In December 2021, Lincoln College in rural Illinois suffered a devastating ransomware attack. The attack shut down all systems, including those for recruitment, retention and fundraising. While the college had preexisting fiscal problems due to the pandemic, this ransomware attack proved to be too much for the college to navigate. In the spring of 2022, the school announced it would be closing down after 157 years of serving students.
This sad story demonstrates the devastating impact that cyberattacks can have on an institution. Some in the AV world (particularly those of us who are in education) may still believe that the education industry is not a valuable target. However, according to an Emsisoft report, 62 school districts and 26 colleges and universities were impacted by ransomware in 2021. An attack on Baltimore County Public Schools cost the district almost $10 million to recover.
Ransomware attacks tend to be a concern of the “computing” side of our IT department, but the AV departments still need to be aware. Rooms with podium computers are particularly vulnerable, as they are open to a wide variety of people. A virus or ransomware on a podium machine would spread quickly across a network. Additionally, many AV teams are customer-focused and may butt heads with their own security teams (whom we view as making it difficult for our customers to do their jobs). This may lead the AV team to do things that subvert security, like making users admins on machines or creating generic logins and sharing the passwords. Both of these actions significantly increase the vulnerability of the network.
Ransomware is a clear play to make money. You pay the ransom, and they unlock your systems. However, there are also bad actors whose goal is simply to interrupt and cause problems. Considering world events, nation-state actors are significant perpetrators of these attacks. They simply want to create havoc and disruption rather than make money. This is where the AV world clearly is a vector for this behavior. We have AV in every classroom, every meeting room, hundreds of offices and many other public spaces. If an attack is set against these systems, it could clearly shut down the main educational function of any college. Consider what happens if technology in all classrooms and meeting rooms stopped working tomorrow. Our modern college classes could not function without this technology. Faculty would need weeks to rework their material in order to deliver it to their students, and even then they would be delivering a sub-par teaching performance.
There is no doubt that if such an attack lasted for a couple of weeks, an institution could suffer a fatal financial failure, as Lincoln College did. This is even more so for colleges that offer remote learning. Creating this type of attack is fairly easy these days, and not only do you need to worry about a nation-state, but a student or disgruntled employee in your institution could also easily create such an attack. The dark web offers services for hire to attack networks with Denial of Service (DoS) attacks. I believe that a DoS attack is probably the largest risk for AV organizations in schools. In a recent talk with the Help Desk Institute, a representative from the FBI pointed out that it is not a question of if you will be attacked; it is when.
While the attacks are very hard to stop and prevent, there are things you can do. The first is to make sure that none of your devices are available on the public internet. This includes Network Address Translation. NAT allows a router to take public internet traffic and route it to an internal device. When you see videos of people hacking into cameras inside of people’s homes, this is what is happening. Those devices are behind a modem and a router. They don’t have public internet addresses, and yet, they can be reached. You will need to work with your network team to be sure NAT is turned off.
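One way to check the exposure described above with your network team, as an added example that is not part of the original article: it scans a router's NAT rules for inbound forwards that point at AV devices. The `iptables-save` style rule text, the addresses and the AV subnets are all constructed assumptions; a different router would need its own rule export parsed.

```python
import ipaddress
import re

# Constructed sample: `iptables-save -t nat` style output from a hypothetical
# campus edge router. Addresses and ports are made up for illustration.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.20.5.14:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 554 -j DNAT --to-destination 10.20.6.40:554
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.1.10:443
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT
"""

# Assumed AV address space (hypothetical): classroom controllers and cameras.
AV_SUBNETS = [ipaddress.ip_network("10.20.5.0/24"),
              ipaddress.ip_network("10.20.6.0/24")]

DNAT_RE = re.compile(r"-j DNAT\b.*--to-destination\s+(\d+\.\d+\.\d+\.\d+)(?::(\d+))?")
DPORT_RE = re.compile(r"--dport\s+(\S+)")


def exposed_av_devices(rules_text, av_subnets):
    """Return (internal_ip, internal_port, public_port) for every inbound
    DNAT rule whose target lies inside one of the AV subnets."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # skip table headers, chain policies and COMMIT
        m = DNAT_RE.search(line)
        if not m:
            continue  # e.g. MASQUERADE, which only rewrites outbound sources
        target = ipaddress.ip_address(m.group(1))
        if any(target in net for net in av_subnets):
            dport = DPORT_RE.search(line)
            findings.append((str(target), m.group(2),
                             dport.group(1) if dport else None))
    return findings


if __name__ == "__main__":
    for ip, port, public in exposed_av_devices(SAMPLE_NAT_RULES, AV_SUBNETS):
        print(f"AV device {ip}:{port} is reachable from outside on port {public}")
```

Each finding is a forward to raise with the network team; the outbound MASQUERADE rule is not flagged because it does not let outside traffic reach an internal device.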
Second, you need to be prepared to block internal attacks. This is both easier to stop and more difficult to prevent. It is easier to stop in the sense that your network team should have tools available to them to quickly isolate which device(s) are launching the attack internally. This could be as crude as shutting down network segments one at a time until the attack stops. It is more difficult to prevent because higher ed institutions typically have networks that allow many devices not owned by the institution to be on the network. Additionally, most schools have some type of access for guests (i.e., the public). This is a situation in which you must work with your network team to discuss the best ways to isolate your devices from other devices on the network. AV presents a problem in this area because much of what we do involves bringing in multiple sources. If you have polling software, modern audio reinforcement software or wireless presentation capabilities, all of these require devices to be on your network.
What the Lincoln College story teaches us is that higher ed is not out of the view of money seekers (ransomware), which means that it is also not out of the view of bad actors simply seeking to disrupt. It also tells us that many schools are in a Catch-22 situation. Schools with fewer resources are an easier target, because they may be easier to attack (they use fewer resources on defense). That means these schools are the ones that need to use more resources to protect themselves; they are also the institutions more likely to suffer the consequences of an attack. AV teams in higher ed must communicate with their colleagues and share tips and resources. They must have great relationships with their vendors and manufacturers to understand options and configurations for their systems. Finally, they must build very close friendships and relationships with their network and security teams. In a short period of time, possible cyberattacks on AV systems went from a potential annoyance to a devastating ending, as Lincoln College experienced. We must take it seriously.