State says no systems were compromised in cyberattack

The state of Nevada on Tuesday issued a statement on the widely reported compromise of SolarWinds Orion software along with advice and information for consumers.

The state continues to work with the federal government and private industry in response to the SolarWinds attack. To date, there is no indication that any state systems or websites have been compromised, and no known attacks from this incident have been directed toward individuals. This is still a rapidly evolving investigation, and as the state learns more, the status might change. It could take a substantial amount of time to have a complete picture of the effects of the attack.

“Even though there has been no known impact on state systems, we are taking this situation very seriously and want to notify the public about it so they can take appropriate steps to protect themselves and so they know how the state is responding,” said Alan Cunningham, chief information officer for the state of Nevada.

Nevadans might want to consider following common practices as a normal course of action to protect their information and online identities, including keeping security software relevant, ensure they are using strong passwords and not using the same password for multiple sites.

Residents are advised to change passwords immediately if a government site or business in which they have an account is identified in a hack or breach, and they should take advantage of sites that offer two-factor or multi-factor identification.

Bank accounts should be monitored for missing deposits or unexplained withdrawals, and consumers should be alert for scams, whether through email, texting, social media or over the phone. A good resource is the Federal Trade Commission’s Consumer Information site at https://www.consumer.ftc.gov/

Nevada does use SolarWinds Orion products in the state enterprise environment and at several agencies. All of those systems were taken offline on Monday, Dec. 14, consistent with guidance from the federal Cybersecurity and Infrastructure Security Agency to federal civilian agencies. When they are put back into service, it will be done in accordance with CISA guidance and with continued monitoring. The state has reviewed communications traffic back through the beginning of the year and found no indication of compromise for any agency or system within the state’s IT infrastructure.

The state continues to monitor its systems for any indications of compromise and engage regularly with CISA, the Multi-State Information Sharing and Analysis Center and IT business partners.