Support 416-591-6711 option 1 or Email Us

Smart Cities Come to a Grinding Halt

Wed, 29 May 2019

It has been two weeks and counting since a ransomware attack crippled the City of Baltimore’s government systems. System by system, city government agencies realized there was a problem when first email, then phone lines, followed by utility payment processing sites, all became inaccessible. No one knew why. Then a ransom message appeared on the network.[i] 

Smart Cities Come to a Grinding HaltIn the ransom message, a cyber threat actor demanded payment of three bitcoins per system (a combined value of approximately $23,600) or thirteen bitcoins (roughly $100,000) for the release of the entire network. The city was warned that if it failed to pay within four days, then the price would increase, and after ten days, the data would become inaccessible.

The hackers wrote, "We've watched you for days and we've worked on your systems to gain full access to your company and bypass all of your protections.” Then added for dramatic effect, "We won't talk more, all we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”[ii]

The ransom note also warned the city against calling the authorities, saying that action would prompt the attackers to cut off all contact. The note also claimed that attempts to use anti-virus software would damage the city’s ransomed files and that the procedures were automated, so there was no room for negotiations. 

City officials chose not to pay the ransom. Their systems are still down. 

It is the second cyber attack to strike Baltimore in the last two years. The previous cyber attack knocked out its emergency 911 and 311 dispatch system for one day. A little over one year ago, Atlanta, Georgia, was impacted by a similar breach and ransom demand. Recovery from the hack was reported to cost Atlanta $17 million.

Atlanta, fortunately, had cyber-insurance, which helped the city pay for its digital recovery. Baltimore didn’t have such a policy in place before this attack.

Baltimore Cyber Attack After-effects

  • The cyber attack halted home sales, delaying more than 1,500 home transactions because the city is rendered unable to notify insurers of whether the sellers have any unpaid liens.
  • Citizens are unable to pay their water bills, property taxes and parking tickets online.
  • 10,000 Baltimore government computers are locked, leaving employees with no email and grinding work processes to a halt.

The ramifications of the latest attack will be felt by the city for a long time to come. Cybersecurity expert and Computer Science Professor at Johns Hopkins University in Baltimore, Aviel Rubin, gives a conservative estimate of months before the government systems are up and fully functional. "It's clear the system was vulnerable," he adds.[iii]

Professor Emeritus at the University of Maryland, Baltimore County, Don Norris, said that Baltimore’s repeat victimization underscores how municipal governments are struggling in the fight to keep networks safe. Norris illustrated, “You’ve got increasingly sophisticated and very persistent bad guys out there looking for any vulnerability they can find and local governments, including Baltimore, who either don’t have the money or don’t spend it to properly protect their assets.”[iv]

Municipal Victimization Closer to Home

Municipal governments close to home have been similarly affected over the past few years. In 2018, there was an outbreak of cyber attacks aimed at Ontario municipal governments. These, like the Baltimore incident, were ransomware attacks where hackers demanded ransom money to be paid to unlock compromised systems. The OPP warned government bodies to be vigilant in guarding against what they deemed a “recent trend.”[v] "In recent months, there have been several ransomware attacks on businesses and municipal government offices within Ontario," wrote the Ontario Provincial Police.

In Midland, town officials discovered that many of the municipality’s servers had been compromised and locked down by a hacker. According to Mayor Gord McKay the cyber attack crippled Midland's financial systems. A few months prior, a similar attack occurred in neighbouring Wasaga Beach. 

Baltimore, Atlanta, Midland and Wasaga Beach’s experiences all suggest that an emerging industry around municipal government cyber attacks is escalating. Mayor McKay stated that he's heard from municipalities both inside and outside of Ontario who've experienced similar cyber assaults. "It's happening a fair bit out there, but obviously people don't like to talk about it," McKay said. "There's an industry being built up about it, both on the bad guys' side and also on the recovery side."[vi]

Smarter Cities Need Smarter Security

Smart cities’ potential is only matched by the potential danger of intelligent threats. The most concerning aspect of Baltimore’s cyber attack is that this city has yet to integrate much of the smart technology that is beginning to transform the utility and sustainability of many urban landscapes. However, even with basic networking technologies in place, ransomware was able to bring Maryland’s largest city's government to a virtual halt impacting the 600,000 plus residents who call Baltimore home. Imagine how catastrophic this incident could have been if traffic and transportation systems and utility delivery was connected to a corrupted smart city system.  

Smart cities function on a technological foundation, making them more capable and more susceptible because digital infrastructure can be attacked or hijacked in numerous ways. According to a CenturyLink 2018 threat report, areas that have fast-growing IT networks and infrastructure remain the primary source of cybercriminal activity. CenturyLink tracks threats and estimates that 195,000 instances occur every day.[vii]

The scale and intricacy of smart cities make them particularly vulnerable to cyber attacks. The massive array of interconnected systems makes weak endpoints and network oversights almost inevitable, a problem that is compounded by a reliance on unsecured IoT devices. 

As cities move towards more connected infrastructure, civic leaders need to make cybersecurity a priority. Smart cities need to be built on a foundation of technology and around a culture of cybersecurity.[viii]

Start by Building a Smarter Workforce

Many cities rely on a workforce made up primarily of trade professionals and administrators. In the past, city governments haven’t needed a large IT department or network specialists. Given the requirements of the smart city, that has to change.

A survey of government officials showed that 40 percent were worried that a lack of technical talent would hold back their smart city initiatives.[ix] In a smart city, IT professionals will need to do everything from managing databases and citywide cybersecurity to maintaining smart roads. If cities hope to make progress both rapidly and carefully, they will need to begin educating the current workforce and adding specialized additions.

Partner with Experts

The job of securing smart cities can't rest on the cities alone. The job is enormous, and it makes much more sense to work cooperatively with a variety of expert partners and stakeholders. Coordinating cities with state and federal governments and with private companies will assist with addressing threats and boosting cybersecurity.

As smart devices spread and cybersecurity vulnerabilities appear more abundant, it's vital that the cities being built —no matter how smart—are cyber-secure as well.

 

 

 


‹ Back