Municipal systems are often vulnerable to attack. Just ask Lowell
Members of the Massachusetts Army and Air National Guard Cyber Team were in Tewksbury earlier this month as part of the DoD’s Innovative Readiness Training (IRT) program. Four members of the Guard’s cyber force spent two weeks working with Tewksbury’s IT staff assessing the town’s security readiness.
Photo credit: Sgt. 1st Class Steven Eaton
IRT is a longstanding federal program that benefits both military readiness and communities. Service members undertake projects to train for their wartime missions while supporting cities and towns by, for example, building a road or providing medical assistance to underserved populations. About five years ago, the Department of Defense included cyber in IRT.
“When they did that, I started working on the program while I was still in the Guard, to figure out how we could leverage this for municipalities,” said Select Board Vice Chair James Mackey, a veteran and cybersecurity professional.
As a result, Tewksbury was first in line to receive the assessment service and a proving ground for its viability.
“It literally took three and a half years to get it here,” said Mackey.
The four service members who took part in the Tewksbury exercise spent their annual two-week active duty deployments performing vulnerability assessments on both IT and OT systems; the latter includes the hardware and software that monitors and controls operational devices, such as the town’s water treatment plant or electricity grid.
“They did a review of incident response plans as well as the cyber program and a simulated attack,” said Mackey.
Overall, the town is in solid shape from a security standpoint.
“There weren’t really any surprises for me,” he said. “We have all of the standard technical controls and protection measures. There were no showstoppers, no major concerns.”
Given that there are 351 cities and towns in Massachusetts and only about 50 cyber soldiers and airmen in the state, it’s clear that the program can’t cover all needs. And often, municipalities are at a disadvantage when it comes to hiring. There are approximately 700,000 unfilled cybersecurity jobs in the United States, and that demand is driving up wages — and pricing out many towns.
Meanwhile, threats are increasing. The City of Lowell announced earlier this summer that it experienced a ransomware attack. Municipal systems ground to a halt, and a huge cache of sensitive information was released. The Sun reports that more than $1 million was allocated just to purchase identity theft protection for current city and school employees impacted by the breach — and that’s before any of the huge costs to recover systems and data.
Mackey says the state is aware of the problem and is standing up resources, such as the MassCyberCenter, which has as its mission bringing together state and local officials and private-sector experts to make systems more secure, while also assisting with cybersecurity workforce development and improving access to resources.
“And then you have organizations like CyberTrust Massachusetts that just launched to provide education and regional security operations centers,” he said. The problem is, it can be difficult for a small city or town to take full advantage of those resources.
“A lot of them don’t know what to even ask,” he said. “IT professionals are not by default cybersecurity professionals, so how do they build programs, policies and procedures? Are they doing regular assessments for compliance? The answer for most municipalities I’ve seen is, no.”
To help bridge that gap, Mackey joined with other experts to launch a nonprofit, the Municipal Cyber Association, or MCA, that works to enable communities to take advantage of the resources that are available.
As to next steps for Tewksbury, the Massachusetts Army and Air National Guard cyber soldiers delivered a report to town staff with recommendations. Tewksbury also launched a successful cyber security internship program that takes technically proficient high school students and trains them on a specific set of tasks that add a lot of value to the town. The first participant, Cian Dawson, just worked part time for the summer before heading off to college.
“The feedback was glowing,” said Mackey of Dawson. “Last year was the proof of concept. I hope that we can expand on that and maybe bring in two interns next year.”
Mackey is also working on having Tewksbury host another, expanded, Municipal Cybersecurity Summit. In 2021, about 50 attendees from more than a dozen local towns and municipal organizations gathered at the Tewksbury Public Library to learn how to protect assets, such as email servers, citizen records, social media accounts and public-facing websites.
In fact, the MCA nonprofit was a direct outcome of that conference.
“We realized that everyone had the same issues and learned where the gaps were,” he said, “So we circled the wagons and found people who were interested in helping solve the problem.”
Security professionals who are interested in helping keep their communities safe can provide services through MCA and get continuing education credits to maintain their certifications. Learn more here.