Meeting Details: The Automatic Data Processing Board (ADP) met in regular session on August 2, 2022, at 2 p.m. in the Appraisal Office at 231 Main Street, Suite 1A, Chardon, OH. Virtual access was available via MS Teams. The Agenda was provided in advance. This observer attended virtually.
Call to Order: Due to technical difficulties the meeting did not start until 2:15 p.m.
Board members present in person:
- Chuck Walder - Auditor/Chief Admin
- Joe Cattell - Engineer
- Scott Hildenbrand - Sheriff
- Celesta Mullins - Recorder
- Jim Flaiz - County Prosecutor
- Jim Dvorak - County Commissioner
- Tim Lennon - County Commissioner
- James Hickock - Treasurer
- Michelle Lane - Board of Elections
ADP Staff present in person:
- Frank Antenucci - Chief Deputy Admin, ADP
- Alan Keener - Chief Technology Officer, ADP
Others present in person:
- Gerry Morgan, County Administrator
- Adam Litke, Director, Board of Health
Virtual attendees included:
- Pam McMahan - Fiscal Office Manager
Minutes: Meeting minutes for April 12 and May 31 were approved.
I. Dragos Agreement - McFarland Wastewater Treatment Plant
In July, the ADP Board approved an agreement with Dragos Inc. for services from July 22, 2022 up to $49,000. Mr. Antenucci stated that 90% of services have been provided. Dragos will provide a report when they are complete. Deputy Chief Auditor Ron Leyde reported there had been a “hiccup” with the Wonderware data from McFarland Wastewater. They are working with Ron Kurzinger, Network Administrator for Water Resources, to determine why the data was corrupted.
Reviewer Note: Dragos was hired to prepare a schema of the McFarland Wastewater Plant’s systems after the Water Resources Department refused to produce this documentation.
II. Technology issues at new County Administration Building
Observer Note: Concerns about cell phone service, server security and key card access were also discussed at length in March. See LWV Geauga Observer Report for March 15, 2022.
Reviewer Note: Lack of cell phone service was cited by the Board of Elections (BOE) as a deficiency of the space in their March 31, 2022, letter to Secretary of State LaRose.
A. Lack of Cell Phone Service - Several county departments have moved into the new facility and are operating with very limited cell phone service.
- Alan Keener (ADP) stated a drawing is being prepared by an outside vendor for Donley’s (building contractor) regarding the lack of cell phone access. Donley’s will be working to get this done. They need 4 weeks to install once equipment is received. There will be devices on all floors to correct connectivity for all 4 major carriers.
- Prosecutor Flaiz asked the Sheriff if the radios had been tested and if they were working, even in the basement. Sheriff Hildenbrand confirmed they were working.
B. At-Risk Servers
- Servers are not physically secured - Building access is controlled by the Maintenance Department, which established a single block of key card users. This means that anyone with key card access to the building can access the spaces where sensitive servers and tech equipment are housed. It was noted (and not disputed) that cardboard is being used to keep the inside door to the servers open at all times.
- Inability to Partition Departmental Data - the ADP Board specified and requested cloud-based servers in the new office building as these are widely regarded as being more secure and can be easily partitioned to ensure access to data is appropriately controlled. The request was disregarded, and hard drive servers were installed. Currently, any user with access to a network server has access to ALL data, not just the data relevant to their department.
- Mr. Flaiz stated that this will be a huge problem.
Reviewer Note: The ADP Board specifies and approves technology for Geauga County entities and forwards their recommendations to the Board of County Commissioners (BOCC). The BOCC then decides whether and how to implement ADP recommendations.
C. Key cards and Keys - The access control server manages key card entry to the building and is currently accessible only to the Maintenance Department. ADP has no login credentials for this server.
- On Monday, August 1, the card access system was not functional for over an hour during the afternoon. Employees were unable to enter the building and those inside could not leave for fear they would not be able to re-enter. It was determined that Director of Maintenance, Mr. Glen Vernick, had removed access.
- Mr. Walder asked if there is a key back-up system in place.
- It was noted that some doors are hollow core and therefore cannot be properly secured.
- Mr. Flaiz opined that the Commissioners need to turn over control of the access control server to ADP.
- Mr. Walder stated that ADP has no access to the server in the new building, but even when that happens, it will be an issue since there is no way to partition. Mr. Leyde stated that he will look into the access issue.
- Adam Litke, Director of Geauga County Health District, noted that under state and federal (HIPAA) rules they must have a way to control access to their offices. He asked for a key card or fob system so that anyone opening a door can be documented, as required by law.
- Mr. Flaiz stated that he is getting a new system in his office. Mr. Walder stated that in his office they have key cards, as required by the State Auditor.
Observer Note: Geauga County Health District is located in the new Administration Building. The Prosecutor and Auditor offices are located on Chardon Square.
D. Cameras in the new Building - camera installation was discussed:
- Mr. Walder asked when the cameras will be going up in the new building. Per Ron Leyde, they are mostly installed, but some key components are on backorder, so they are not functioning yet. Mr. Walder clarified that this is not a security system because they are not being monitored.
- Mr. Flaiz stated that in the Prosecutor’s office they have 3 cameras that are monitored.
