Hamilton cyberattack shows municipalities need to shore up digital defences: expert

By Paola Loriggio

A recent ransomware attack that knocked out several online services in one of Ontario’s largest cities has brought into sharp focus the need for municipalities to have a plan to respond to what’s become an unavoidable – and increasingly sophisticated – threat, a top cybersecurity expert said.

The breach in Hamilton is the latest example of the seriousness of such cyberattacks, which have increasingly targeted municipalities in recent years, said Charles Finlay, executive director of Toronto Metropolitan University’s Rogers Cybersecure Catalyst.

While Hamilton’s critical services have not been affected, cyberattacks on municipal networks can lead to dangerous situations if they tamper with emergency, water and wastewater systems, Finlay said in an interview.

Municipalities of all sizes are being targeted because they often hold large amounts of data that can be leveraged to extort significant ransoms, he said. Those behind the attacks also know municipal services are important to residents and governments can’t afford to be offline for long, he said

Every municipality needs to establish “how they will respond to that kind of crisis,” Finlay said, stressing it’s not something that should be improvised once the damage is done. Governments also need to beef up training for staff to ensure they follow best practices such as two-factor authentication, regular software and password updates and not clicking on links in emails from untrusted senders, he said, noting breaches can often stem from employee mistakes.

“It’s no longer a question of if a municipality is going to be attacked – it’s only really a question of when they’re going to be attacked,” Finlay said.

“I would urge us all to recognize that these attacks on municipalities are a wake-up call and we really need to do more now, before we have even more dangerous situations emerge.”

Officials in Hamilton said last week that they have engaged experts, insurers, lawyers and others in their efforts to restore the city’s systems following the Feb. 25 attack, though no timeline has been set.

Systems used for online payments or licence applications have been affected, and municipal staff are processing routine transactions manually or accepting cash wherever possible, they said. An investigation is also underway to determine if any personal information was accessed or compromised.

Over the weekend, Hamilton’s website was down “due to precautionary system changes made by staff in response to the ongoing cybersecurity incident,” the city said on social media. The main site was back up Monday morning, but two related sites were still out of commission.

Hamilton’s city manager, Marnie Cluckie, declined to say whether the city had paid a ransom related to the attack, or explain what it is doing to shore up its digital defences.

“The cyber criminals are sophisticated. We cannot divulge information that could be useful to them. This includes, for example, what we are doing to protect data and our systems. It also includes not discussing specific ransom demands in public nor our decision criteria for such demands,” she said in an emailed statement last week.

“Once systems are up and running again, the city will conduct a full review to identify where changes and improvements may be needed and to help prevent a similar incident from happening in future.”

The Hamilton breach comes on the heels of similar attacks on two city-owned institutions in Toronto: the public library and the zoo, two incidents that exposed sensitive employee information. The library’s system was affected for months.

The three recent cyberattacks stirred pangs of sympathy in Dan Mathieson, the former mayor of Stratford, Ont., which was hit by a ransomware attack almost five years ago.

It took the southwestern city about two weeks to restore full service on its systems after hackers installed and activated malware on several of its servers in April 2019. The city also paid about $75,000 in ransom, and included those costs in its cyber insurance claim, it said at the time.

The insurance company set out cybersecurity standards that the city had to meet in order to stay covered, Mathieson said in a recent interview. It also helped lay out a path for them following the breach, he added.

“If I was to look five years from where we were to where we are today, awareness (of cyber threats) is much higher” among elected officials, municipal staff and the public, said Mathieson, who chose not to seek re-election in 2022 after nearly 20 years in office.

“Municipalities are finally realizing we need to do far more work in that area.”

The provincial government has also given the issue more attention, though both Ontario and Ottawa should do more to support municipalities, Mathieson said. One of the options to consider would be provincial or even federal cybersecurity standards, alongside necessary funding, he said,

“It is a national security risk. Our water systems, our wastewater systems, our hydroelectric power grid – all of this is run at local levels, but has national and international implications if there is a problem,” he said.

In a report released in the fall of 2022, Ontario’s Cybersecurity Expert Panel said cybersecurity initiatives in the broader public services sector were moving forward without a centrally co-ordinated strategy or model. The panel suggested the province “reinforce existing governance structures to enable effective cybersecurity risk management” across the broader public services sector.

The Association of Municipalities of Ontario, meanwhile, released a set of best practices for members, urging them to approach cybersecurity policies and protocol as an “expansion to emergency preparedness.”

“Just as municipal governments routinely prepare plans for the continuity of operations in the event of a natural disaster, they must also prepare plans to restore critical computer systems and networks as quickly as possible in the event of a cyberattack,” the document said.

Municipalities should conduct a comprehensive risk assessment across all departments to identify potential risks, then create “actionable and appropriate solutions to address weaknesses in their system and direct resources to bolster security,” it said.

The organization is holding a cybersecurity workshop for municipalities in partnership with the Rogers Cybersecure Catalyst later this month.

This report by The Canadian Press was first published March 11, 2024.