On Thursday, Sept. 18, South Lyon schools opened back up after 3 days of closure, not from a weather event or outside threat, but from a new problem: a cyberattack.
South Lyon Community Schools’ phone and security camera systems were disrupted in what Scott Endicott, Director of Technology at Huron Valley Schools, called a “cybersecurity incident.” And although the event occurred almost a month ago, the investigation into it is still ongoing, according to Steven Archibald, superintendent for South Lyon Schools. Because of the ongoing nature of such an investigation, says Endicott, school districts are always advised not to release information to anyone aside from those involved legally (investigators, lawyers, etc.).
Most of what we do know has come from Archibald and his correspondence with families, administration, and news publications. “We currently have the inability to call in or to call out of a building,” Archibald said at a school board meeting, “which includes our E-911 notifications” (E-911, or Enhanced 911, is similar to ordinary 911 calls, but it typically allows the police department to see the caller’s phone number and location automatically). While school can still hypothetically take place without these systems, Archibald went on to explain that, in the event of an emergency, their ability to alert or coordinate students and staff would be severely hampered; thus, it wasn’t safe to operate school.
Leading the investigation is Michael Bouchard, the Oakland County Sheriff, alongside the cyber firm Arctic Wolf. So far, the investigation seems to point in the direction of a certain culprit; as said by Archibald, in correspondence with South Lyon families, “this incident was the result of a ransomware infection carried out by a well-known ransomware group.” He went on to say that there was no indication that the schools had been specifically targeted. He did not, however, name the group that the investigation pointed to.
This is largely the extent of the information released, much to the dismay of those who hold cybersecurity positions for nearby school districts; two such individuals include Gerry Perrett, Lead Technician at HVS for 26 years, and Austin Hunter, Media Service & Support Technician. They, with Endicott, protect our school district from similar threats, and while they reached out to South Lyon’s tech director to offer perspective and assistance, they were respectfully denied. “I’m dying to know what [the specific security issue] was,” said Endicott, “because we want to know if we have that vulnerability or not.”
No small effort is exerted by the districts to protect their digital assets. According to Perrett, Hunter, and Endicott, there exists a 28-page Incident Response Plan, well known to those in the field, complete with the names and phone numbers of people who would help to resolve the issue; many of the protocols within would only take effect in the case of a bad actor, meaning that South Lyon may have relied on such a thing after the attack. Michigan districts also receive a sort of list from a cybersecurity-in-education organization called MiSecure, which details safe cybersecurity actions to take as a district. One such rule is not to give out any unnecessary VPNs, and to make sure that any kept have multifactor authentication; said Endicott, “I don’t know if that’s what happened in South Lyon, but I imagine that they’ve closed the hole.”

But what about the Huron Valley School District? What protects our servers from the same fate as the South Lyon School District’s? The answer came in the form of an informative and specially prepared presentation, courtesy of Endicott. Aside from the same Incident Response Plan and protocols, Huron Valley approaches cybersecurity in terms of both the organization’s systems and people. When it comes to people, district members are prepared with cybersecurity videos, fake phishing emails, and staff training, as well as specialized, role-based training for, say, those who work in IT. Even administration gets in on the action, according to Endicott, who remarked about an upcoming “tabletop exercise” that HVS leaders would do with the state police.
In terms of systems, standard procedure includes the maintenance of multiple firewalls, as well as several weekly network penetration tests (in which outside technicians are allowed to try to hack our own servers in order to find and assess any security problems, sometimes by plugging a laptop right into them).
Similarly, HVS receives voluntary security audits from the Michigan Cyber Command Center (or MC3), an organization run by the Michigan State Police that specializes in cybercrime investigation and prevention. And, should the servers somehow be breached, each of them has immutable backups, which is to say that, even if all servers were ransomed or otherwise ‘died’, they have sealed-off backups.
There’s kind of a third aspect to the district’s cybersecurity: the students. Each student in Huron Valley Schools, even every elementary schooler, has an HVS email and account. Students are also, at least at Milford, lent small personal laptops for any and all digital schoolwork, plus an odd unblocked game or two. How, then, are so many individual computers, and so many individual accounts, kept secure? Well, aside from the mighty and inconvenient GoGuardian (which seems mostly tailored to keeping school laptops from running social media), Milford relies on a certain part of its Datacenter, a room that contains Milford’s servers, backups, and network technology. According to Endicott, Hunter, and Perrett, there exists a piece of hardware in the Datacenter that tracks all HVS computers that communicate with ‘dangerous’ sites (such as Russian or Chinese ones). Any computers flagged like this get confiscated, or even wiped, by school administrators, making it unwise to use a school device for non-school activities. However, a coming change will impact all students, not just flagged ones.
As a part of upcoming security measures, the passwords for all student accounts will be changed ‘in the next couple months’, potentially before the end of the calendar year. “We’re working on how to do that,” Endicott noted, “but just be aware that all student passwords are going to change.” While this has obviously yet to be implemented, it certainly appears to be planned for sooner rather than later. However, this raises several questions. Would seniors have to memorize a new password for one semester before graduating? Or elementary students, those who’ve only just memorized their current logins, if at all? It remains to be seen how this will be tackled, though it is undoubtedly something to keep an eye on going forward.
What can be seen, though, are the ramifications of a security breach, and that impact is still felt even now in South Lyon. Doubtless, future cybersecurity developments, even on the student end of things, are intended to keep the same thing from happening any closer to home.