The Bucks County Emergency Services Center CAD system spent nine days offline last month after hackers crashed it. Delaware County had a security breach in 2020. Hackers targeted the Aliquippa Water Authority in western Pennsylvania in November and disabled pressure monitoring equipment.
And over the weekend, Pennsylvania’s court system was hit with a disabling cyber attack.
In response to these and other threats to public agencies, the Senate Communications and Technology Committee and Senate Local Government Committee met with representatives of municipal governments, industry, and academia last week to discuss threats to vital systems and infrastructure.
“An unfortunate reality of our world is that no organization is immune to a cyberattack,” said Sen. Tracy Pennycuick (R-Montgomery/Berks), who chairs the Communications and Technology Committee. “The havoc and serious damage that these incursions can have on local governments, public authorities, and the people they serve are not only disruptive but also present a direct threat to public safety.”
Sen. Frank Farry (R-Bucks), who also serves as fire chief of the Langhorne-Middletown Fire Company, said the Bucks County CAD system automatically dispenses first responders to addressees.
“Our dispatchers literally had to do it manually,” said Farry. “They did a fantastic job.” But it was not as fast as the CAD system and also impacted record-keeping, he said.
Executive Director of IT and Chief Information Officer for York County, Joe Sassano, said the County Commissioners Association of Pennsylvania (CCAP) is working with counties to address the growing threat.
“In York County, cybersecurity needs have driven most of our IT-related projects and, subsequently, most of our IT budget for the last several years,” Sassano said. “CCAP, counties, other local government organizations, and state agencies are already working together closely to improve security definitions and implement vital cybersecurity initiatives, conducting reoccurring quarterly meetings, an annual cybersecurity conference, security resources, and other projects.”
“The weak spot, we found, is the human element,” said John Berti of the Pennsylvania Municipal Authorities Association and the Wyoming Valley Sanitary Authority. Wyoming Valley implemented a “KnowBe4” security awareness service to help employees prevent email cyberattacks, he said.
Unisys, a corporation based in Blue Bell that provides security consulting services, sent two representatives to the hearing.
Unisys Regional Director John Alwine said many counties, cities, and other municipal entities “have learned the cost of not doing cyber security” and then trying to do damage control.
“The legislature and administration must seek out increased coordination amongst state IT users, foster greater recognition of security risks for state agencies, hold government IT leaders accountable in establishing a security path forward, and provide the resources necessary to implement such a strategy,” Alwine said.
Unisys Managing Principal Clifford Shier said, “There is a need for a statewide baseline.” The state, counties, and municipalities are all connected, as well as various vendors that log into systems.
Also, entities need to know what they have.
“Identification of what you have is key,” said Shier. He has “heard many times (someone) didn’t know this end-of-life piece of equipment is on (their) network or where (their) data was.”
Because protection may not be perfect and hackers, including hostile governments like Iran, try to break in, they must also plan for recovery.
“There will be a time you need to recover,” said Shier. “Don’t get rid of backups.”
Alwine said, “We need to develop a plan, fund it, execute it, and update it on a continual basis.”
Sen. Tim Kearney (D-Delaware), minority chair of the Local Government Committee, said, “It’s important for our communities to stay on top of this issue.”
“It’s going to require people to agree to the baseline (of security measures),” he said, and called on people to work together on the issue for the “public good.”
“Somebody in York County might have an effect in Delaware County. We, as a society, have trouble with that. My county had a security breach, ransomware. They had insurance for it. They tried to keep it as quiet as possible. Nobody wants to talk about it,” Kearney said.
The Communications and Technology Committee recently approved a bill to protect information on state-owned devices from downloading and using TikTok. The full Senate passed that bill.