The Colonial Pipeline ransomware attack was a jarring reminder that organizations providing critical infrastructure and services to the public could easily be the next target. Ransomware operators have long targeted industries such as energy, healthcare, education and government. The incident underscored how organizations in these sectors and others are vulnerable to ransomware attacks that can not only shut down their operations, but also adversely impact citizens.
Preparing for an inevitable cyberattack should be a high priority for public entities, like state and local governments, because this threat isn’t going away. Ransomware operators have been especially busy during the COVID-19 pandemic and are seeing lucrative returns from their exploits. According to the 2021 Ransomware Threat Report from Palo Alto Networks Unit 42, the average ransom paid by organizations in the U.S., Canada and Europe increased from US $115,123 in 2019 to US $312,493 in 2020. That’s a year-over-year increase of 171%.
When crafting an actionable incident response plan for a ransomware attack, state and local government organizations need to consider what the broader impact to society would be if the system or service they provide isn’t available for an extended period.
That requires state and local governments to ask, “What is the business of government?” More than likely, the answer isn’t IT, which is why IT alone can’t develop an incident response plan. IT must work closely with the business to answer other vital questions:
- What are the different departments that our organization supports (e.g., utilities, emergency services, transportation systems)?
- What are their dependencies?
- What are their tolerances for risk?
- What is their tolerance for downtime?
- Who is the “principal” responsible for each of those departments?
Determining the “who” of incident response is a must, even within the state or local government organization itself. It falls under the process of defining the incident response roles and responsibilities:
- Aligning the core IT team for incident response and the trusted third-party vendors that might be called in to provide support.
- Determining who has authority on decision-making outside of IT to communicate the status of a security incident.
- Identifying other external parties that need to be involved, including cyber insurance providers, outside counsel and public relations teams.
Before a state or local government gets to the point of defining roles and responsibilities for incident response, it needs a charter that will set everything in motion and serve as a foundation for building an effective response. This needs to occur early in the process, as part of gathering leadership buy-in and commitment for developing the continuity of operations plan (COOP) itself.
The IT organization, in cooperation with the departments, creates the charter to establish a formal incident response team, which outlines the team’s mission statement and goals, among other things. In addition to the charter, an effective incident response team should have a set of authorities signed by executives, which will allow them to align the resources and cooperation they need to execute their mission.
From there, IT and the departments should define how the organization will respond to specific types of incidents (e.g., ransomware, DDoS, data breach). What types of attacks are most concerning and could interfere with the business of the government? At what point is an attack considered severe enough that others must be notified, such as regulatory authorities, the FBI and constituents?
Training and testing are also core components of an effective incident response plan. This includes conducting tabletop exercises designed for the public sector that simulate incidents, such as ransomware attacks, that these organizations are most likely to face in the current threat landscape. In addition to building security awareness among employees, business owners should be educated on the risks to their specific departments and understand their role in incident response.
It’s critical that the government is prepared for the inevitable cyberattack. It isn’t a question of “if” but “when.” The government sector is a prime target for ransomware operators looking to create disruption and profit from it. Several ransomware variants discussed in Unit 42’s recent report are known to target government entities. The operators of one variant, DoppelPaymer, count state and local governments among their victims, and their ransom demands are also relatively high.
While cyber insurance can help cover ransomware payments, many insurers are now expecting their clients to show that they’re taking measures to protect themselves from this well-known threat. They want to be confident an actionable incident response plan exists. Like fireproofing a building, these plans and controls can help reduce damage and loss, while ensuring quicker recovery even if a fire remains inevitable.
Is your state or local government operation ready to meet the challenge of a ransomware attack? Learn how Palo Alto Networks can help your organization become more effective at threat responses and more resilient following an attack, starting with our Ransomware Readiness Assessment.