Spring is a time for hope, so I want to be hopeful here. But we also don’t want to be irrelevant Pollyannas. So my “hope” at the moment is that our HPAC audience is paying attention to what happened in Atlanta last month, and what may be happening in their neck of the woods very soon, if not already.
In short, a major American city with 8,000 municipal employees and the world’s busiest airport was held hostage for a week by a ransomware cyberattack that shut down city websites, blocked e-mail communications, stifled services and even cut off free Wi-Fi for travelers. And the ransom demand was ingeniously smaller than the cost of a criminal investigation: $51,000, payable only in Bitcoin. A March 28 headline in The New York Times hinted at the event’s significance: Cyberattack Hobbles Atlanta, and Security Experts Shudder.
At press time, as local and federal law enforcement authorities continued to investigate, the city had not admitted whether or not it paid the ransom. But city employees were once again working at their computers, and Atlanta was largely back to normal. Still, which community will be next?
In recent months, “digital extortionists” have visited the suburbs of Dallas, Denver, Birmingham AL, and Albuquerque NM. “The assault on Atlanta’s computers is a vivid example of the perils local governments face in the internet age,” noted the Times. “They are seen as more vulnerable than private businesses, both in their technology and in their limited ability to tolerate system failures and down time.”
Think about that...
If you are an HVAC contractor working for a local municipality, or school district, your cybersecurity defense systems likely are better than theirs. That should give pause to quite a few of you. In other words, if you are not the weak link in any cyber business chain that you may be part of, then you may actually be working for the weak link, and therefore, just as vulnerable. So, what to do?
Well, don’t despair. But do act.
As cybersecurity expert and keynote Nick Espinosa told the MCAA Convention in San Antonio last month, “If I am trying to hack a massive corporation, I am going to go through the HVAC company, the plumbing company, or anyone with access that does not have a cyber defense strategy as effective and as expensive as the massive corporation’s. Hackers are always going to exploit the easiest way to get into a network.”
Is that you? Recall that it was a mechanical contractor that was the weak link in the epic Thanksgiving Eve breach of Target Corp. in 2013. That event ultimately exposed more than 70 million customers to hackers and caused the owner to pay $18.5 million in damages to 47 states attorneys general just last May.
Unfortunately, that was a wake-up call that not many in our industry heard. But the message is even louder today. As our own cybersecurity columnist Michael Chipley noted earlier this year, “All DoD contractors and vendors are now required to have a Cyber Risk Management Plan in place for their IT business systems… Are you ready?”
Answering ‘Yes’ to that question does not have to break the bank, but it does require common sense proactive measures that can no longer be put off.