Far from being too small for notice, small, less-resourced critical infrastructure operators can be tempting to ransomware attackers. Cyber extortionists often would rather hit an array of easier targets than pursue bigger payouts from wealthier but more robustly defended organizations, said Chris Krebs, former Cybersecurity and Infrastructure Security Agency (CISA) director and currently founding partner of cybersecurity advisory firm Krebs Stamos Group.
“If I’m an economic, rational actor, as a cyber actor … I'm not looking for a whale necessarily,” Krebs said during an April 12 e.Republic* webinar. “I'm probably shopping in volume here and going after multiple targets that may not have had the resources or the manpower to really get the level of security up to what they would have liked” due to budget and revenue constraints.
Cyber extortionists may also count on providers of vital services doing whatever it takes to get back up and running, fast.
And foreign adversaries may target such operations in efforts to cause widespread disruption and panic. Just this week, the Ukrainian government said it defused a Russian cyber attack that would have cut off electricity to 2 million people if successful, per the Associated Press.
TACKLING THE CYBER RISK
Webinar attendees indicated that cyber threats are not abating.
In a poll conducted during the event, 39 percent of 62 respondents said the volume of cyber threats in their district had risen during 2022 and 29 percent said volume remained at 2021 levels. Another 29 percent were “unsure,” and only 3 percent reported threats decreasing.
Krebs said that districts should pay particular attention to how the security of their operational technology (OT) and industrial control system (ICS) configurations. Districts need to ensure they understand exactly how their system integrators, original equipment manufacturers (OEMs) or other vendors are keeping everything safe and to question anything that seems amiss.
“Work through, like, ‘Wait a second, how are these things remotely managed? And why is that exposed to the Internet like that? Why the heck do we have a default password sitting on that box?’” he said.
Districts need to put similar attention on their cloud service providers, too.
“A lot of the providers that are out there right now aren't necessarily up to speed or up to snuff,” Krebs said.
REACTING TO RANSOMWARE
Ransomware attacks remain a high-priority threat, Krebs said. Thirty-eight percent of 68 respondents to a webinar poll named ransomware one of “the most common cyber threats” they face.
Krebs advocated for not paying ransom so as to deny perpetrators profit. Paying also can fail to give victims the expected relief, because extortionists aren’t necessarily strong providers of customer support and because decryption keys may fail to work or may work slowly.
Special districts hit by cyber incidents should contact their lawyers for advice as well as alert their bosses, the FBI and CISA, Krebs said. The latter reporting would become obligatory for critical infrastructure owners and operators under a to-be-implemented law.
“Don't try to hide these events. It only gets worse for you down the road,” Krebs said.
The federal government ranked low on webinar respondents’ lists of who they’d turn to for help following a cyber incident impacting their districts.
The 48 webinar members who responded to this poll question favored reaching out to existing partners: 40 percent said they would contact third-party vendors with which they already had contracts and 40 percent would contact cyber insurance providers.
They were next-most likely to contact state IT or cybersecurity agencies (38 percent), followed by local ones (35 percent) and federal (27 percent). Twenty-three percent of respondents would contract a third-party vendor specifically to help handle the incident, and only 15 percent would turn to federal, state or local law enforcement.
FIGHT PHISHING, NOT EMPLOYEES
Not all important cyber threats are sophisticated ones. Eighty-two percent of 68 respondents named “phishing” as one of their most common threats.
Some organizations try to train employees to be alert to such schemes by sending fake phishing emails and seeing who’s tricked into clicking a risky link. Some penalize employees who succumb or assign them to more cyber awareness training.
But Krebs said a stronger approach is to adopt defensive measures that reduce how much damage could occur from an employee making a mistake.
“You should be able to put your employees in a position where they can't turn over their credentials, or if they do turn over their credentials — like the password — it shouldn't matter, because you have other security processes in place,” Krebs said.
That includes adopting robust forms of multifactor authentication (MFA), such as those using authenticator apps or hardware tokens as the additional authentication measure. MFA that relies on texted one-time passwords risk being intercepted by savvy criminals.
RESOURCES FOR SPECIAL DISTRICTS
The high number of respondents who listed phishing as a common threat underscores that it’s not enough for defensive tools to have been developed against a line of attack, Krebs said. Organizations can still struggle to adopt them at scale.
Federal supports like CISA’s cybersecurity coordinators and various money streams can help, however.
Alongside tapping any remaining COVID-19 funds and money from the Infrastructure Investment and Jobs Act, special districts can likely find a variety of grants from organizations like FEMA that are aimed at cybersecurity initiatives, Krebs said. Special districts can also gain insights from high-level federal strategy documents that may give insights that they can apply to their own setups.
* e.Republic is Government Technology’s parent company.
