

CLOSING THE RANSOMWARE READINESS GAP
POLICY BRIEF

Objective
In 2023, the Florida Center for Cybersecurity (aka Cyber Florida) conducted a statewide analysis to assess the cyber-readiness of Florida’s critical infrastructure (CI) providers across 16 key sectors [1]. The study – which was conducted on behalf of the State Legislature in fulfillment of Appropriation 2944B [2] – offered several recommendations aimed at improving cyber-resilience within the state and protecting Florida’s people, property, and prosperity. Among these recommendations was a call to “close the maturity gap for basic ransomware readiness by 2025”. Since those recommendations were offered in July 2023, subsequent ransomware attacks against CI providers in Florida have led to data breaches and service disruptions across several critical infrastructure sectors, including healthcare, education, the judicial system, and essential government services.
In recognition of the substantial threat that ongoing ransomware attacks pose to Florida’s critical infrastructure, this Policy Brief provides a more in-depth summary of ransomware readiness among the state’s CI providers and proposes a comprehensive course of action through which the state can ensure that all CI providers meet the threshold for “basic ransomware readiness” by the end of 2025. Given the urgency of the issue, Cyber Florida strongly encourages state leaders to accelerate these efforts in 2024. In the pages that follow, this report provides (1) a brief overview of the ongoing threat that ransomware poses to the state’s critical infrastructure services, (2) an analysis of current vulnerabilities among Florida’s CI providers, and (3) recommendations for closing the ransomware readiness gap moving forward.
The Ransomware Threat
Ransomware attacks are among the fastest growing and most common cyber threats facing the United States today [3]. These attacks use specific forms of malicious software (malware) to access computer networks for the purpose of obtaining sensitive data or gaining control over critical systems. Having done so, attackers will typically hold these assets for “ransom,” demanding payments in exchange for relinquishing the illegally obtained data and/or control over sensitive systems. These network intrusions are often achieved through rudimentary and unsophisticated methods, such as convincing users to open infected links/email attachments or inadvertently disclose their login credentials (i.e. user IDs and passwords) [4]. The effectiveness of ransomware attacks lies in their potential to disrupt essential services and operations, as well as the strategic use of “ransom demands” that are relatively small in comparison to the cost of regaining or rebuilding the affected systems.
In recent years, Americans have seen a glimpse of the potential havoc that ransomware attacks can wreak on critical systems. For example, a 2021 attack on the Colonial Pipeline led to gasoline shortages throughout much of the eastern seaboard, while sparking significant panic on the part of consumers and citizens [5]. Just one month later, the world’s largest meat processing company (JBS) paid an $11 million ransom after an attack temporarily halted the company’s North American operations, threatening supply shortages and an abrupt rise in food prices [6]. Given their potential for such dramatic and pronounced impacts, the Department of Homeland Security (DHS) has noted that while most ransomware attacks are financially motivated, they nonetheless represent a direct threat to America’s national security [7].
Here in Florida, critical infrastructure providers across a range of vital sectors have experienced similar attacks, with the frequency and severity of these incidents increasing over recent years. To highlight the scope and import of these trends, the following list provides some examples of ransomware attacks against Florida’s critical infrastructure providers during the 2023 calendar year, including their impacts on critical services that Floridians rely on every day:
• Tallahassee Memorial Healthcare (TMH) suffered a cyberattack in February 2023 that forced the organization to take its computer systems offline and led to the cancellation of scheduled (non-emergency) surgeries. Moreover, the hospital was forced to divert emergency patients to other facilities during the incident, resulting in a potentially dangerous disruption of emergency medicine services for patients in the region [8]. While TMH declined to disclose whether it had classified the cyber-intrusion as a “ransomware attack,” cybersecurity experts noted that the incident bore the hallmarks of a traditional ransomware attack [9].
• The Washington County Sheriff’s Office experienced a ransomware attack in February 2023 that disabled computer systems associated with the office’s finances as well as the county jail. Discussing the severity of the attack – which lasted several weeks – Sheriff Kevin Crews noted that “… we are operating blindly… we can’t run a tag, we can’t run a driver’s license and a big safety thing, we can’t check to see if somebody is a fugitive or committed a heinous crime somewhere” [10].
• The City of Fort Lauderdale was victimized by a phishing scam in September 2023 when a fraudulent invoice was paid in error, resulting in a loss of $1.2 million in taxpayer funds [11].
