Investing in workforce training and education will go a long way in stopping attacks that target state and local agencies, a cyber expert said.
As cybersecurity attacks grow more sophisticated and technologies allow more remote access, it’s critical that state and local agencies ensure their employees can spot and report potential attacks before they spread laterally through the network, an expert said.
With limited resources to protect themselves, smaller governments and municipalities are relatively easy targets for nation-state actors and criminal organizations, Cyber Florida Associate Director Ernest Ferraresso said during NextGov and Route Fifty’s Perimeter Redefined event on March 23.
Oftentimes, attacks are geared toward disrupting critical infrastructure components like water treatment plants, transit networks and other facilities that use industrial control systems. Cybersecurity experts recommend keeping these systems separate from IT infrastructure, but such measures may require large investments in fiber, a challenging prospect for budget-strapped entities.
On top of this, many industrial control systems at the state and local level run on custom software, which often does not receive the same level of maintenance and support as other IT or operational technology (OT) systems, Ferraresso said. As agencies look to improve efficiency by connecting more systems to the internet, they will have to be more vigilant against cyber-physical vulnerabilities, he said.
“You have to pay attention to what is actually connected to the internet and … what assets you already have and where they are on your network,” Ferraresso said. Agencies should understand all the physical and logical controls on both internal and external networks that help separate those entities, he said.
While he acknowledged that some convergence of IT and OT is beneficial, especially for expediency and remote access, Ferraresso reiterated that cyber-physical vulnerabilities will surface. Some attackers have been entering networks through a phishing scam and then moving laterally through them.
Attacks such as these, sometimes called east-west attacks, bypass firewalls that detect threats from the broader internet. Most security teams devote their resources to protecting their perimeter, but this approach leaves networks vulnerable to attackers who trick users into granting them access.
“You often hear the phrase that humans are the weakest link. I'd like to shift that narrative to humans being the first line of defense,” he said. “We have to invest in people, in the training, education and awareness of all the staff, not just the staff that are operating those specific technologies.”
Making education and training a priority can go a long way, Ferraresso said. Several high-profile incidents started as phishing emails sent to staff members. In 2021, Albuquerque, N.M., fell victim to a phishing scam that almost cost the city $1.9 billion. Residents in Illinois were targeted by identity theft scammers who posed as members of the Department of Transportation and asked recipients to validate their name, date of birth and Social Security numbers. Recently in Texas, fraudsters attempted to trick residents into paying for parking through fraudulent QR code stickers on public parking meters.
“I don't think we can underestimate the importance of building a secure workforce, in that people take security seriously across all aspects of the organization,” Ferraresso said. “So, invest in training and look out for your people. That is one step [agencies] can take today.”