New York State Comptroller reports on cyber attacks that have potential to shut down critical infrastructure systems

New data released by the New York State Comptroller identify cyberattacks as a serious threat to America’s critical infrastructure, one that can adversely impact day-to-day lives. Cybersecurity incidents in New York rose 53 percent between 2016 and 2022, jumping from 16,426 incidents in 2016 to 25,112 in 2022, with ransomware and data breaches third highest nationwide over six years. Estimated losses in New York from cyberattacks in 2022 totaled over US$775 million, while losses nationwide totaled $10.3 billion in 2022, seven times greater than in 2016.

“Cyberattacks are a serious threat to New York’s critical infrastructure, economy, and our everyday lives,” Thomas DiNapoli, State Comptroller, said in a media statement. “Data breaches at companies and institutions that collect large amounts of personal information expose New Yorkers to potential invasions of privacy, identity theft, and fraud. Also troubling is the rise in ransomware attacks that can shut down systems we rely on for water, power, health care, and other necessities. Safeguarding our state from cyberattacks requires sustained investment, coordination, and vigilance.”

In an accompanying report, titled ‘Cyberattacks on New York’s Critical Infrastructure,’ DiNapoli added that data breaches expose New Yorkers to invasions of privacy, the possibility of identity theft, and other types of fraud. “Even more troubling are incidents such as ransomware or distributed denial of service attacks that have the potential to shut down systems that we rely on for water, power, health care, and other necessities.”

The report detailed that in New York State from 2016 to 2022, complaints for business email compromise (BEC) attacks grew the most, by 91 percent. Relative to other states, New York had the third highest number of ransomware attacks (135) and corporate data breaches (238) in 2022, trailing only California and Texas for ransomware attacks and California and Florida for corporate data breaches.

The New York State Comptroller report disclosed that the three most attacked critical infrastructure sectors through ransomware and data breaches in New York were healthcare and public health with nine attacks, financial services with eight attacks, and commercial facilities and government facilities, tied at seven attacks. It added that preliminary figures from the first six months of this year (through June) show that attacks on critical infrastructure in New York have already nearly doubled, from 48 in all of 2022 to 83 in the first half of 2023.

Securing critical infrastructure from cyberattacks will require sustained investment, coordination, and vigilance. In 2022, the Governor appointed a state chief cyber officer to lead cross-agency efforts to combat cyber threats and improve the state’s critical infrastructure assets’ cybersecurity. 

The cyber chief leads a newly created Joint Security Operations Center, a multi-agency cybersecurity coordination hub linking New York state, New York City, local and regional governments, critical infrastructure stakeholders, and federal partners for information sharing, cyber threat detection, and incident response. In August, the Governor released the first statewide cybersecurity strategy, which will allow the state to access new federal funding.

The federal Cyber Incident Reporting for Critical Infrastructure Act of 2022, for which rules and regulations are being developed, will require cybersecurity reporting for critical infrastructure sectors. The creation of a centralized repository of data breach reports from across the critical infrastructure sectors would also aid in identifying new attack vectors or exploits before they become widespread and in coordinating responses to emerging cyberthreats. Encompassing local governments in this database would be important.

When it comes to the protection of critical infrastructure, the New York State Comptroller report said that it is the responsibility of multiple layers of overlapping agencies, organizations, and regulatory authorities. “The requirements for effective cybersecurity are frequently established by regulatory bodies at the State and federal level. Law enforcement, primarily on the federal and State level, investigate crimes after they occur and issue alerts and warnings about emerging threats or patterns of attacks. Preventing cyberattacks typically falls to other specialized government agencies, as well as the owners of critical infrastructure (public and private).”

The report also pointed to timely and accurate reporting of cyberattacks and data breaches as important. “Without comprehensive reporting and tracking of incidents, the entities charged with protecting our critical infrastructure cannot respond, investigate, protect or notify affected parties.”

It also noted that robust reporting requirements are necessary for the protection of critical infrastructure, but that the value of the information collected through data breach reporting is limited if that information is siloed. Information sharing and collaboration among critical infrastructure owners, law enforcement, State and federal regulators, local governments, and other public and private entities is necessary for the collective protection of critical infrastructure.

In New York, the Office of Information Technology Services (ITS), the Division of Homeland Security and Emergency Services (DHSES), and the State Police work together to prevent and respond to cyberattacks. It is responsible for establishing standard security requirements and ensuring the reliability of the cybersecurity infrastructure for the State’s executive agencies.

The report pointed out that in August the Executive released the first statewide cybersecurity strategy to meet the cybersecurity plan requirement to access State and Local Cybersecurity Grant Program funding. “The strategy aims to coordinate the efforts of state, county, and local governments with the Federal government and private industry, to expand the scope of regulations, requirements, and recommendations to protect critical infrastructure, and to provide advice and guidance to empower New Yorkers to take part in their own security.”

The statewide strategy focuses on five areas: operating state government networks securely and resiliently by modernizing state networks and systems according to zero-trust principles and implementing multi-factor authentication; increased collaboration and support among state and local governments and federal agencies on cybercrime prevention and response; and development of the State’s cybersecurity workforce. It also included regulating critical infrastructure sectors to heighten their cyber defenses, and educating New Yorkers about cybersecurity by communicating guidance and advice to help them know what threats are present and how to protect themselves.

As part of the Infrastructure Investment and Jobs Act (IIJA) of 2021, the federal government announced the State and Local Cybersecurity Grant Program (SLCGP), committing $1 billion over four years to help states, local governments, rural areas, and territories address cybersecurity risks and improve their critical infrastructure resilience. Each state or territory that applies must establish a Cybersecurity Planning Committee and a Cybersecurity Plan.  

DiNapoli’s cybersecurity audits of state agencies and public authorities have found several common technical weaknesses and risks, such as entities’ misunderstanding of security risks, unsupported applications, unknown data on systems, poor access controls, and a lack of monitoring of changes to systems, among others. Recommendations are provided to each agency to enable them to begin corrective actions immediately to strengthen their networks.

The report also identified that the Enacted Fiscal Year 2023-2024 State Budget included $42.6 million to expand the State Police Cyber Analysis Unit and create a new specialized Industrial Control System (ICS) Assessment Team within DHSES. 

The funding is aimed at providing new hardware and software cybersecurity tools, and additional cyber personnel, for state and local government systems. It also included a new $500 million capital program to support upgrades to healthcare IT infrastructure. This builds on last year’s $61.9 million investment for cybersecurity in the State Budget, adding enhancements to statewide services and providing funding to help local governments bolster their cyber defenses.

The Office of the State Comptroller (OSC) works to help avoid cyberattacks by auditing and uncovering weaknesses in State, local government, and school district cybersecurity systems, and making recommendations intended to help protect against more sophisticated future cyberattacks.

In conclusion, the New York State Comptroller report identified that critical infrastructure is indispensable to the functioning of modern society, and understanding each sector’s significance, functions and associated risks is essential for effective preparedness, resilience, and response efforts. Securing this infrastructure from cyberattacks will require sustained investment, coordination, and vigilance.
