Reducing Cyber Security Concerns for the Small City – Part 1

Reducing Cyber Security Concerns for the Small City – Part 1

What does it take to run a small city these days? Budgets, staffing, and maintenance of city facilities are always a concern. However, we would like to point out a few things related to reducing cyber security concerns and how city administrators and city councils can push their IT staff, IT vendors and Public Works vendors toward reducing these concerns.

Concern #1: Are critical public works control systems connected to the public Internet?

We’ve seen many cases where a public works vendor mistakenly connects critical control systems of water treatment plants, electrical generation plants, and water distribution systems to the public Internet – all without the city’s knowledge.

If your public works employees have “remote access” to any of the city’s systems, then you know those systems are connected to the Internet, but are they connected to the public Internet?

To determine this, you must ask them to document your city’s configuration (preferably in a flowchart making it easier to understand) and look for places where a system is connected to the Internet. The most secure configuration is to have no connectivity from control systems (typically called SCADA systems) to the Internet. To gain remote access functionality for staff members, either proprietary remote access systems or “jump box” configurations are typically deployed. These remote access systems typically include multi-factor authentication and VPNs, making it difficult for a bad actor to break into a SCADA system.

Finally, even if you configure a completely secure remote access solution, the solution should be configured to allow remote access to as little as possible. For instance, maybe you allow remote access to a lift pump and opening/closing a valve only a certain percentage, not completely on/off – reserving on/off for only when the employee is in person at the lift pump.

Concern #2: Is your Police Department CJIS Compliant?

If you have a police department, does the chief have a security plan, and is the plan CJIS compliant? Becoming and staying CJIS compliant is a constant challenge, but with a plan and a good team, it is possible to maintain CJIS compliance.

We’ve seen many small-town police departments good at maintaining compliance as to the access to FBI databases and other electronic systems, but outside of that, they seem to be less responsive to completing the other steps necessary to maintain security of the CJIS system.

Here are a few steps the city council can do to keep CJIS compliance top of mind.

  • Ask city administration for the audit results for CJIS compliance. If they don’t have audit results, that is a place to start.
  • Each state has a CJIS coordinator at the state level, then each police department or entity having access to CJIS data is under that state coordinator. Don’t be afraid to ask the state coordinator for help. They want to help you become CJIS compliant (or maintain CJIS compliance). They have lots of good ideas to help you along with your program.
  • If you are in a city with a police department and assist with managing the IT aspects of the PD (if you are a city employee or IT vendor), read and understand the annually updated FBI CJIS standards. They are easy to understand and loosely based on NIST security standards with add-ons specifically designed to maintain CJIS data security.

In part two of this two-part post, we investigate three additional concerns city administrators and city councils have concerning cyber security.

What are you working on? As always, we’re here to help.