SIOUX FALLS, S.D. (KELO) — The cyber-attack on the Colonial Pipeline, the largest gasoline pipeline in the U.S., led to gasoline shortages across the eastern and southeastern United States. It took the pipeline, which supplies 45% of the gasoline consumed on the east coast, eight days to resume operations after being crippled by the May 7 ransomware attack.
This attack has highlighted the importance of cyber-security in guarding critical infrastructure, and draws to mind other similar attacks including a 2013 Iranian cyber-attack on a New York dam and a February 2021 incident in which a hacker attempted to poison the water supply in a Florida town by briefly increasing the amount of sodium hydroxide added during treatment.
Such attacks prompted KELOLAND News to take a look at the measures protecting critical infrastructure in South Dakota.
What is critical infrastructure?
“Critical infrastructure includes the vast network of highways, connecting bridges and tunnels, railways, utilities and buildings necessary to maintain normalcy in daily life. Transportation, commerce, clean water and electricity all rely on these vital systems.”U.S. Department of Homeland Security
When looking at this list of infrastructure, clear examples of systems relying on technology stand out including dams, power plants and water treatment centers.
According to South Dakota’s 2021 Infrastructure Report Card, the state has 90 high-hazard dams, will require $730 million in drinking water infrastructure needs in the next 20 years and experienced 162 power outages between 2008 and 2017.
On the Missouri River, South Dakota houses four major dams; the Gavin’s Point Dam at Yankton, the Fort Randall Dam, the Big Bend Dam near Fort Thompson and the Oahe Dam north of Pierre.
Combined, these four dams hold a storage capacity of 30,803,000 acre-feet of water. Lake Oahe alone is the fourth largest reservoir in the U.S. Together, these dams can generate a maximum output of 1,732,650 kilowatts of energy.
An official from the U.S. Army Corps of Engineers spoke briefly on the matter of cyber security, telling KELOLAND News in a statement that “cybersecurity is part of our dam safety initiatives and not providing specific details on those is an among our Operational Security measures.”
Wind energy is another major source of power generation in South Dakota. According to the South Dakota Public Utilities Commission, wind projects in the state produce more than 1,837 megawatts of power, or 1,837,000 kilowatts.
The SD PUC lists 20 main wind farms within the state and mentions smaller projects in the areas of Chamberlain, Howard, Gary, Canova, Carthage, Oaklane Colony and Rosebud.
In terms of power generation, over 80% of South Dakota’s electricity in 2020 came from hydro and wind power.
Due to the share of power created by wind and hydro, any interruption to the generation process could lead to major problems. Beyond supply issues, damage caused by an uncontrolled release of water from one or more of the Missouri River reservoirs could be catastrophic.
Cyber security in South Dakota
So how does South Dakota’s cyber security stand up to the threat of such attacks?
In short, we don’t know.
KELOLAND News reached out to the South Dakota Office of Homeland Security and received a response via Tony Mangan, the Public Information Officer for the Department of Public Safety (DPS). Mangan told us at the time that he was not able to discuss security, and later provided us with the following statement:
“The official response from the Department of Public Safety and its Office of Homeland Security is that it is the department policy not to discuss security issues.”South Dakota Department of Public Safety
After further prompting, Mangan explained that while there are many ways in which the DPS works to protect the people of South Dakota, they do not discuss specific tactics or practices.
KELOLAND News also reached out to the Governor’s Office to ask about Gov. Kristi Noem’s concerns about vulnerable critical infrastructure in South Dakota and what measures are in place to prevent attacks such as that directed at the Colonial Pipeline.
We received this response from Noem’s communications director Ian Fury:
“The attack on the pipeline highlights how critical cybersecurity is today in all organizations, especially those that citizens rely on for the daily staples of life. Cyber-attacks are not always focused on stealing personal information. We are seeing more attacks on critical infrastructure and industry-focused attacks that disrupt supply chains.
Governor Noem has prioritized strengthening South Dakota’s cyber security, which is why she worked with the legislature to invest $10 million in the BRITTLE fund this year. There’s more work to be done, but thanks to our partnership with Dakota State University, South Dakota continues to lead the way in improving our cyber security. “Ian Fury, Office of the Governor
BRITTLE refers to House Bill 1281, a bill that would allocate $10 million to “replace or update applications and programs that are difficult or costly to fix or that have a propensity to fail regularly, as well as to improve digital access to state agency information for the public.”
The fund would be managed by the Bureau of Information and Telecommunications.
HB 1281 was tabled on March 3, 2021. KELOLAND News has reached out to Fury, asking if the tabling of the bill has affected funding.
“The funding for BRITTLE, also known as the State IT Modernization Fund, passed in the General Appropriations Act for fiscal year 2021, SB 64.”Ian Fury, Office of the Governor
We also asked whether the state contracts out for cyber security, what elements of critical infrastructure the state is responsible for protecting and whether there have been any notable cyber security breaches or attempted breaches. Fury provided us with the following statement from Jeff Clines, Commissioner of the Bureau of Information & Telecommunications (BIT):
“BIT has a dedicated Cybersecurity team that works with state government on the protection of state information and systems. BIT is responsible for securing State Networks, systems, applications, and protecting state data. BIT does not have responsibility over monitoring or securing private utility providers. BIT Defends the state networks and systems from millions of cyber attacks per day, and billions per year. We have had no notable breaches that have impacted state systems or data, which we would consider a huge victory.”Jeff Clines, Bureau of Information & Telecommunications
In a disclosure published on Open SD, South Dakota’s transparency website, KELOLAND News found one contract relating to cyber security with the Bureau of Information and Telecommunications. The contract, worth $33,500, is dated November 2020, and is for cyber security training from Riverside Technologies Inc., a North Sioux City, South Dakota-based company.