City of Durham Restores Core Business Systems within 5 Days of Cyber Attack
City of Durham
After having city operations severely compromised by a cyber attack in 2009, the city of Durham, NC took measures to institute cybersecurity training and protocols. These measures greatly strengthened the city’s response to a 2020 attack and aided in speeding up its recovery time.
General Fund/Existing Public Funds
State and local grants
Operational since 2020
A 2009 cyber attack led Durham, NC to develop new systems and policies that would prevent future attacks affecting the city's operations.
As cities become smarter, the data they generate is both a strength, allowing cities to improve service quality, and a vulnerability.
One major reason cities have become targets for these attacks is that many of the underlying technologies running their critical infrastructure are outdated. More than 70% of all reported ransomware attacks in the U.S. target state and local governments, with at least 170 county/city and state government systems impacted by ransomware attacks since 2013.
Durham, North Carolina, is one such city that was impacted by an attack. The attack, in 2009, targeted the public-school system and shut down multiple systems managing student grades, phones and other networks for three months. Even after the systems were back online, the attack reduced the functionality of the school system for months and it took thousands of hours to recover information.
Durham officials knew systems and policies had to be developed and put in place to prevent a future attack from having the same disastrous consequences on the city's operations.
The city established a new cybersecurity framework and partnerships with the FBI, the state of North Carolina National Guard, and the MS-ISAC.
In the wake of the 2009 cyber attack, the city of Durham worked diligently to create new policies, procedures and plans to make sure an incident like the one in 2009 never occurred again.
Along with receiving funding for security enhancements, some of the planning and preparation included:
• Allocating a greater share of technology services budget to cybersecurity
• Performing security audits
• Establishing cybersecurity insurance
The school district and elected leaders established a cybersecurity framework complete with context, leadership, evaluation, compliance, audit, review, and media plan. They also established partnerships with the FBI, the state of North Carolina National Guard, and the MS-ISAC (Multi-State Information Sharing & Analysis Center).
The opportunity to test the new defenses came in March 2020, when the city became the target of an attack by ransomware called Ryuk. The ransomware gets into networks when someone opens a malicious email attachment and then spreads across network servers. It appears that employees of Durham governments, at the city and county level, separately clicked on links in an email. The virus was targeting their fleet vehicle network, and trying to jump to other agencies. DeWayne Kendall, deputy director of Technology Solutions for the city of Durham, was worried.
“We were on our way to being in the newspaper,” he said.
Protective systems detected the malware very quickly and alerted IT staff, who responded by taking networks and phone systems offline to contain the damage. City staff also reached out to partners at MS-ISAC, whose mission is to improve the overall cybersecurity of state and local governments. The MS-ISAC connected them with staff in Allentown, Pennsylvania, who had just experienced a similar attack, to try to diagnose and identify the attack.
While employees were trying to identify the attack, it became clear that the preventative measures Durham had put in place were effective. One of the biggest steps Durham had taken to protect against cyberattacks was backing up its data to the cloud every two hours. Because of this safeguard, the backups for the data center were untouched by the ransomware attack.
This time, instead of taking months to diagnose and identify the attack, they were able to do it in hours. The city's core business systems were back online within 5 days of the attack. Once the attack was shut down completely, the city took less than two weeks to eliminate reinfections of the system.
The city's core business systems were back online within 5 days of the attack.
Total recovery from the attack took two weeks, compared to 3 months after the 2009 incident.
City officials, such as the CIO, CTO, and vCISO, hold meetings three times a week to discuss the ever-changing security landscape, security strategy, and new tools.
Full system functionality was quickly restored without a ransom being paid.
Steve Schewel, mayor of Durham, N.C., was selected to testify at a US Senate Meeting on Cybersecurity, based on his city’s response to both cyber attacks.
Who Should Consider
Cities and towns looking for best practices to proactively strengthen cybersecurity defenses.
Last Updated: Mar 22nd, 2022