• Akumin Diagnostics, a medical imaging company based in Broward County, was forced to shut down its computer systems due to a ransomware attack in October 2023. The outage lasted for multiple weeks, disrupting radiology and oncology imaging services for both patients and their doctors. Some patients noted that the outage led to longer delays in service with surrounding providers as well, while officials with the company noted that the attack “likely” resulted in the loss of “personal data and Protected Health Information” [12].
• The First Judicial Court of Florida (serving Escambia, Santa Rosa, Okaloosa, and Walton counties) suffered a ransomware attack in October 2023, which resulted in hackers gaining access to the social security numbers of employees, as well as a “detailed map of the court’s systems.” The attack rendered several key systems inoperable – such as the court’s audio recording software – and impaired judges’ ability to access “certain electronic capabilities” [13].
• Fidelity National Financial (FNF), a Jacksonville-based insurance provider, was attacked in November 2023 by a criminal ransomware organization known as BlackCat [14]. The attack had significant operational impacts on the Fortune 500 company, including disruptions to services “related to title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries” [15].
• The St. Lucie County Tax Collector’s Office was attacked by the same organization (BlackCat) in November 2023. The attack led to a shutdown of the Office’s computer system, and while the locally elected Tax Collector noted that the threat to taxpayers’ most sensitive information was minimal, he also acknowledged that some data had been compromised and taken from the tax collector’s office [16].
While these examples highlight the scope and impact of ransomware attacks against critical infrastructure providers in the state, it’s been suggested that most ransomware attacks go unreported [17], particularly when the victimized organization is a private service provider with less stringent disclosure requirements. With these examples in mind, the next section looks more closely at the current ransomware “maturity gap” among Florida’s critical infrastructure providers.
The Ransomware Maturity Gap Among Florida’s CI Providers
Data collected as part of Cyber Florida’s 2022-23 CI Risk Assessment help to highlight the extent of the “ransomware maturity gap” among Florida’s critical infrastructure providers. In conducting the statewide risk assessment, Cyber Florida used the industry-leading Cybersecurity Evaluation Tool (CSET)®, which was developed by Idaho National Laboratory (INL) on behalf of the U.S. Department of Homeland Security. Within the CSET, a specific module called the Ransomware Readiness Assessment (RRA) measures how well organizations are “equipped to defend against and recover from a ransomware incident” [18]. The RRA module includes 48 questions, which cover Basic, Intermediate, and Advanced steps that organizations can take to improve their ransomware readiness. As part of Cyber Florida’s statewide risk assessment, 216 providers from across 12 critical infrastructure sectors completed the ransomware readiness self-assessment. (For a more complete description of the data collection methodology, please see the Final Report of the Statewide Cyber Risk Assessment, available upon request.)
Basic Ransomware Readiness Among CI Providers
This Policy Brief focuses exclusively on the Basic level of ransomware readiness, as Cyber Florida’s 2023 report recommended that the state take steps to ensure all CI providers achieve and exhibit Basic Ransomware Readiness by the end of 2025. As measured in the CSET, Basic ransomware readiness includes 18 key criteria that cover organizational policies and behaviors such as password requirements, networking settings and monitoring, employee training, hardware/software maintenance, the use of updated “blocklists” to block potentially malicious software, and the regular testing of incident response plans by exercising at the organizational level. Table 1 provides a complete list of the Basic ransomware readiness criteria, along with the percentage of responding CI providers who answered “yes” to each prompt.
As shown in Table 1, 85% or more of responding CI providers are practicing several key behaviors, such as (1) the use of “strong and unique passwords,” (2) regular training of employees to recognize malicious threats such as phishing schemes, and (3) filtering to block malicious content via web browsers and email. However, the data also highlight several key areas of vulnerability among CI providers. For example, less than half of the responding providers report conducting annual incident response exercises that include ransomware scenarios, while less than 60% conduct annual tabletop exercises that include phishing response scenarios (the attack vector that cost the City of Fort Lauderdale $1.2 million in a 2023 attack). Additionally, less than 60% say that they have removed all unsupported hardware/software from the organization’s operating environment.
Other significant areas of concern included the use of a “blocklist” to identify and block malicious software (62.5%), the use of documented and approved software configurations (68.5%), and the development of incident response plans (69.9%). Collectively, incident response planning stands out as an aggregate area of concern for CI providers, as many have not developed or practiced incident response plans for ransomware and phishing scenarios, despite these being the most common attack vectors facing CI providers.
