Morgan: Water Resources IT Staff ‘Extremely Competent’
April 26, 2023 by Amy Patterson

County Admin Calls Out ‘Unfair’ Questioning of Hacking Response

A week after a meeting in which members of the Geauga County Automatic Data Processing board voted to bring the information technology systems of the Water Resources Department under its authority, County Administrator Gerry Morgan is hitting back on “unfair” treatment of GCDWR staff.

A cyber-attack originating in Russia took out a GCDWR email server early in the morning of April 12. Emergency ADP board meetings were held on both April 13 and 17 to address the issue.

It was the first meeting — a tense affair held in Geauga County Auditor Chuck Walder’s office — during which Morgan said members of the ADP board unfairly characterized GCDWR Network Administrator Mike Kurzinger and outside IT contractor Joe Camino, who owns CSJ Technologies Inc. in Mentor.

“I believe that Mr. Kurzinger and Mr. Camino are extremely competent in what they do,” Morgan said in an email interview with the Geauga County Maple Leaf. “I feel the treatment of Mr. Camino (a Geauga County resident, business owner and vendor to the county), who was at the (April 13) ADP meeting at the request of water resources to help answer technical questions regarding the setup of water resources system, was unfair.”

Camino, who said he has worked with GCDWR for 30 years, was questioned at that meeting by Walder and Geauga County Prosecutor Jim Flaiz about the state of the water resources server — which was running a 2012 operating system — prior to the attack.

Flaiz asked whether the system had been updated with the latest service patches, which came out about a month before the attack. Kurzinger said as far as his department knew, they were up to date, except for the latest patch.

“Was there any indication that their Exchange server might have had any vulnerabilities prior to this happening?” Flaiz asked Kurzinger and Camino.

“No,” Kurzinger said. “In 30 years, we haven’t had any issues.”

Flaiz asked whether any GCDWR vendors or partners had faced similar attacks in the past year. Camino said his company, whose servers operate independently of water resources, was attacked by ransomware in December 2022, an attack Walder said used the exact same webmail vulnerability as the attack on water resources.

“(We) took that server offline,” Camino said of his company’s response to their own ransomware attack, adding they moved to an updated Microsoft 365 Exchange server after the attack. “We hired some forensic guys, dealt with the ransom guys, and we paid the ransom and recovered our emails.”

Flaiz questioned whether CSJ Technologies servers were in direct contact with GCDWR servers, which Camino denied.

“What are these questions for? I mean it sounds like you guys are trying to find a link,” Camino asked Flaiz. “What does my servers have to do with what happened the other day?”

“You’re telling us your Exchange server was hacked in December and now theirs was hacked, and you’re asking what (it) has to do with that,” ADP Chief Deputy Administrator Frank Antenucci responded.

“You represented yourself as being their IT expert. The vulnerability exists because you’re running an Exchange server that’s not properly patched,” Walder added.

Camino said GCDWR had not yet moved to an updated server because a conversation in 2022 about upgrading stalled out over budget concerns.

Morgan characterized the exchange, which he said insinuated the attack on Camino’s business was somehow the cause of the attempted attack on the GCDWR system, as a “diversion.”

“When Mr. Camino’s business was attacked, he immediately notified water resources, not because the water resources’ system was the subject of the attack, but to provide water resources (his client) with information,” Morgan said. “Additionally, the water resources network was set up as a standalone system and has been operated as such since the water resources IT infrastructure has been in existence. It has only been within the last couple of years with the demand that water resources be under ADP authority and more specifically on the county network that the water resource system is no longer a standalone system.”

In his comments on the situation, Walder referenced concerns from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which considers the wastewater systems sector to be one of 16 critical infrastructure sectors “whose assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

Morgan said GCDWR requested a CISA review of its IT setup in June 2021 and CISA performed another review in August 2022 at the request of the ADP board.

“(GCDWR) even hired an outside company to attack the system to verify if there were any weaknesses,” he said. “CISA found the network to be in good shape and the third party was not able to get into the system or find any vulnerabilities.”

Morgan said there are only two water systems in the county where GCDWR treats water for public consumption and they are monitored daily as required. Both are run on systems separate from the IT system at the water resources office and all remain fully operational.

“A majority of the wastewater plants are stand-alone systems that have no connection to the water resource IT network or the county network,” he said, adding the water-wastewater alert system is managed via another system and the operators and management receive alerts via work cell phones.

In response to accusations from Flaiz during the April 17 meeting that water resources employees spread rumors the cyber-attack was not real, Morgan said he had not heard those rumors.

“There were questions, not just from water resources employees, as to what really happened since information on what occurred or what notices were received was not being provided,” he said. “Rumormongering is never good, whether it is spreading rumors or providing rumors about rumors spreading.”

Morgan said since that meeting, the GCDWR email system had been brought back online and water resources personnel were receiving emails.

At the time of the interview, Morgan said restoration of historical emails and calendars was still ongoing.

Brian Doering contributed to this story.