Andrew Afflerbach, PhD, P.E.
CEO & Director of Engineering
A high-profile “ransomware” cyberattack on Atlanta’s city network last month brought attention to the need for municipalities and other public agencies to understand and take steps to mitigate risks to public networks caused by malicious attacks or natural disasters. Our new “Network Resiliency and Security Playbook” details strategies and best practices for doing just that.
While it is not possible to mitigate all risks—and high levels of protection generally come with higher costs—local governments and agencies can cost-effectively protect their networks by first taking key steps to ensure proper system design and resiliency, and then following best practices to maintain physical and data security.
The National Institute for Hometown Security (NIHS), under a contract with the U.S. Department of Homeland Security’s Office of Infrastructure Protection (DHS/IP), commissioned CTC to write the playbook. The report draws on both independent research and our experience designing and engineering resilient and secure communications infrastructure for public sector clients nationwide.
As our report details, protecting a network against threats requires:
- Ensuring that strategic planning processes take resiliency and security into account, and that decisions are made based on lifetime costs.
- Working regionally by developing formal or informal consortia for information sharing, joint procurement, best practices, and joint exercises.
- Building segmentation and resiliency into infrastructure, such as through virtual separation of different kinds of communications according to sensitivity, departments, or users.
- Making use of widely available security education resources, such as those available from DHS.
- Training for emergencies—both internally (by department or government) and with regional counterparts.
- Developing procedures to back up and restore compromised systems, and having redundant systems and plans in place should the primary system fail.
- Hiring and training appropriate staff (especially individuals who have significant experience with similar infrastructure) and keeping information security functions separate from IT functions.
Some best practices are relatively straightforward and perennial. They include ensuring that software undergoes routine security updates, that data are regularly backed up, that redundant power supplies are in place, and that public agencies have the capacity to manage these processes. But the report is also meant to address larger strategic and organizational issues, and to provide practical, actionable, and cost-effective strategies.
In all cases—and as our report explains—it is incumbent on the government agencies operating or overseeing the networks to understand the benefits and limitations of available solutions, and to properly specify hardware, software, and services.
Read the full report here.