More than 20 entities in Texas reported a ransomware attack on the morning of Aug. 16, the majority of which were smaller local governments. There are no known impacts to any public power electric utilities in Texas.
In an Aug. 17 update on the event, the Texas Department of Information Resources (DIR) noted that it is leading the response to the ransomware attack.
The Texas Division of Emergency Management is assisting by coordinating state agency support through the Texas State Operations Center, the DIR noted on Aug. 16.
The DIR said that on the morning of Aug. 16 the State Operations Center (SOC) was activated with a day and night shift and that, as of Aug. 17, the evidence gathered indicates the attacks came from one single threat actor.
“Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time,” the DIR said, adding that it appears all entities that were actually or potentially impacted have been identified and notified.
A total of 23 entities have been confirmed as impacted and responders are actively working with these entities to bring their systems back online, the DIR noted.
The State of Texas systems and networks have not been impacted.
The DIR said that the following agencies are supporting this incident:
- Texas Department of Information Resources
- Texas Division of Emergency Management
- Texas Military Department
- The Texas A&M University System’s Security Operations Center/Critical Incident Response Team
- Texas Department of Public Safety (Computer Information Technology and Electronic Crime (CITEC) Unit, Cybersecurity, Intelligence and Counter Terrorism)
- Texas Public Utility Commission
- Department of Homeland Security
- Federal Bureau of Investigation – Cyber
- Federal Emergency Management Agency
- Other Federal cybersecurity partners
Bernie Acre, Chief Information Officer for the City of Bryan, Texas, noted on Aug. 19 that the City of Bryan/Bryan Texas Utilities first learned of the incident via a statewide IT group email.
“We received an email via the Texas Association of Government Information Technology Managers (TAGITM) list serve stating the following ‘DPS is reporting that there is a current ransomware campaign specifically targeting Texas law enforcement agencies,’” Acre noted.
Acre said that early on the morning of Aug. 19, he circulated a message to all managers and supervisors. Included in the message were details provided by Jerry Henry, the City of Bryan’s Emergency Management Coordinator.
In his message to managers and supervisors, Acre underscored the point that the City of Bryan is not vulnerable to this particular attack.
Meanwhile, Texas Public Power Association Executive Director Russ Keene said he was first contacted on Saturday morning, Aug. 17, via email from the state Public Utility Commission’s Cybersecurity Division, and he immediately requested a phone update.
“We appreciated the notification and vigilance of the PUC regarding any potential breach of the state’s municipally owned utilities,” he said. “Working closely with the state’s Department of Information Resources and many other agencies, the Texas PUC had alerted our membership via email early on Saturday morning. While this ransomware breach targeted law enforcement agencies at the county and municipal level and was quickly contained, TPPA members are nonetheless on point for enhanced cybersecurity planning and system reinforcement.”
“While public power utilities were not affected by this incident, the events in Texas offer a good reminder that utilities have to remain vigilant when it comes to ransomware and other forms of cybersecurity attacks,” said Mike Hyland, Senior Vice President, Engineering Services, at the American Public Power Association.
The Association has recently released a Public Power Cyber Incident Response Playbook to help utilities respond to cyberattacks, including ransomware. It is available here.
The Association is hosting a Cybersecurity Summit Nov. 18-20 that will cover a wide range of topics including ransomware attacks.
Additional information about the summit, which will take place in Nashville, Tenn., is available here.