Alarmingly, only 15.3% of responding CI providers met all 18 criteria for Basic ransomware readiness (Figure 1), suggesting that the majority of providers exhibit vulnerabilities to ransomware attack that are “basic” in nature and easily remedied through updated policies and procedures. The recommendations offered in this Policy Brief are intended to help the state close this maturity gap. Before laying out these recommendations, the subsection below shows how Basic ransomware readiness varies across organizations based on sector and geographic scope, as this helps to better understand the state’s vulnerability to future ransomware attacks.
Figure 1. Only 15% of Florida’s CI Providers Currently Meet All 18 Criteria for Basic Ransomware Readiness
Source: CSET® Analysis of Florida’s Critical Infrastructure Providers, 2022-23
Table 1. Basic Ransomware Readiness Criteria
• Does the organization conduct annual incident response tabletop exercises that include ransomware scenarios?
• Has the organization removed all unsupported hardware and software from its operating environment?
• Are annual tabletop exercises that include phishing response scenarios conducted?
• Is there a list of known bad software (a “blocklist”), and is the software on that list being blocked?
• Are documented and approved secure configurations used to manage the organization’s hardware and software assets?
• Is all public-facing software patched for vulnerabilities within 15 days for vulnerabilities rated as “Critical” and 30 days for vulnerabilities rated as “High”?
• Are all internal-facing software and firewalls patched for vulnerabilities within 30 days for vulnerabilities rated as “Critical” and/or for vulnerabilities rated as “High”?
• Are important systems and data backed up daily to an offsite location with the ability to restore multiple versions back at least 30 days?
• Is malicious web content being blocked using DNS filtering via methods like DNS resolvers and DNS firewalls?
• Is email filtered to protect against malicious content?
From Ransomware Readiness Assessment, Idaho National Laboratory: Cybersecurity Evaluation Tool (CSET)®; 2022
Basic Ransomware Readiness by Sector and Geographic Scope
While most CI providers throughout the state are currently not practicing all the standards for Basic ransomware readiness (as established by INL and DHS), there were notable differences in readiness across critical infrastructure sectors, geographic service areas, and those organizations with and without formal cyber training programs. Figure 2 shows that CI providers serving the state as a whole were more likely to meet all 18 Basic ransomware readiness standards than those serving individual jurisdictions (such as a single county or municipality). Among those organizations serving the entire state of Florida, 24% met all 18 criteria for Basic ransomware readiness, compared with only 10% of those serving a single jurisdiction. Those organizations serving a geographic area that exceeded a single jurisdiction (but covered less than half of the state) fell in the middle, with nearly 19% meeting all 18 criteria for Basic ransomware readiness.
Figure 2. Basic Ransomware Readiness by Geographic Scope
Source: CSET® Analysis of Florida’s Critical Infrastructure Providers, 2022-23
Notable differences were also observed across varying CI sectors, as shown in Figure 3 below. Among healthcare and public health organizations (a frequent target of ransomware attacks), more than a quarter of responding providers (28%) reported meeting all 18 criteria for Basic ransomware readiness. In comparison, only 8% of government facilities (comprised largely of local county and municipal governments) met all 18 criteria. Among the responding sectors, government facilities demonstrated the least robust ransomware readiness, which may help to explain the frequency with which these organizations have been victimized over recent years.
Emergency service and information technology providers demonstrated similar levels of ransomware readiness, with just under 19% of providers in both sectors meeting the criteria for Basic ransomware readiness. Among organizations in other sectors (including commercial facilities, critical manufacturing, defense industrial organizations, the energy sector, financial service providers, transportation agencies, and water/wastewater facilities), nearly a third (31%) of CI providers reported meeting the threshold for Basic ransomware readiness.
Collectively, the responses show that significant improvements in ransomware readiness are needed across all CI sectors, though public/government agencies appear to be the most vulnerable.
Figure 3. Basic Ransomware Readiness by Sector
Source: CSET® Analysis of Florida’s Critical Infrastructure Providers, 2022-23
Finally – as shown in Figure 4 – CI providers with formal cyber training programs were two times more likely to be following Basic ransomware readiness guidelines than those without a formalized training program (21% compared to 9%). While those organizations with formal training programs still show significant room for improvement, these data suggest that such organizations are generally better positioned than their peers to respond to and recover from a malicious ransomware incident.
