Best Practices for Securing Critical Infrastructure for State & Local Governments


Government agencies are increasingly finding themselves targets for cyberattacks. This page summarizes some of the best practices these agencies can use to stay secure and highlights some of the possible consequences of leaving vulnerabilities unaddressed. Our election systems have been a strong focus in recent years; we draw upon lessons learned in that realm and extend them across the government IT infrastructure. Above all, this should serve as a reference architecture for Security Officers and CIOs across all government entities and departments.



Today’s world is dramatically different from just five years ago. Ransomware attacks used to make global headlines. Now, they are commonplace. Cybercriminals have historically targeted large enterprises. Now, almost every day, we learn that a new city, county or state government entity has been attacked.

“Island hopping” attacks are also becoming more frequent, meaning that attacks are proliferating to suppliers and customers and becoming harder to stop.

Newer, sophisticated cyberattacks are bypassing traditional, signature-based antivirus solutions at an alarming rate. More than 60% of attacks are not malware based. Even malware is much more sophisticated than ever before, and phishing attacks that used to be laughably detectable by misspellings and incorrect graphics are now quite convincing.

In recent months, we’ve seen high-profile attacks against major U.S. cities. These attacks have included ransomware variants and permanent data loss. The damages have totaled in the millions of dollars. Some cities are still recovering from these attacks and the lessons learned have been sobering.

Attackers will often introduce an attack via a spear phishing email, which is opened by a city employee, exposing the entire infrastructure to an attack. In some examples, ransomware has been able to encrypt all city data, computers, workstations, phones, and dispatch systems for first responders. For example, the City of Pensacola, Florida was hit with a ransomware attack in early December, 2019. The Maze ransomware variant was used, and the hackers threatened to release data if $1M in ransom was not paid. True to their word, they did release a small percentage of the data to prove they could. Making this especially damaging, the attack occurred days after a shooting at a nearby Naval Base. Experts estimate that it may take six months to a year for the city, which was mostly shut down, to recover from this hack. No one knows if the city paid the hackers or not, but we do know they paid the consulting firm upwards of $140K to fix the issue.

Other cities in the news for December attacks include New Orleans, the city of Galt, CA near Sacramento, and St. Lucie, Florida. All attacks are costly in terms of productivity, city image, and potential privacy concerns. What is “new” is how often attackers are taking advantage of smaller, more vulnerable entities. We continue to see new attacks on state, city, county and local governments, which underscores the need for more comprehensive cybersecurity protection and awareness.


After the widely publicized Target attack of 2013, many enterprises and retail businesses saw the importance of moving away from outdated security solutions and realized the potential cost of a breach. They put into place more sophisticated solutions to stop attackers. In many cases, government entities did not follow suit; they were often hampered by limited budgets and a lack of solid security staff.

Some data to ponder:

The International City/County Management Association, better known as ICMA, released the results of a survey conducted in 2018 and found that municipalities cited the following as severe barriers to implementing cybersecurity in their jurisdictions:

  • 58.3 percent cited the inability to pay competitive salaries for cybersecurity personnel
  • 53 percent cited an insufficient number of cybersecurity staff
  • 46.5 percent cited a lack of adequately trained cybersecurity personnel
  • 52.3 percent cited a lack of funds for cybersecurity

In addition, more than 50% had not performed any cybersecurity training for personnel.

Government agencies are adding Internet-connected services and technology at a rapid rate, often without securing that new technology. This provides new attack surfaces for cyber criminals and nefarious nation-state actors. The risk of an increased attack surface is compounded by the reality that organized crime groups have adopted cybercrime as an emerging business model with help from the dark web.


The above is very concerning when considering all the points of vulnerability in government and the potential impact on the public at large. Criminals and domestic and international terrorists can now mount an asymmetrical cyberattack in the following ways:

  • Municipal Airports can have critical safety interruptions, which would create chaos and provide a way for malicious nation-state actors or hacktivists to cause accidents in a new form of warfare.
  • Smart city controls could be compromised or shut down, with chaos ensuing in the form of missed snow plowing, parking garages shut down, court houses and DMV centers with no compute power, and widespread smart meter malfunctions.
  • Court house records could be exposed or altered.
  • Critical patient data from public hospitals could be exposed or altered. One such case involved the deletion of a patient allergy from a chart, and the patient died on the operating table.
  • Prison inmate data could be hacked and/or changed.
  • 911 systems could be brought down during major emergencies.
  • Government contract award data could be compromised.
  • Key governmental communications could be altered or changed.
  • Sealed juvenile arrest records could be reached and exposed, or altered and exposed.
  • DMV records could be altered, used for identity theft, and/or exposed.

Given the heterogeneous architectures of state and local systems (and the stark reality that many of these systems are older and unmanaged), it is imperative that we learn from the security exposures of another critical infrastructure. The most visible use case study is election security. A great deal of study has been done in this area. It pays to review lessons learned as well as the types of attacks and vulnerabilities so that this knowledge can be applied to the above scenarios and help to keep our cities, towns, counties and states safe as well as our elections fair.

Study of these attack surfaces by white hat hackers, security experts, lawmakers, and companies such as VMware Carbon Black has led to the formulation of a set of best practices codified by the U.S. Department of Homeland Security’s CISA, and a questionnaire for State and Local Governments to use to determine their vulnerability, which can be found here:


  1. As many government entities are using outdated security methods and products, it is critical to get a baseline on where vulnerabilities lie. A baseline “Red Team” or “Purple Team” (use of a third party plus in-house security experts) audit and/or Cyber Hunt exercise can help expose where systems are vulnerable and where increased controls need to be applied. Penetration tests and general audits are also recommended.
  2. Multi-factor authentication with “just in time” administration should be deployed to web servers and to servers holding key data. Websites that are accessible to the general public should be reviewed for accuracy continuously.
  3. Deploy application control (whitelisting) on critical servers, ensure they do not touch the raw Internet, and place them in high enforcement mode. Application control only allows approved programs to run, stops all unauthorized file or memory modifications, and has been used for many years by universities and financial institutions to protect critical data.
  4. Create a comprehensive micro-segmentation strategy for your network and then execute it: flat networks are much more easily hacked, and more of your critical network will be exposed during an attack. Micro-segmentation is simply the practice of isolating segments of your network or data center into “enclaves” that are separate from each other. This limits the expansion and reach of an attack if one occurs. If you don’t have expertise in house for this task, money spent on a consultant will be well worth the extra expense.
  5. Deploy endpoint detection and response (EDR) technology as well as non-signature-based NGAV (next generation antivirus) that uses unfiltered data to detect and remediate advanced attacks (even zero-day attacks). Remember, the endpoint is the easiest attack surface for hackers.
  6. Integrate your critical security systems across your network. (NOTE: VMware Carbon Black integrates with most firewalls, although firewall integration is not necessary for endpoint quarantine and isolation. Most SIEMs can be integrated with VMware Carbon Black’s RESTful APIs, and integration with cloud security providers such as NetSkope can help ensure that the cloud doesn’t become a point of ingress for bad actors.)
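The micro-segmentation point above (item 4) is easiest to appreciate with numbers: how many hosts could an attacker who controls one workstation reach over the network, with and without enclave policy? The following is an added illustration written for this page, not code from VMware or CISA. The host inventory, enclave names and the allowed-flow policy are all constructed for the example; a real assessment would load them from the firewall or segmentation platform. It performs a breadth-first reachability search, treating every reachable host as a potential pivot point (the worst case a defender plans for), and reports the blast radius under a flat network versus the segmented policy.

```python
"""Compare the reach of a compromised host on a flat network versus a
micro-segmented one. Constructed example for illustration only."""
from collections import deque

# Constructed inventory: host -> enclave it belongs to (hypothetical names).
HOSTS = {
    "ws-clerk-01": "user-workstations",
    "ws-clerk-02": "user-workstations",
    "web-portal": "dmz",
    "app-permits": "app-tier",
    "db-records": "data-tier",
    "dispatch-911": "public-safety",
    "backup-01": "backup",
}

# Assumed segmentation policy: source enclave -> enclaves it may initiate
# connections to. Flows inside an enclave are allowed; everything else is
# denied by default (the "enclave" model described in item 4).
POLICY = {
    "user-workstations": {"dmz", "app-tier"},
    "dmz": {"app-tier"},
    "app-tier": {"data-tier"},
    "data-tier": set(),
    "public-safety": set(),          # dispatch is isolated from the office LAN
    "backup": {"data-tier", "app-tier"},  # backup pulls from these tiers
}


def flow_allowed(src: str, dst: str, segmented: bool) -> bool:
    """Can host `src` open a connection to host `dst` under the policy?"""
    if not segmented:
        return True  # flat network: anything can talk to anything
    s_enc, d_enc = HOSTS[src], HOSTS[dst]
    return s_enc == d_enc or d_enc in POLICY.get(s_enc, set())


def reachable_from(start: str, segmented: bool) -> set:
    """Breadth-first search over hosts. A host that can be reached is
    treated as a possible next pivot, so multi-hop paths count (worst case)."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for other in HOSTS:
            if other not in seen and flow_allowed(current, other, segmented):
                seen.add(other)
                queue.append(other)
    seen.discard(start)
    return seen


def blast_radius(start: str) -> dict:
    """Hosts exposed if `start` is compromised, flat versus segmented."""
    flat = reachable_from(start, segmented=False)
    seg = reachable_from(start, segmented=True)
    return {
        "flat": sorted(flat),
        "segmented": sorted(seg),
        "protected_by_segmentation": sorted(flat - seg),
    }


if __name__ == "__main__":
    for host in ("ws-clerk-01", "dispatch-911"):
        result = blast_radius(host)
        print(f"If {host} is compromised:")
        print(f"  flat network exposes      {len(result['flat'])} hosts")
        print(f"  segmented network exposes {len(result['segmented'])} hosts")
        print(f"  kept out of reach: {result['protected_by_segmentation']}")
```

Run against the constructed inventory, a compromised clerk workstation can reach all six other hosts on the flat network but only four under the policy; the 911 dispatch host and the backup server stay out of reach, which is exactly the containment the best practice is after. Feeding the same search with a real inventory and policy export is a cheap way to check that a segmentation design actually keeps public-safety and backup enclaves off the path from user workstations.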

  7. Continually work to attract, hire, and retain the best security talent in order to ensure you are not only protected, but know how to remediate if an attack happens.
  8. Stay up to date on the latest attack methodologies as well as attack vehicles. VMware Carbon Black’s Threat Analysis Unit (TAU) provides customers with the latest knowledge and information. Our User Exchange also is a rich source of data and intelligence. Take time to attend conferences, and network with other government security teams.
  9. Use a product that allows the integration of third party threat feeds. This way, you can stay on top of the latest innovations by bad actors.
  10. EDUCATE! EDUCATE! EDUCATE! Make sure that everyone in your network, your administration, and your leadership understands the importance of cybersecurity, how not to fall for phishing attacks, and how to maintain a secure environment.


Businesses are shut down. Airports are empty. Hospitals are full. Many Governors (21 states) have issued “Stay-At-Home” Executive Orders closing all non-essential businesses and eliminating all public meetings. How do government and education provide “Continuity of Operations” (COOP) in this pandemic?

Organizations at all levels of government are trying to find ways to deliver essential services with a remote workforce. Education institutions, K-12 and universities, have been forced to close their doors and are now expected to deliver the same education through online and distance learning platforms. Some organizations have developed policies, processes and infrastructure to support this new remote demand, but others are struggling to keep up.

At VMware, we are seeing hundreds of organizations reach out to us for assistance in building platform capabilities and implementing best practices to support their Continuity of Operations. Below is a list of new business requirements our customers have asked us to help address with Covid-19 and how we have helped.

  • New Remote Branch Office Network Connectivity

With Covid-19, many of our customers now see a need for new service delivery centers close to the citizen for things like child welfare, job centers, community corrections and public health. These customers are setting up Remote Field Offices to provide the needed office infrastructure (copying, printing, video conferencing) without the need to go to a large central office. This brings up the need to set up a site with secure internet quickly, without waiting 90 days for traditional carrier-based installations. Around the country, VMware is helping customers establish new secure internet-based networks which can be strictly controlled and managed by network staff. These new networks, set up in a day, are fully encrypted and managed, enabling government departments to meet citizen demand.

  • Remote Access to Mission Critical Applications

Now faced with “Stay-At-Home” orders, many customers are asking for large quantities of Virtual Desktop Infrastructure (VDI) or access to critical applications from non-government-owned devices (BYOD). Organizations now have to support 80% of their workforce working remotely rather than sitting in an office. VMware is helping customers provide highly secure remote access to mission critical applications, like Child Welfare, for their employees on any device. Remote employees, whether issued a government notebook or using their own device, need secure access to published applications and sometimes full access to a VDI desktop. Customers can both publish applications and implement VDI either in the data center or in a public cloud. This remote capability enables our government organizations to continue to provide critical services from anywhere. Some of our customers are able to quickly migrate to BYOD to meet the remote worker need through VMware’s ability to provide device, network and data security through segmentation.

  • Access to Secure Content from Remote Devices

Universities and K-12 organizations have now closed their doors and have had to quickly adapt to online course delivery, changing the paradigm from classroom-based education to digital, collaborative education. Faculty and administrators are now required to stay home and need the capability to create, manage and deliver digital online education. Additionally, some organizations have very complex physical training lab environments, with highly specialized compute-intensive software like CAD, on campus to augment the classroom. These labs are now inaccessible and need to be accessed virtually. VMware is helping our customers establish the virtual environment with the capability and capacity to meet their training needs. We are helping faculty and administrators gain access to their systems through VDI, enabling digital content to be delivered to students. We are helping students gain remote access, from any device, to the content and the sophisticated “virtual training lab” environment, enabling them to continue with their education requirements. All of these virtual environments are wrapped with sophisticated security to manage the content, access and data to meet federal requirements.

  • Securing Applications, Data and Devices

The demand for remote access outside of “locked down networks” is high, but it opens up a large security risk. How do we trust the user, the device and the network outside of normal security controls? Now with access from remote devices, as opposed to a traditional on-premises network, our customers are faced with having to lock these systems down. New security controls from the device, through the network, to the data center and the cloud are required. VMware is helping our customers answer these security questions. VMware is providing customers the ability to implement a zero-trust security architecture to ensure appropriate security controls are maintained even though the scale of remote access has quadrupled. Customers can meet their data and application security requirements through a comprehensive security platform enabling strong device management, controlled user access, application-level VPN and application network segmentation.


Data analytics and cybersecurity pushed cloud out of the top spot for increased technology investment by government CIOs. This increased focus on data reflects CIOs’ acknowledgment that artificial intelligence (AI) and data analytics will be the top “game-changing” technologies for government.

The survey drew respondents in 89 countries and across major industries, including 528 government respondents, who are segmented into national or federal; state or province (regional); local; and defense and intelligence, to identify trends specific to each tier.

Taking advantage of data is at the heart of digital government — it’s the central asset to all that government oversees and provides. The ability to leverage that data strategically in real time will significantly improve government’s ability to seamlessly deliver services, despite increased strain on finite resources.



When it comes to strategic business priorities, the survey found that 18 percent of CIOs across all levels of government have prioritized digital initiatives again this year as key to achieving mission outcomes, compared with 23 percent from all other industries. The next three business priorities for government are industry-specific goals (13 percent), operational excellence (13 percent) and cost optimization/reduction (8 percent).

The data indicates that governments are making deliberate progress toward designing and delivering digital services, achieving comparable maturity to other industries overall. However, government is still lagging other industries (33 percent overall) in scaling and refining digital initiatives. The gap is particularly marked in defense and intelligence, where just nine percent of respondents have scaled digital initiatives. To meet increased demand and evolving expectations of citizens for effective and efficient services, government must continue to enhance its digital maturity. Government CIOs clearly recognize the potential of digital government and have started developing new digital services, but now need to take digital beyond a vision to execution through digital leadership.

Despite the focus on digital, only 17 percent of government CIOs plan to increase their investment in digital business initiatives, compared with 34 percent of CIOs in other industries. While government CIOs demonstrate clear vision in the potential for digital government and its emerging technologies, 45 percent report they lack the IT and business resources required to execute.


[Chart: Game-Changing Technologies. Government priorities by percentage of respondents. Categories shown: Artificial intelligence/machine learning; Data analytics; Internet of Things; Mobile (including 5G); Business intelligence; Digital transformation; Customer relationship management. The percentage values were not recovered from the page.]


AI introduces new insights and delivery channels that will enable governments to scale at a magnitude not previously possible. This will allow reallocation of valuable human resources to more complex processes and decisions.

Among government respondents, 10 percent have already deployed an AI solution, 39 percent intend to deploy one in the next one to two years, and an additional 36 percent intend to deploy an AI solution within the next two to three years.


Among all levels of government, business intelligence (BI) and data analytics (43 percent), cyber/information security (43 percent) and cloud services/solutions (39 percent) are the most common technology areas for increased technology investment.

[Chart: Government Priorities for increased technology investment, by percentage of respondents. Categories shown: BI/data analytics; Cyber/information security; Cloud services/solutions; Core system improvements/transformation; Software development/upgrades; Infrastructure/data center; AI/machine learning; Technology integration; Customer/user experience; Mobile applications. Only the three leading values (43, 43 and 39 percent) are stated in the text above; the remaining values were not recovered from the page.]


The fact that cybersecurity remains an area of projected increased spending reflects government’s recognition of its role as the steward of public data, with secure transactions now table stakes for governments in a digital world.

In today’s digital world, cyberattacks are highly visible, increasingly malicious and costly, and they erode the public’s trust. Government CIOs have steadily increased their prioritization of cybersecurity over the years and have gained executive commitment to vigilance in ensuring that ever-evolving malicious attacks and threats are mitigated to the greatest extent possible.

VMware & Open Source Cloud Government Training

Sample a free training demo of VMware Carbon Black here or get an introduction to What's New with vSphere 7 here. For complete VMware, Red Hat, and PowerShell training courses select from the following government training solutions:

  • VMware Kubernetes Foundations
  • VMware Carbon Black Cloud Enterprise EDR
  • VMware Carbon Black EDR Administrator
  • VMware Carbon Black Cloud Audit and Remediation
  • VMware Tanzu Mission Control: Management and Operations 2020
  • VMware Workspace ONE: Unified Endpoint Management Troubleshooting [V20.x]
  • VMware® Kubernetes Cluster Operations
  • VMware Carbon Black App Control Administrator
  • VMware Cloud on AWS: Deploy and Manage 2020
  • VMware Site Recovery Manager™ - Install, Configure, Manage V8.2
  • VMware Tanzu Kubernetes Grid: Install, Configure, Manage [V1.0]
  • VMware vSAN: Management and Operations [V7]
  • VMware vSphere: Design v7.0
  • VMware vSphere: What’s New v6.7-7.0
  • Red Hat Automation with Ansible I (DO407)
  • Red Hat Microsoft Windows Automation with Red Hat Ansible (DO417)
  • 10961 Automating Administration with Windows PowerShell
Jan 2021

By: William Jordan