Cybersecurity threats faced by local governments and municipal authorities were the focus of a public hearing held last week by the state Senate Communications and Technology Committee, chaired by Sen. Tracy Pennycuick, R-24th Dist., and the Senate Local Government Committee, chaired by Sen. Rosemary M. Brown, R-40th Dist.
Recent cyberattacks targeting the Bucks County emergency dispatch system and the Aliquippa Water Authority highlight the vulnerability of Pennsylvania's more than 2,500 local governments and authorities.
"An unfortunate reality of our world is that no organization is immune to a cyberattack," Pennycuick said. "The havoc and serious damage that these incursions can have on local governments, public authorities and the people they serve are not only disruptive but also present a direct threat to public safety."
"We don't often think about cybersecurity until there is a news report of a breach or hack that caused serious disruptions. However, we should all be mindful of cybersecurity," Brown said. "Thankfully, there are individuals who prioritize infrastructure safety. Sen. Pennycuick and I held a joint committee hearing today and invited some of these experts to discuss cybersecurity safety within our municipalities."
One challenge is that more operations are run remotely over the internet, said Mai Abdelhakim of the University of Pittsburgh.
"Systems of operational technology traditionally used to operate in isolated networks that are disconnected from the global internet, but now they are increasingly utilizing internet connections often without having adequate cybersecurity measures," Abdelhakim said.
"Accordingly, adversarial attacks could come from local or geographically near locations or from anywhere in the world. Hence, integrating cyber-and-physical assets introduces unprecedented cybersecurity concerns."
Executive Director of IT and Chief Information Officer for York County Joe Sassano said the County Commissioners Association of Pennsylvania (CCAP) is working with counties to address the growing threat.
"In York County, cybersecurity needs have driven most of our IT-related projects and, subsequently, most of our IT budget for the last several years," Sassano said. "CCAP, counties, other local government organizations and state agencies are already working together closely to improve security definitions and implement vital cybersecurity initiatives, conducting reoccurring quarterly meetings, an annual cybersecurity conference, security resources and other projects."
"The weak spot, we found, is the human element," said John Berti of the Pennsylvania Municipal Authorities Association and the Wyoming Valley Sanitary Authority. He said Wyoming Valley implemented a "KnowBe4" security awareness service to help employees prevent cyberattacks through email.
Multifactor authentication was an emerging topic in state legislatures last year, said Susan Parnas Frederick of the National Conference of State Legislatures. Maryland and Utah passed multifactor requirements. Several states passed legislation addressing state agency cyber incident reporting requirements and Indiana and Washington passed bills establishing advisory boards to establish best cybersecurity practices.
Experts said that vulnerabilities in any system generally stem from three main sources: the network – including vulnerabilities in local and global networking protocols – the software – including vulnerabilities in software applications, operating systems and other programs – and the user – including users who do not follow best practices to ensure the security of the system.
Funding to help local governments prevent cyberattacks – and the more expensive demand for ransom payments that could follow – was also discussed.
The Jan. 23 incident that targeted Bucks County's emergency dispatch has been traced to a ransomware called "Akira." The attack didn't impact responses to emergency calls but did affect the use of cellphone apps for fire call notifications.
In the November hack of Aliquippa's water system, attackers were able to disable pressure monitoring equipment. Federal officials said the adversaries likely gained access to the system by exploiting weak or default passwords and internet connection.
"These incidents are a part of a growing trend and will only become more prevalent in the future," Pennycuick said. "Now is the time to take these threats seriously and work together to find a path to put the commonwealth on a better cybersecurity footing."
"I'm grateful that we were joined by many local government and cybersecurity leaders to discuss the successes and challenges facing municipalities throughout Pennsylvania," Brown said. "It will be an ongoing conversation and I look forward to working to create solutions to minimize cybersecurity issues within local government systems."
The joint panel also heard from representatives of the Pennsylvania State Association of Township Supervisors, the Pennsylvania State Association of Boroughs, the Pennsylvania Municipal League and information technology provider Unisys.