As a cybersecurity professional, I work with organizations every day to enhance the various aspects of their cybersecurity programs, from foundational capabilities such as data classification to more tactical functions like incident response. I’ve seen the real-world impacts that various types of attacks have on an organization and the efforts that go into recovery. But aside from the typical phishing emails, I’ve never personally felt a substantive impact of a cyber-attack. That was not until I received a notice from the city of Baltimore, Maryland, regarding my water bill being delayed due to a ransomware attack.
Generally, the goal of a ransomware attack is to keep the data owners away from their data resulting in impacts to business processes, and in many cases stopping business processes altogether. Once the critical resources are unavailable, a ransom is demanded for their restoration. The more critical the business process, the more the organizations may be willing to make the ransom payment. Baltimore is one of the more well-known examples of this growing attack vector, but it is not alone. Ransomware is growing in both frequency and severity, and is becoming an increasing burden on organizations of all types.
Of late, it appears that attackers are increasingly targeting state and local governments and their agencies across the US. In fact, in 2019 there were 140 publicly disclosed ransomware attacks and that trend doesn’t appear to be slowing. These local government agencies have been seen as prime opportunities by attackers as many small, and even some large agencies, typically have older infrastructures with many inherent vulnerabilities. And since many agencies’ key focuses are on serving their citizens and not preparing to address cyber threats, there is typically a general lack of a comprehensive cybersecurity program. In an attempt to address the growing concern of ransomware, mayors across the US signed a resolution in 2019 to not pay a ransom in order to curb the attractiveness to attackers. While this is a good first step to address this growing threat, much more must be done to ensure that organizations are prepared to address ransomware.
The first step starts with identifying the assets (data and systems) critical to the organization’s business processes. By determining the technical resources that support the business process and assessing the impact of those resources being unavailable, appropriate protection requirements and security controls can be implemented. Additionally, manual or alternate data processing procedures can also be developed to ensure greater resiliency. In the example of Baltimore City, one of the critical systems impacted was the city’s water billing and payment system. During the ransomware attack, the city was unable to generate water bills or accept online payments, causing a temporary loss of revenue for the city. The city resorted to in-person processing of water bill payments while the online system was down.
The next critical step is to ensure that the systems that support critical business processes are supported by a sufficient backup and recovery strategy. Based on the criticality of the system and/or data, appropriate recovery time objectives and recovery point objectives will need to be established. These objectives will drive the frequency of data backups, which must then be married to a robust restoration strategy. For the backup and recovery process to be successful in practice, it should be tested on a routine basis so that there are no issues in the event that an organization is impacted by a ransomware attack.
With respect to Baltimore, the city hired security consultants and leveraged resources from the state of Maryland to bring the impacted services back online at a cost estimated to be more than US$18 million – and I was finally able to pay my water bill after a two-month delay in receiving it. While this attack caused impact to the system used for making payments for utilities, it’s easy to see how more advanced attacks could affect the systems involved in the delivery of utilities.
While there are additional steps that may be taken to improve overall resiliency, these initial steps will help organizations to begin focusing their efforts on building resiliency around the resources that support critical business processes.