lot of damage can occur once the cybercriminal is inside your network. It’s imperative that you regularly train your employees about common phishing tactics, scams, and social engineering tricks while reminding them about policies related to downloading unauthorized software.
Investments in security
Many proactive tools exist to help prevent cybersecurity attacks before they happen. In its alert, CISA recommends strong antivirus software, antispam software, and firewalls. We would go a step further and recommend Advanced Endpoint Detection. Modern antivirus software is often ineffective, by itself, against sophisticated hackers. Advanced Endpoint Detection adds an important layer of protection that helps you more proactively prevent cyberattacks while quickly isolating infected devices so that malware doesn’t spread throughout the rest of your network.
Tools are great but often ineffective without professional oversight. In its alert, CISA recommends audits that cover network configurations, Remote Desktop Protocol (RDP) security, the isolation of unsecure devices from your network, and the observation of user activity so that suspicious access can be quickly suspended. Activities such as user authentication monitoring, intrusion detection/prevention, security scanning, and Dark Web monitoring can all ensure that critical municipal operations are secure.
About Joe Howland
Joe has been in the IT industry for over 20 years and has extensive IT management experience that spans multiple industries. A UCLA grad with a degree in Mathematics Computation with a Computer Specialization, he worked with Computer Sciences Corporation for 10 years supporting defense and financial sector contracts. Joe joined VC3 in 2009 and during his time with VC3, Joe has performed in the role of Virtual CIO for some of VC3’s largest government customers. Joe is currently VC3’s Chief Information Security Officer and is responsible for VC3’s IT security as well as advising on security for VC3’s customers.
VC3 is a leading managed services provider focused on municipal government. Founded in 1994 with offices across the east coast, VC3 forms partnerships with municipalities to achieve their technology goals and harness their data. In addition to providing comprehensive managed IT solutions, VC3 offers cybersecurity, website design, custom application development, and business intelligence services. Visit www.vc3.com to learn more.