Figure 4. Basic Ransomware Readiness by Presence of Employee Cyber Training Program (% Fully Compliant vs. % Non-Compliant)
Source: CSET® Analysis of Florida’s Critical Infrastructure Providers, 2022-23
Closing the Ransomware Readiness Gap
The data and examples outlined above underscore the substantial threat that ongoing ransomware attacks pose to Florida’s people, property, and prosperity, as well as the significant improvements needed to ensure that the state’s critical infrastructure providers are prepared to prevent, respond to, and recover from future cyber-events. With this in mind, the Florida Center for Cybersecurity recommends that state leaders adopt a coordinated “all-hands-on-deck” approach to ensuring that CI providers throughout the state achieve ‘Basic’ ransomware readiness by the end of 2025, as defined by the DHS’s Ransomware Readiness Assessment.
More specifically, we recommend that the state pursue a coordinated but multi-pronged strategy aimed at (1) raising awareness of the ransomware maturity gap among CI providers, (2) incentivizing compliance with desired standards/practices, and (3) employing data-driven techniques to measure the effective adoption of these standards. This approach is necessary in part due to the breadth and diversity of the sectors comprising Florida’s critical infrastructure environment. While ransomware represents a universal threat, the diversity of needs, services, delivery modalities, and regulatory apparatuses associated with these varied sectors precludes a “one-size-fits-all” solution. This suggests the need for flexibility, innovation, and networked coordination to achieve the state’s cyber-readiness goals and ensure the security of its critical infrastructure.
To ensure the effectiveness of this policy strategy, we furthermore recommend that these efforts include, at a minimum, the following key elements:
• Coordination: The establishment of a Florida-specific, state-level Ransomware Taskforce to coordinate statewide efforts across all 16 critical infrastructure sectors. Notably, a similar model is currently being utilized at the federal level through the Joint Ransomware Task Force (JRTF). CISA notes that the “JRTF serves as the central body for coordinating an ongoing nationwide campaign against ransomware attacks in addition to identifying and pursuing opportunities for international cooperation” [19]. A similarly tasked body operating at the state level is necessary to focus on Florida’s unique operating context, while simultaneously coordinating efforts across diverse CI sectors.
• Delegation: Tasking relevant regulatory agencies at the state level with directing sector-specific efforts to promote, incentivize, and verify CI compliance with Basic ransomware readiness standards. These efforts – which will invariably differ across unique sectors – may include regulatory requirements where appropriate, as well as sector-specific communication efforts and financial incentives. For example, where appropriate, regulating authorities may specify that “In order to be eligible to make application for any relevant state level grants or federal pass-through dollars administered by the State of Florida, those entities designated as ‘critical infrastructure’ must demonstrate compliance with Basic ransomware readiness standards to compete for or receive said funding.”
• Tracking: Establishing and tracking benchmark goals and/or key performance indicators to ensure the achievement of the state’s broader policy goals in the prescribed timeframe. In keeping with established standards, the Department of Homeland Security’s 18-item Basic ransomware readiness assessment (shown in Table 1) should guide these efforts.
• Informational Support: Developing and compiling sector-specific and user-friendly resources to assist CI providers in their efforts to achieve Basic ransomware readiness. At present, many organizations – such as the Cybersecurity and Infrastructure Security Agency (CISA) at the federal level and the Florida Center for Cybersecurity at the state level – are engaged in such efforts. However, the volume, dispersion, and technical complexity of these resources often undermine efforts to promote their utilization. Based on the findings outlined above, these resources should include and emphasize tools to assist CI providers in developing and practicing ransomware incident response plans.
• Resource Support: Extending targeted financial and personnel support to those CI providers constrained by factors such as organizational size, access to skilled labor, tax-base/financial constraints, and geographic locale. Several micro-grant programs currently exist for these purposes, though a more targeted strategy may be needed to ensure the efficient, data-driven allocation of these limited resources.

Conclusion
While the data presented above show that improvements are needed across all CI sectors, special attention may be warranted in the case of government agencies, which lag significantly behind other sectors in Basic ransomware readiness. Moreover, smaller CI providers (i.e. those serving limited/localized jurisdictions) appear to be more vulnerable to ransomware victimization than their larger peers, which is likely a function of resource limitations. Collectively, the efforts proposed above can help to close the ransomware readiness gap and ensure that CI providers across all critical sectors are able to defend against emerging cyber-threats to protect Florida’s people, property, and prosperity.
End Notes
1. CyberSecureFlorida Final Report, July 2023, available upon request
2. Appropriation 2944B (Under H.B. 5001) directed that: “The Florida Center for Cybersecurity at the University of South Florida (…), and in consultation with the Florida Cybersecurity Advisory Council, [shall] conduct a comprehensive risk assessment of the state’s critical infrastructure (CI) and provide recommendations to support actionable solutions for improvement of the state’s preparedness and resilience to significant cybersecurity incidents.”