- The Board of Elections has cameras but no access. The Sheriff is going to look into this. Mr. Litke stated that in Lake County the Sheriff does this monitoring.
- Mr. Flaiz stated that the Commissioners need to decide who will monitor cameras.
- Mr. Lennon asked if there is a Sheriff’s room in the new building and was told that there was but that no one is stationed there at present.
III. Water Resources Department/McFarland Wastewater Treatment Plant
Reviewer Note: Prosecutor Flaiz has determined that ADP has authority over technology at the Water Resources Department, including control systems at the McFarland Wastewater Treatment Plant. To date, Water Resources has refused to give ADP access to their servers and the Board of County Commissioners has not compelled their compliance.
A. Cameras, continued: The focus turned to a camera placed in the McFarland Wastewater treatment plant by ADP. This discussion was long and contentious and covered some topics previously reported.
- Mr. Lennon inquired why the camera was installed in the plant without the approval of the plant operator, who is the person authorized by the EPA to oversee everything in this plant.
- Mr. Ron Leyde stated that ADP had installed a switch and, as is their usual process, they installed a camera to view this switch to make sure that there was no tampering with it. It was stated by several ADP employees that this camera is not working yet.
- Mr. Lennon stated that Bainbridge Police were investigating this camera, which Mr. Lennon said was pointed at the desk of the plant operator. Mr. Lennon stated that in the report it says that the Bainbridge Police talked with Mr. Frank Antenucci. Mr. Antenucci stated that no one had contacted him, that the camera has no feed as of yet and that to his knowledge it is pointed at the switch and not the operator’s desk.
- As part of this discussion it was stated, and not contradicted, that cameras purchased by Water Resources, and not vetted by ADP, were transmitting data to China. It appears that the passwords for the cameras were unchanged from the original passwords that came with them when they were built in China.
- It was also acknowledged that someone had hacked into the system.
- The camera discussion ended when Mr. Flaiz stated that this camera in the plant operator’s office was a non-issue since the camera was not on and, contrary to assertions that no one from McFarland Wastewater knew it was being installed, that there were numerous people in the room when the camera was installed – both from ADP and from McFarland.
B. Water Resources Department/McFarland Plant Shutdown: Discussion continued regarding the shutdown of the plant during the weekend of July 16/17.
- Mr. Walder stated that, contrary to assertions by Water Resources, monitoring by CrowdStrike could not have caused the shut-down since they had been monitoring since June 27 with no issues.
- Mr. Gerry Morgan (County Administrator and Sanitary Engineer) stated that ADP was lying and that no one had accused ADP of causing the problem.
- Mr. Walder referenced an email from Mr. Morgan that stated that there had been “a hostile takeover” by ADP.
- Mr. Morgan again stated in an agitated voice that Walder lied to the Board (presumably the ADP Board).
- Mr. Flaiz called for a pause and stated that he had reviewed the contract with Dragos which was set up to get to the bottom of what had happened at McFarland.
- Mr. Walder stated that it couldn’t have been password issues because when ADP got there Mr. Kurzinger (chief IT administrator for Water Resources) was already into the system. He noted that two hours before the shutdown the system had rebooted and that less than 2 hours later the process didn’t work. Something went awry following the reboot. He also stated that “as mysteriously as it occurred, it also miraculously got cured”. To this day the plant is running fine and CrowdStrike is also still running. He did say that data is corrupt, and they are hoping for an answer to why that is the case from the Dragos report.
C. Water Resources Department/IT Integration with ADP: Mr. Lennon asked if going forward ADP would be the tech support.
- Mr. Walder stated that it was supposed to be the case now, and that the turnover date from Water Resources to ADP was supposed to be when the new building was done. Mr. Walder further stated that pursuant to that agreement, ADP had changed passwords but as soon as the passwords were changed things started to happen. Mr. Walder again reiterated that this was not a hostile takeover but was planned.
- Mr. Flaiz said that the transition had not happened because Water Resources was not permitting it.
- Mr. Walder recommended allowing Dragos to complete their review and see what happened. He clarified that there is a difference between OT and IT and ADP only intends to oversee IT.
Observer Note: From an April 12, 2019, blog post:
“What is the difference between Information Technology (IT) and Operational Technology (OT)? In short, IT deals with information, while OT deals with machines. The former manages the flow of digital information (read: data), while the latter manages the operation of physical processes and the machinery used to carry them out.”
The meeting ended by coming back to the discussion of key cards. The discussion concluded with Mr. Morgan saying he would have Glen Vernick (Director of Maintenance) show Frank Antenucci the key card system the new building was using.
Meeting adjourned: at 3:45 p.m.
Next regular meeting: September 13, 2022, at 2 p.m.
More Information about ADP
ADP Minutes are posted online through May 31, 2022
Virtual Meeting Information: contact Pamela McMahan at pmcmahan@gcauditor.com
Observer: Gail Roussey
Reviewer: Shelly Lewis
Submitted 08/05/2022
Reviewed 08/08/2022
The League of Women Voters of Geauga is a 501(c)(3) nonpartisan political organization that encourages informed and active participation in government, works to increase understanding of major public policy issues, and influences public policy through education and advocacy. They do not support or oppose individual candidates or parties.