City: Cyber attack against Baltimore’s 911 computer-aided dispatch system was ransomware

Ransomware perpetrators were behind Sunday’s cyber attack on the Computer Aided Dispatch (CAD) system that supports Baltimore’s 911 operations, according to Baltimore City Chief Information Officer Frank Johnson.
In a statement released Wednesday, Johnson said federal investigators are working with the city to determine the source of the attack, which forced the CAD system offline for 17 hours on Sunday. Officials have said that service was not disrupted during that time, as calls were dispatched by voice.
A ransomware attack often involves encrypting parts of a network, and a demand of payment in bitcoin to free it back up. It’s in the same category as the WannaCry attack.
It’s one of the most common types of attacks to target public safety systems, said Tim Lorello, CEO of Anne Arundel County–based SecuLore Solutions. The company specializes in cybersecurity for public safety, and, with a Pennsylvania firm, is set to begin a review of 911 systems across the state. Some cyber attacks involve stealing data, but ransomware only requires breaking in.
“With ransomware they have to infiltrate but they don’t have to exfiltrate,” he said. The attack “simply encrypts it in such a way that the victim can’t use the system.”
While he’s not involved in the Baltimore investigation, Lorello said that, in general, “The reason that the 911 center is a particularly interesting target is because they are a mission critical” function. Specifically, Lorello, said, “That CAD system is incredibly crucial to the proper 911 response.” But he added that dispatchers are trained to work in manual mode.
There’s been no indication of a payment demand in the Baltimore incident. Johnson characterized it as a “limited breach.”
“We were able to successfully isolate the threat and ensure that no harm was done to other servers or systems across the City’s network,” Johnson said. “Once all systems were properly vetted, CAD was brought back online. No personal data of any citizen was compromised in this attack.”
The move to isolate the computer infected by the attack is key, said Lorello, as it limits the attacker’s ability to move laterally into other parts of the network.
On the city’s side, the network was left exposed during troubleshooting.
“Upon further investigation, we have determined that the vulnerability was the result of an internal change to the firewall by a technician who was troubleshooting an unrelated communication issue within the CAD System,” Johnson said.
The attack in Baltimore city comes against the backdrop of a much more wide-ranging ransomware attack in Atlanta which took functions for police, courts and bill pay offline. Initially, city employees couldn’t send emails.
When it comes to public safety agencies specifically, Lorello said his company has identified 184 incidents at the state and local level in 45 states over the last two years. Not all of those were ransomware attacks.
Johnson indicated the city is well aware of the threats, and cybersecurity is part of the city’s strategic tech plan that is currently being finalized.
“It’s important to understand that each day, our network systems – as those of cities across the country – face constant manual and automated threats, in much the same way that individuals, companies, and institutions face in safeguarding their personal computers, servers, and IT networks,” Johnson said.