Town Manager Mike Walsh, Board of Education IT person Frank Melanson and Town of Granby IT person Tristen Grouten attended a cybersecurity program on May 28. The Town of Simsbury invited Avon, Canton, East Granby, Farmington and Granby to join in assessing how each town handles the occurrence of a cyber incident.
After being presented with a mock security incident, each town was evaluated on its procedures for detection and response. Walsh noted that Melanson’s responses to questions from the program leaders were excellent, indicative of the work the IT staff has put into the Town of Granby’s security.
Granby has a risk management program that regularly receives cyber threats—up to 1,000 a month—but, so far, none have gotten into its domain, thanks to alerts from the CISA (Cybersecurity and Infrastructure Security Agency), a division of the U.S. Department of Homeland Security and MS-ISAC (Multi-state Information Sharing and Analysis Center). These two agencies scan networks and gather information on recent threats of which towns are informed.
Also, the town works with CTIC (Connecticut Intelligence Center) if there are any fraud attempts, or other illegal activities are noted. CTIC is the designated fusion center for the state, one of 890 such centers in the country. Fusion centers were developed after Sept. 11, 2001 in an effort to increase collaboration and information sharing among state, local, federal and private sector entities. It includes representatives from organizations such as Homeland Security, the FBI, TSA, Connecticut National Guard and state police.
Both Granby’s head of IT, Jon Lambert, and Melanson receive these notifications, which may involve the town’s software, Microsoft programs, email and internet. Granby also uses internal software tools to monitor systems and the internet provider monitors the connection for attacks and abnormal usage. Most of the town’s internal systems are backed up nightly by the town’s cloud provider, Microsoft, or stored in several different town buildings depending on the software platform involved.
Town and BOE staff report threats to Grouten and Melanson. The response to a security issue depends on the magnitude of the threat. The town will gather its emergency center operations staff, much as it does for weather-related emergencies, to decide what the response will be and which department(s) will make that response. Any indications of compromise would be looked at by the technology department and, depending on the issue, could escalate it to one or more individuals including the town manager, police chief, public works director or school superintendent.
Another organization that is contacted in the case of a threat is CIRMA (Connecticut Interlocal Risk Management Agency), the town’s insurance carrier. If the security issue involves financial payment to prevent loss of data, it will help recover the loss and pay the claim. The information would also be shared with the state police, who would also assist in trying to recover any lost money as well as starting any criminal investigation they believe to be merited.
The emergency operations center staff have received training and regularly receive training updates. Those who work for the state are required to have performed updates within 30 days of the update’s arrival, but individual towns are not as stringent. Lambert and Melanson decide the appropriate training frequency for the town and BOE staff.
Depending on the criticality of the issue, reconstitution can take a few days or months. The emergency operations staff tailors the response to the severity. Once all systems are running again and all data is restored, the incident is deemed to be over.