Targeting Public Services: How Municipalities and Gas Pipelines are Vulnerable to Cyberattacks

While the Facebook / Cambridge Analytica scandal has captured the public’s attention, two significant attacks on the City of Atlanta and natural-gas pipeline operators illustrate risk to fundamental human services, including law enforcement and consumer energy.

On March, 22 2018, the City of Atlanta reported a ransomware cyberattack on government network servers, including servers hosting data for the Atlanta Police Department, preventing government employees from accessing information necessary to perform their duties. In particular, the police department was effectively handcuffed, and unable to access evidence relating to criminal investigations, or to assist citizens in recovering seized property. While the city’s information management team is hopeful that it will restore all interrupted data, the attack has caused, at the very least, a short term interruption of services.

Four of the nation’s natural-gas pipeline operators also fell victim to a separate incident earlier in April 2018, when a shared data network was attacked by unidentified hackers. The network attack forced the operators to temporarily shut down all customer communications and transactions for a period of time. While the attack did not interrupt gas service, the vulnerability of entities providing critical services raises significant questions regarding overall company security. It is unknown whether customer data had also been stolen during the attack.

Even before these most recent attacks, the federal government has been aware of the growing risk of web-based threats to our energy supplies. In March 2018, the Transportation Security Administration (TSA) issued Pipeline Security Guidelines applicable to “operational natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, and liquefied petroleum gas operators” among other pipeline operators. The TSA recommends that each pipeline operator establish a risk-based corporate security system to address and document the operator’s “policies and procedures for managing security related threats, incidents and responses.” The Pipeline Security Guidelines contain a number of recommendations for pipeline operators.

Resources are available for small business operators as well as large corporations. For example, the Federal Communications Commission (FCC) issued a Cyber Security Planning Guide, “a tool for small businesses to create customized cyber security planning guides.” As the number and scope of cyberattacks continue to increase, savvy business owners are wise to implement a cybersecurity plan to protect themselves and their customers.