Cities should prepare for cybersecurity breaches, experts say

August 5, 2024
by Stephanie Dickrell, St. Cloud LIVE; reprinted from West Central Tribune, June 8, 2024

 

Imagine this: A city staffer gets an email telling them to send funds to this account number for that new million-dollar fire truck. The staffer does, but the company soon calls asking about the payment.

Or this: A water treatment system is suddenly dumping 100 times the safe amount of a certain chemical into the water supply. This wasn’t an employee error or a technical error. It was the result of an outside hacker messing with the system to cause harm.

These are the scenarios that keep cybersecurity experts up at night.

The threat to local government is small but growing, said Christian Torkelson, cybersecurity loss control field consultant for the League of Minnesota Cities.

At a recent League of Minnesota Cities safety and loss control conference in St. Cloud, insurance agents and city staff watched as Torkelson walked through the types of cybersecurity claims the League is seeing.

There have been about 100 claims over the past 10 years, but the number is trending upward and is likely to grow, he said. And it’s likely that not all incidents are reported, Torkelson said. Cities aren’t getting targeted by highly sophisticated criminals.

“It’s more of the dragnet, shotgun approach to cybercrime,” he said.

 

What data is at risk?

The type of data at risk in city systems isn’t extensive. Other agencies such as health care systems and law enforcement may have more damaging personal data than the typical small city, but they also tend to have better cybersecurity protections. Smaller cities aren’t likely to have full-time IT or cybersecurity experts on staff.

The biggest cache of data is city employee data, which a typical employer collects. But there’s also permitting and licensing data for stuff like liquor licenses, construction permits, burning permits and business licenses. The type of data collected can vary by city but sometimes involves background checks.

If a city runs a utility and bills for services like sewer and water access, the system will also have customer information, such as bank account and credit card numbers.

 

How does fraud happen?

Phishing schemes can give cybercriminals access to email inboxes, and it only takes one person to click a malicious link to compromise a system.

“It’s a strategy that a lot of criminal hackers implement to basically get access to as many accounts as possible,” Torkelson said. “And they’re usually not looking for any particular thing. It’s like a dragnet operation, and so they’re just trying to get access to anyone and everyone they can.”

Cities are particularly at risk from bad actors because they conduct so much of their business in public. Open meeting laws and public document access requirements mean cybercriminals can get a lot of information about what transactions a city is working on.

“So when scammers want to target a city, they’ve got a treasure trove of information that they can use to sort of intercept and get in between the vendor and the city to impersonate the vendor,” Torkelson said.

But the money might be recovered if the fraud is discovered and reported quickly, he said.

“That’s one of the reasons when somebody suspects something’s wrong, it’s important to act on it as quickly as possible,” Torkelson said.

“There’s sort of a natural embarrassment or shame. That’s a human reaction, but we want people to understand it happens and that there are people there who can help. The sooner you ask for that help, the better,” said Dan Greensweig, administrator at League of Minnesota Cities Insurance Trust.

 

Other threats

Other threats, such as ransomware attacks, have happened to cities, Torkelson said. Ransomware is when a bad actor steals or encrypts files, then demands money to unlock them or in exchange for a promise not to release them publicly. But ransomware attacks accounted for only about 16% of the claims made to the League in the last 10 years, he said.

There are a few ways cities can combat those attacks, he said. One is to have immutable backups of city information: storage that can’t be overwritten for a set period of time.

Cities should also consider advanced antivirus technologies, which flag suspicious behavior, Torkelson said. Traditional antivirus software searches for known viruses, but these can be easy to fool, he said.

 

Emerging risks

The scarier end of cybersecurity breaches is in the realm of critical infrastructure, including sewer/water treatment, traffic and transportation systems, energy generation or distribution, dams and levees, police and emergency services and airports. If access to those is tampered with or blocked, there could be health and safety risks for residents.

“Think about what happens if someone’s able to disrupt power generation. What’s it look like if you can’t deliver water to a community for a while or if you compromise that water treatment?” Torkelson said. “That’s what keeps me up at night.”

These systems haven’t been seen as potential targets in the past but are more vulnerable now.

“You have a whole industry that was really designed to promote simplicity and robustness and availability of systems, and not security at all,” Torkelson said.

Staffing shortages and the pandemic meant that a lot more of these systems were being run remotely via the internet and by fewer people who had less training, he said.

To prevent breaches, critical infrastructure should be isolated from other city IT systems to make them harder to access. Employees should also have the ability to manually operate those systems if automated controls aren’t working.

“Does your treatment plant staff know how to turn the dials and adjust the valves…where they’re running the system manually?” Torkelson asked. That can be used as a backstop if an attack occurs, he said.

 

The X-factor: humans

Data breaches where nonpublic data is accessed can happen in a variety of ways, but in about half the cases the League has seen, it’s due to a staff error, not a malicious cybercrime, Torkelson said. That could simply mean sending an email or spreadsheet to the wrong person or uploading unredacted information to a website.

But city employees are targeted with phishing attempts because playing on human behavior is often the most cost-effective and efficient way to gain access, Torkelson said.

Phishing includes emails with malicious links or attachments that will allow malware to be installed or trick an employee into sending sensitive information inadvertently. They can exploit hierarchical relationships, where an employee wants to impress a boss, or target people near holidays or weekends because employees are more rushed.

“What they’re trying to do is put us on our back feet into a reaction mode, so we’re not critically thinking about it. We’re just reacting,” Torkelson said. “It’s easy to fall into these traps, without a doubt.”

And scams are only going to get more effective and harder to detect with AI manipulations of photos, videos and voices.

But it’s not hopeless, Torkelson said.

“There’s a lot of evidence that suggests that it can get better and that if we do regular training and sort of become aware of the tactics and methodology, we–as people–do get better,” he said.

 

What should cities do?

The League of Minnesota Cities has a number of services to help cities mitigate their cybersecurity risk. They include:

  • Creating cybersecurity policy and plans
  • Assessing security and risk
  • Procurement assistance, including reviewing vendor proposals and helping create Requests for Proposal on IT/cyber solutions
  • Cybersecurity training
  • Insurance coverage

Cities can mitigate risk by enabling multifactor authentication on city email accounts. This authentication requires a password and other means of access, like a one-time code. It makes it much harder for bad actors to gain access. Multifactor authentication is already built into some software–cities just have to use it.

Torkelson also encourages cities to set up an Electronic Funds Transfer Policy. It’s a validation step or procedure employees must follow if they get a request to change payment information, which could include contacting a trusted source directly to verify the change. This prevents fraudulent payments from being made.

“And there’s no technology you need to implement in order to make this work,” he said.

 

What should residents do?

Residents should ask their city staff or local government officials what they’re doing to protect the security of their technology systems.

And residents have to think smart too. For instance, if you get an unsolicited call from someone claiming to be a city clerk or sheriff’s deputy, contact the entity directly to verify the validity of the request, Torkelson said.

“I don’t think residents need to be panicked about this…I think they just need to think about it the same way they do if you’re dealing with…a vendor that you’re dealing with online,” he said. “I also think that residents want to be aware of their own cyber hygiene.”

 

More information

For more about keeping yourself and your information safe from cyber attacks, view this resource from CISA.gov. Visit the League of Minnesota Cities website for more information on their cybersecurity services.