3. Cybersecurity and Infrastructure Security Agency (CISA). Malware, Phishing, and Ransomware. https://www.cisa.gov/topics/cyber-threats-and-advisories/malware-phishing-and-ransomware
4. Federal Bureau of Investigation (FBI). How to Protect Your Networks from Ransomware. https://www.justice.gov/criminal-ccips/file/872771/download
5. Kelly S, Resnick-Ault J. 2021. One Password Allowed Hackers to Disrupt Colonial Pipeline, CEO Tells Senators. Reuters, June 8, 2021. https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08/
6. Reuters, June 10, 2021. Meatpacker JBS Said it Paid Equivalent of $11 million in Ransomware Attack. https://www.reuters.com/technology/jbs-paid-11-mln-response-ransomware-attack-2021-06-09/
7. Department of Homeland Security (DHS). 2022. Ransomware Attacks on Critical Infrastructure Sectors. https://www.dhs.gov/sites/default/files/2022-09/Ransomware%20Attacks%20.pdf
8. Lyngaas S, Rind D. 2023. Apparent Cyberattack Forces Florida Hospital System to Divert Some Emergency Patients to Other Facilities. CNN, February 3, 2023. https://www.cnn.com/2023/02/03/politics/cyberattack-hospital-tallahassee-memorial-florida/index.html
9. Burlew J. 2023. What’s Going on at TMH? Experts Say Incident has Telltale Signs of a Ransomware Attack. Tallahassee Democrat, February 8, 2023. https://www.tallahassee.com/story/news/local/2023/02/08/tallahassee-hospital-it-security-event-has-signs-of-ransomware-attack/69882843007/
10. Riley E. 2023. Hackers Threaten to Release Washington County Sheriff’s Office Personal Data. My Panhandle, March 20, 2023. https://www.mypanhandle.com/news/local-news/hackers-threaten-to-release-washington-county-sheriffs-office-personal-data/
11. Rodriguez Ortiz O, Aguila G. 2023. Police: Fort Lauderdale, Fla., Duped in $1.2M Phishing Scam. Government Technology, September 22, 2023. https://www.govtech.com/security/police-fort-lauderdalefla-duped-in-1-2m-phishing-scam
12. Krischer Goodman K. 2023. Patients Desperate for Imaging Services, Worried About Health Information, After Akumin Shuts Down Due to Ransomware Attack. South Florida Sun Sentinel, October 24, 2023. https://www.sun-sentinel.com/2023/10/24/patients-desperate-for-imaging-services-worried-about-health-information-after-akumin-shuts-down-due-to-ransomware-attack/
13. Johnson B. 2023. First Circuit Chief Judge Confirms Personal Data Was Breached in Courthouse Cyberattack. Pensacola News Journal, October 20, 2023. https://www.pnj.com/story/news/local/escambia-county/2023/10/20/alphvblackcat-claim-cyber-attack-on-escambia-santa-rosa-courts/71135573007/
14. DeLisa C. 2023. Ransomware Group Claims Responsibility for Another Florida Attack. The Capitolist, November 27, 2023. https://thecapitolist.com/ransomware-group-claims-responsibility-for-another-florida-attack/
15. Kingsley R. 2023. Fidelity National Financial Hit by Cyberattack. National Mortgage Professional, November 28, 2023. https://nationalmortgageprofessional.com/news/fidelity-national-financial-hit-cyberattack
16. Perlis W. 2023. Hacker Gang Claims St. Lucie County Breach, Tax Collector Says Sensitive Information Not at Risk. Treasure Coast Newspapers, November 14, 2023. https://www.tcpalm.com/story/news/local/st-lucie-county/2023/11/14/ransomware-group-claims-it-took-sensitive-information-butdid-it/71571855007/
17. De Vynck, G. 2021. Many Ransomware Attacks Go Unreported. The FBI and Congress Want to Change That. Washington Post, July 27, 2021. https://www.washingtonpost.com/technology/2021/07/27/fbi-congress-ransomware-laws/
18. Cybersecurity and Infrastructure Security Agency (CISA). CISA’s CSET tool sets sights on ransomware threat. June 30, 2021. Available at https://www.cisa.gov/news-events/alerts/2021/06/30/cisas-cset-tool-sets-sights-ransomware-threat
19. Cybersecurity and Infrastructure Security Agency (CISA). Joint Ransomware Task Force. https://www.cisa.gov/joint-ransomware-task-force