What Happens if Pittsburgh is Targeted By a Cyberattack?

Issue Date: 
May 18, 2017

Moderator Matt Butkovic of CERT poses questions to four panelists, (left to right) Fred Hintermister, David J. Hickton, Matt LaVigna and Grant Ervin.

On a cold, December evening in Pittsburgh with heavy snow falling, house and streetlights suddenly begin to flicker. Online banking screens time out. Traffic lights begin to act erratically. Soon, area hospitals switch to backup power systems. Are all these items a coincidence? Or is Pittsburgh falling victim to a major cyberattack?

That was the scenario laid out at Cyburgh, PA — an all-day meeting on May 10 of academics, government representatives and members of the private sector. The event was sponsored by the Pittsburgh Technology Council and CERT, a division of Carnegie Mellon University’s Software Engineering Institute.

A four-member panel around the topic, “What Happens if Pittsburgh is the Target of a Major Cyberattack?” included David J. Hickton, director of Pitt’s Institute for Cyber Law, Policy, and Security.

So, how should Pittsburgh respond? “First, you identify the scope of the crisis,” Hickton advised. “Law enforcement can be left for later innings.”

Panelists added that it’s important all parties readily share information and that, ideally, they have preparations in place beforehand as much as possible.

“If we would have had the luxury of having meetings prior to the Three Mile Island accident, we would have been in a better place,” said panelist Fred Hintermister, manager of Electricity Information Sharing and Analysis Center at the North American Electric Reliability Corporation. He was referring to the 1979 incident at the Pennsylvania power plant, which caused a radioactive meltdown and the voluntary evacuation of about 140,000 people.

Incidents like that and Hurricane Katrina have led government and industry officials nationwide to conduct regular tabletop exercises and constantly strive to improve communication and coordination.

Several panelists mentioned the PA Region 13 Task Force, a group of emergency management representatives from 13 regional counties whose members meet regularly to prepare and plan for potential domestic terrorism.

Matt LaVigna, president of the National Cyber-Forensics and Training Alliance, called the organization “a well-oiled machine,” but he added that its cyber component is lacking.

Grant Ervin, chief resilience officer for the City of Pittsburgh, said the city has been beefing up its response capabilities, such as having a civil engineer on-call to provide community response to a disaster involving infrastructure, for example. 

In reacting to such attacks, panelists advised the audience not to wait and rely on the government to help them.

“The cavalry isn’t always called in to help industry,” said Hintermister. “Sometimes the arrow goes the other way.”

They also referred to a “Cyber 9/11” — a potential cybersecurity breach of huge proportions — and advised corporate representatives in the audience to plan and prepare for it.

In fact, just two days after the Cyburgh panel, the WannaCry ransomware attack froze computers in more than 100 countries, including computers in Britain’s health system. During the attack, hackers demanded users pay to regain control of their computers. That global emergency is one large-scale illustration of the need for plans against future cyberattacks, citywide and beyond.