Cybersecurity for Urban & Suburban Municipalities – Part 1: An Overview
6 min read
In the past few years, the Biden Administration has repeatedly demonstrated that infrastructure cybersecurity is a national security priority through the Federal Emergency Management Agency (FEMA) and Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), as well as multiple pieces of legislation, including the Bipartisan Infrastructure Deal which was signed into law by President Biden in 2021.
“The Bipartisan Infrastructure Deal is the largest investment in the resilience of physical and natural systems in American history.” – White House briefing – 2021.11.08
While there are several prominent cybersecurity frameworks developed by different organizations, the consensus among them is that IT security professionals should focus on protecting the confidentiality, integrity, and availability of IT assets: data, networks, devices, and systems, widely known as the CIA Triad.
Confidentiality refers to the idea that only authorized users can access specific assets and data.
Integrity requires that the data is accurate, authentic, and reliable.
Availability of data and assets mean that they are accessible to authorized users when access is necessary.
Municipal governments, like counties, cities, and towns, have a number of assets that must be considered when developing their unique cybersecurity strategies:
1. Municipal Government Systems: A municipal government typically relies on a variety of IT systems for managing various services such as public utilities, taxes, local rules & regulations, health and human services, elections, and more. These systems often contain sensitive information about both its residents and its operations, making them attractive targets for attackers.
A loss to critical county systems could have a serious impact on the ability to provide critical services to residents.
Securing these systems is a crucial step in mitigating the risk of a breach, and any resulting fallout.
2. Public Safety and Emergency Services: Public safety and emergency services technology include systems related to fire, emergency medical services, and other first responders. Any disruption to these services due to a cyberattack could have serious, potentially life-threatening consequences.
Furthermore, if a threat actor is aware that emergency systems are down, they may be incentivized to engage in other types of criminal activity, knowing that response times will be affected. This threat actor could be the same one behind the original cyberattack, an accomplice, or an unrelated third party seeking to take advantage of an exposed vulnerability.
3. Infrastructure: This involves public works, transportation, water, and power infrastructure which could be vulnerable to attacks, especially if they are based on older technology.
In recent years, attacks on public infrastructure have been rising, with attackers attempting to disrupt essential services or hold them until a ransom is paid.
The $1.2 trillion Infrastructure Investment and Jobs Act signed by President Biden in 2021 allocated ~$2 billion to cybersecurity, including $1 billion to be distributed to state and local governments, making it “the largest investment in the resilience of physical and natural systems in American history,” according to the White House.
4. Data Protection and Privacy: A municipal government likely stores substantial data and information about its residents, employees, vendors, contractors, and local businesses.
A loss of this data could be could result in lawsuits, litigation, and settlements because it likely would include sensitive information, including personally identifiable information (PII), and potentially even protected health information (PHI).
Protecting this data from theft or loss is crucial, both to protect all stakeholders, public officials, and to maintain trust in local government.
5. Community Services: Public libraries, schools, community centers, and other public spaces often provide high-speed internet access and computers for public use. Many cities even provide free public wifi.
These systems and the supporting infrastructure need to be secured to prevent the spread of malware and to protect users from online threats.
6. Education and Awareness: It’s important to educate county staff and the public about basic cybersecurity practices. This can reduce the risk of attacks succeeding due to human error or ignorance.
Robust and ongoing education and training programs can increase vigilance among municipal employees, local businesses, and the general public, alike, which is the best first line of defense against cyberattacks.
7. Vendor Risk Management: City and county governments often contract with third-party vendors for various services. These relationships often necessitate these vendors having access to sensitive systems and data.
Additionally, public officials likely have neither the bandwidth nor the technology to maintain day-to-day visibility over vendor operations.
The best way to mitigate these risks is to ensure that any public contracts, through the open request for proposal (RFP) mandate that contractors follow certain SOPs, best practices, and are subjected to regular audits.
8. Incident Response: It is impossible to completely eliminate the risk of cybersecurity attacks. As such, any organization, especially municipal governments, must have contingency plans in place to respond to cybersecurity incidents.
These plans should include identifying and closing security gaps, investigating incidents, recovering from attacks, and communicating about incidents with the public and with any relevant authorities.
9. Internet of Things (IoT) Technology: The Internet of Things (IoT) refers to the series of interconnected and network-connected devices that collect data and interact with cloud applications.
Municipal governments generally utilize many types of IoT devices, including smart streetlights, traffic lights, and traffic sensors.
The 2003 remake of The Italian Job featured Lyle (played by Seth Green) as the larceny team’s resident hacker. In one scene, he is sitting in the baggage claim area at Los Angeles International Airport (LAX) and using his computer to hack into and remotely control traffic lights to route the target armored truck to a specific location.
While this example may be a dramatized, Hollywood-version of an IoT attack, the threat remains.
10. Election Security: Cities and counties are almost always involved in managing elections. Ensuring that election systems are secure to protect the integrity of the electoral process is a critical cybersecurity concern.
Election security and integrity are even more critical, particularly after the 2020 election cycle when there have been allegations of widespread voter fraud and election tampering. It is difficult to imagine how a company like Dominion Voting Systems would be able to demonstrably disprove such allegations without robust cybersecurity controls and practices, such as logging and monitoring.
Public officials should craft cybersecurity strategies and plans based on the specific needs of their jurisdictions.
These 10 areas provide an overview of cybersecurity concerns for urban and suburban municipalities; however, it is by no means exhaustive. Public officials should craft cybersecurity strategies and plans based on the specific needs of their jurisdictions and constituents. In Part 2, we will explore, at a high level, actions that municipal governments can incorporate into their overall strategies to improve cybersecurity.
Do you work for a city or county? Are you interested in learning more about how you can help improve cybersecurity?
Schedule a time to talk to SOHUM.agency today!
About The Author
3 thoughts on “Cybersecurity for Urban & Suburban Municipalities – Part 1: An Overview”