Innovative Solutions for Local Governments Against Cyber Attacks

South Dakota’s Local Governments need protection from the most common cyber attacks!

In South Dakota and across the country, cyberattacks targeting local governments have grown exponentially in the last few years. Local governments are among the highest value targets for hackers due to the critical infrastructure and public services they must provide without interruption, along with the highly sensitive citizen data stored on their information technology (IT) networks.

The threat of cyberattacks on South Dakota’s local governments and the public they serve is real. The potential impacts of a successful attack are immeasurable. The 452 Members of the South Dakota Public Assurance Alliance (SDPAA) comprise 85% of the cities, counties, and other local governments in South Dakota. Over the last two years, at least four SDPAA-Member cities and counties have been the victims of a major cyberattack. Many others have fallen victim to other cyber incidents. These local governments paid thousands or even hundreds of thousands of dollars to remediate the risk to their IT networks so they could continue serving the public. A recent attack on a South Dakota county’s IT network left the county unable to share vital system information among the first responders serving that county, several municipalities within that county, several local schools, and the State of South Dakota. For several weeks this cyberattack greatly impeded all first responder efforts in this region of the state, potentially affecting thousands of people who rely on the rapid deployment of such essential services when needed.

A recent cyberattack on a city in Florida similar in size to many cities in South Dakota demonstrated the life-threatening nature of such attacks when the IT network of its wastewater treatment plant was penetrated. The attack maliciously instructed the treatment plant’s IT network to raise certain chemical concentrations in the public drinking water, which would have exposed thousands of people to possible poisoning or even death. Fortunately, the attack was thwarted by last-minute human intervention.

To help mitigate cyber threats to the local governments of South Dakota, the SDPAA reached out to Dakota State University (DSU) for assistance. DSU has been providing expert cyber forensic services to all local law enforcement for the past several years. DSU enthusiastically agreed to extend its Project Boundary Fence program’s cyber assessment services to all local governments in South Dakota. Since April of 2020, DSU has been providing free cyber security assessments including penetration testing, social engineering awareness, vulnerability assessments, and more to all local governments in South Dakota. These assessments identify risk factors and possible attack vectors for these local governments’ IT systems, then recommend possible solutions. To date, over one hundred local governments have enrolled in the program.

The testing through DSU’s Project Boundary Fence program has confirmed that a local government’s email is the most likely cyberattack vector and comprises 90% of the overall risk. South Dakota’s local governments have over 13,000 employees, vendors, and others who use their local governments’ IT networks through a wide range of email systems. Any one of these “end users” could accidentally click on a phishing email or the like and expose the entire system to a ransomware attack or other attack on the local government’s IT network. A ransomware attack will infect a system and render it inoperable unless an exorbitant ransom is paid. The attack will also acquire and “freeze” more sensitive citizen data and then threaten to release it unless that ransom is paid. These cyberattacks could mimic the cyberattack on the local Florida wastewater system or inflict other unimaginable harms.

Solutions must be identified to protect South Dakota’s local governments and the public they serve from cyberattacks. Key cybersecurity initiatives should include:

  1. Reliable backup systems for every local government.
  2. Installation and implementation of endpoint protection (anti-malware) to protect against viruses and the like.
  3. Centralized administrator role with IT professionals only for any IT networks, especially email systems.
  4. State-wide software licensing program with regular software patches and device upgrades to protect systems from known vulnerabilities.
  5. Strong passwords and multi-factor authentication (MFA) for access to any IT networks.
  6. Physical security of servers and equipment.
  7. Secure wireless networks.
  8. Security awareness training to bolster the “human firewall.”
  9. Phasing out legacy software and systems.
  10. Control over third-party access, such as vendors.
  11. Additional validations and controls regarding electronic payments and other sensitive areas.
  12. A cyber incident response plan developed by each local government.

A global solution incorporating most of these key cybersecurity initiatives would be the development and implementation of a centralized email system for all local governments like the K-12 Data Center. In 1999, the “K-12 Data Center” was created for South Dakota’s local school districts and their 130,000 end users by the South Dakota Department of Education. These end users include teachers, administrators, and students. The K-12 Data Center hosts a centralized email system and data backup which provides uniform security protocols for all end users with requisite secure email software and timely security patches for all system software. This centralized system is administered by a team of IT and cyber experts at DSU. The K-12 Data Center has proven very successful and cost-effective in protecting our local school districts and their end users from cyberattacks for the last two decades. The annual operating cost for this system is slightly over $1M to benefit 130,000 end users. Experts believe this same system should be created and implemented for the other local governments of South Dakota. DSU is willing to assist in this effort. Another key initiative would be a consolidated statewide security operations center with a cyber incident response team ready to remediate a local government’s IT network from a cyberattack at a moment’s notice.

With the cyber threat landscape changing rapidly, it is critical that local government entities of every size across the state be proactive and take necessary steps to protect themselves and their technology resources. Those resources are important enablers in providing crucial services to the citizens of local entities, and in many cases, the loss of a single critical technology resource can completely disable a mission-critical service. No one wants that to happen. Taking steps now to reduce cybersecurity risk can pay huge dividends in reducing the likelihood and impact of an attack in the future.

Respectfully Submitted By:

Gregory Dias, CGCIO, CISSP, Director, Lawrence County Information Systems & Technology

Laurie Wager, Director, Pennington County Information Technology

Chad Ronshaugen, RAZTech, Inc., IT services provider for many SD municipalities

Yvonne Taylor, Executive Director, SD Municipal League

Kris Jacobsen, Executive Director, SD Associations of County Officials and County Commissioners

Dave Pfeifle, SDPAA Executive Director

Postscript: The Cybersecurity and Infrastructure Security Agency (CISA) is providing $1B in cybersecurity grants to state, local and tribal governments over the next four years. South Dakota will be eligible to receive an estimated $2M to $2.5M for FY2022 and an estimated $10M over four years. Local governments in South Dakota desperately need access to this money and the shared cybersecurity services that could be created from it. The CISA Notice of Funding Opportunity is due to be released by mid-August. The South Dakota Municipal League, the SD County Officials and SD County Commissioners Associations, the SD Police Chiefs Association, the SD Sheriffs’ Association, and the SD Public Assurance Alliance respectfully request the State be ready to respond in the affirmative when this CISA Notice is r