In September 2022, Suffolk County, New York, became the victim of a ransomware attack carried out by the AlphV/BlackCat group. This incident crippled government services for months, disrupted emergency operations, and cost the county over $25 million in remediation. A recent legislative report offers cybersecurity lessons for municipal governments by revealing the failures that exacerbated the attack’s impact. Here’s how these insights can be applied to improve cybersecurity protocols within local government structures:
Chief Information Security Officer (CISO)
The absence of a CISO in Suffolk County left the IT systems disorganized, with various departments operating independently. Without a centralized figure to oversee security protocols, threat responses were delayed or mishandled. Every municipality should appoint a CISO responsible for overseeing the cybersecurity framework, implementing policies, and ensuring communication between departments. This role is important for implementing a defense strategy where multiple IT teams manage different areas of government operations.
Cyber Incident Response Plan
The report explains that Suffolk County lacked a cyber-attack response and recovery plan. This omission led to confusion and delayed remediation efforts, as staff across departments were unsure of how to coordinate their efforts. All municipal governments must have a well-rehearsed incident response plan. This plan should include roles, escalation processes, and actions for both internal IT teams and third-party vendors. Training and table-top exercises will ensure stakeholders are familiar with their responsibilities during an incident.
Firewall Management and Updates
One issue in Suffolk County was the creation of a pass-through in perimeter firewalls for the Clerk’s Office. This allowed suspicious data traffic to bypass security controls, exposing the entire county to risk. Several firewalls had also reached end-of-life status, meaning they were no longer receiving security patches. Firewall rules should be tightly controlled, and no exceptions should be made without documented risk assessments and approvals. Municipal IT teams must also establish upgrade schedules for firewalls and other security infrastructure, ensuring no systems remain unprotected due to outdated software.
Monitoring and Threat Detection
Although Suffolk County used Palo Alto Networks’ Cortex platform to monitor network activity, alerts were ignored or not acted upon effectively. In the months leading up to the attack, the system generated alerts indicating potential malware, which were never escalated. Invest in monitoring tools to detecting anomalies and potential threats. The technology itself is not enough, as organizations need their staff fully trained to analyze and act upon alerts immediately. Automated response systems that can isolate threats before they propagate may be effective here.
Response to External Warnings
The FBI warned Suffolk County about suspicious activity in June 2022, yet the county failed to act decisively. This ignored warning likely contributed to the success of the ransomware attack months later. Never ignore or delay responding to warnings from external agencies such as the FBI, CISA, or other cybersecurity experts. Municipal governments should have a direct line of communication with federal and state cybersecurity entities and respond to any threat intelligence they provide.
Audit IT Infrastructure for Vulnerabilities
The vulnerability that led to the Suffolk County breach was linked to Log4j, a well-known vulnerability in a widely-used open-source logging library. While Suffolk County had attempted to patch the issue, remnants of the vulnerability remained unaddressed. Conduct thorough audits of all IT infrastructure, with a focus on patch management. Implement automated patch management systems to ensure that vulnerabilities like Log4j are addressed across all departments. Penetration testing and vulnerability assessments will also help identify weak spots in the network before cybercriminals can exploit them.
Educate and Train IT Personnel
Interviews from the report revealed that Suffolk County’s IT security team lacked sufficient training, leaving them overwhelmed by the volume of alerts. A lack of training in tools such as Palo Alto’s Cortex left threats undetected.Municipal IT staff should undergo education and training on cybersecurity technologies and best practices. Certification programs and vendor-specific training can allow teams to manage security platforms and respond to incidents with confidence.
The Suffolk County ransomware attack reminds us of the importance of cybersecurity measures in municipal governments. Applying basic principles like appointing a CISO, enforcing audits, establishing response protocols, and providing continuous training is how local governments can protect themselves from the threat of cyber-attacks.
Image credit: Andrey Popov, AdobeStock