Cyberattacks are on the rise. Can critical infrastructure weather a ‘perfect storm’?

From Delco to Chesco and Montco to Bucks, what about life in Philly’s suburbs do you want WHYY News to cover? Let us know!

Cyberattacks on critical infrastructures, which manage crucial services, jumped 30% worldwide in 2023, according to a recent House Committee on Homeland Security data snapshot.

Health care, government and education have been a few of the most vulnerable public sectors to such threats. The holiday season only amplifies these threats as information technology staff goes on break and people lower their guard.

Whether it be ransomware paralyzing Bucks County’s 911 dispatch system or a denial of services attack hampering the Administrative Office of Pennsylvania Courts, there’s been no shortage of examples of such attacks in the greater Philadelphia region.

“The risk is 100% real. And unfortunately, the risk profile has been going up for over a decade and these sectors — like critical infrastructure, water, energy, electric and public schools — are things that are very vulnerable to cyberattacks because they don’t get enough funding,” said Leeza Garber, a cybersecurity and privacy lawyer and consultant.

Garber, who teaches information privacy law at Drexel University, believes the risks facing critical infrastructure aren’t getting enough attention.

“The cybersecurity risk that the public sector faces, including schools, is basically a perfect storm,” she said. “You have all of these different puzzle pieces, coming together to create an atmosphere of vulnerability and risk.”

Moody’s Ratings increased the cyber risk score for education institutions from “moderate” to “high” in 2024. According to the Cybersecurity and Infrastructure Security Agency, the technological gain at schools since the height of the COVID-19 pandemic has made learning more effective — and heightened the risks of a cyberattack.

It takes just one vulnerable entry point for hackers to force their way in.

“When you bring that back down to a more local level, whether it’s a school or a municipality government, those vulnerabilities are magnified, because not only do they have some of the same issues that these bigger companies have, but they also have legacy systems, they have very small budgets dedicated to cybersecurity and upgrading technology and then there’s a lack of education,” Garber said.

What can the public sector do to minimize the risks? Delaware County Intermediate Unit has some ideas

Khalid Ayyubov, chief information and technology officer for the Delaware County Intermediate Unit (DCIU), said investment is the key.

“We carry the responsibility of protecting the data of our students and data of our staff.

Therefore, that has to be part of a mindset of school leadership, when they make decisions on figuring out the budgets and figuring out additional funding to invest into proper protections,” Ayyubov said.

Cyberattacks can be financially damaging, legally challenging and devastating to school districts and their students, he said.

Ayyubov said local governments and education institutions should, at the very least, engage with an expert to receive a cybersecurity audit.

“Just like when you fix a car, right? You have to figure out what’s broken first before you fix it,” he said.

DCIU, a regional educational service agency, wants to set a standard in cyber protections.

“About two years back, we started developing cybersecurity programs to help school districts and other local government entities,” he said. “And one unique piece about our services is that they are very high quality and they are, compared to the competition, very low cost.”

The agency has simultaneously developed working relationships with major cybersecurity firms to work on cost-effective pricing models tailored to the area’s school districts, he said.

“On top of that, we developed additional services like a cybersecurity audit service, where our team of professionals would go into a district and perform a complete assessment of the district’s cybersecurity,” Ayyubov said.

He urged school district’s to evaluate their own needs and take advantage of DCIU’s network penetration testing, which is basically a simulated hacking attack.