Last May, the worldwide cyberattack from the "WannaCry" malware temporarily crippled the United Kingdom's National Health Service (NHS), leading to canceled appointments, diverted ambulances and patient data being temporarily inaccessible.
Despite a scathing report from the government's National Audit Office, which said the NHS “need[s] to get their act together to ensure the NHS is better protected against future attacks,” it emerged without having to pay the ransoms of $300 or $600 in bitcoin, unlike some private companies that did pay.
Instead, Motherboard reported local NHS trusts had prepared for such an event with a full backup of data and files — a process that kept it cyber resilient.
In these days of increasingly sophisticated cyberattacks and cities that rely more on technology for everyday functions, they can learn from a big, bureaucratic organization to not only protect themselves from hacks, but prepare for keeping things running when they are hacked.
"It's not enough to say, 'We're going to protect ourselves from attacks,' because that's one way of thinking about it," Andrew Salkin, senior vice president for City Solutions at 100 Resilient Cities, told Smart Cities Dive.
"When I think about cyber, that's what I begin to think about. It's beyond critical infrastructure, but it starts there, and it starts to think about the services that the city has that are connected to technology that can be enhanced, protected and leveraged to help the city do a lot of different things."
The city of Rotterdam in The Netherlands leads the way internationally on cyber resiliency in its port operations, with that being one of the seven pillars of its strategy for becoming a fully resilient city.
The city's port system now relies extensively on automation and digitization of its logistics operations, as ships have become bigger and carry more freight into a major European entry point. Container cranes are automated and lift freight off ships and put them onto automated trucks to be transported into a storage area before being taken away by traditional vehicles.
"They even know when their battery is almost empty: they then drive to the battery swap station where a robot equips them with a new battery," Niels Dekker, a spokesman for the Rotterdam World Gateway terminal, state on the Port of Rotterdam's website.
Due to digital innovations, the Port of Rotterdam Authority had a 12.3% increase in container throughput, and a total growth in cargo throughput by 1.3%.
Such digital innovations have become necessary as the port has become busier importing and exporting goods, and includes the use of driverless ships. The Port of Rotterdam Authority, which controls the terminals and distribution parks, announced earlier this month it had a 12.3% increase in container throughput, and a total growth in cargo throughput by 1.3%.
"Together with customers, our partners in the chain and digital platforms, we are making sure that the most promising digital innovations are being developed in Rotterdam," Port of Rotterdam Authority CEO Allard Castelein said in a statement.
"The Port Authority assumes an active role in the collection of data and information, and in making them available. The ultimate goal is to make the port and the logistics chains smarter and to safeguard the seamless throughput of traffic and goods," according to Castelein.
To keep everything moving smoothly and to ensure the digital systems are less vulnerable to attack, the city and the port authority developed a plan for cyber resiliency with Microsoft.
It includes having a Chief Resiliency Officer responsible for overseeing the cybersecurity activity at the port, as well as a Cyber Resilience Co-op and other ways to encourage businesses and the port authority to work together. That can be as simple as alerting each other about the still-common phishing attacks, or recommending ways to insulate themselves from ransomware.
"Individual companies and organizations can have their own security in order, but they are also dependent on other companies, organizations and government services," the plan reads. "The resilience of Rotterdam to cyberthreats will be increased by enhancing awareness, sharing knowledge and experience and joining forces to improve responsiveness and ICT products."
"The folks in Europe, mostly through Rotterdam's leadership, they're a little bit ahead of where the conversation has been in the United States."
Andrew Salkin
Senior Vice President, City Solutions, 100 Resilient Cities
While Rotterdam has led the way on cyber resilience, Salkin said cities in the United States have been slower to catch up, but are starting to think about it. He said cities that have large ports that have a lot of trade in and out could learn plenty from their peers in the Netherlands in the coming years as their infrastructure evolves.
It can also be broadly applicable as cities store data centrally, have more autonomous vehicles and integrate FirstNet, the federal communications network for public safety.
"The folks in Europe, mostly through Rotterdam's leadership, they're a little bit ahead of where the conversation has been in the United States," Salkin said.
"There's a similar entry-point for U.S. cities, but I think they haven't quite gotten there. What we hope to do and what we plan on scaling is as Rotterdam creates their cyber resilience plan for the port, how do we take that and share it with Los Angeles, how do we take that and share it with Oakland, New Orleans and Norfolk," said Salkin.
Perhaps the biggest drawback for city leaders enhancing their cyber resiliency would be the costs associated to add redundancies that would increase spare capacity and keep technology working even if it comes under a cyberattack.
While it may be expensive initially to keep and maintain a full backup of data, provide ways for collaboration on cybersecurity, or employ a Chief Resiliency Officer, it is worth it in the long run if that data is potentially compromised in a ransomware attack.
"We're trying to get cities to think about redundancy if it has other costs, does it have other benefits, and if it's a cost you can't afford how do you think about how you're going to manage it so even when you go down you're able to come back very quickly in a way that's consistent with expectations," Salkin said.
At the root of everything, Salkin said given the way cities are evolving to rely on more automation, more technology and cloud-based storage of data, they must be both secure and resilient.
"If we really become a city full of automated mass transit and automated vehicles and new use of space and everything hooked up on the streets and all we're thinking of is cybersecurity, we're missing an opportunity to think about the resiliency of how this new technology changes the way we exist," he said.