
Rapid City SD – When the screens go dark at the county auditor’s office and property lien payments grind to a halt, the disruption feels entirely local. But behind the public-facing “closed” signs, the response to the Pennington County network breach has escalated far beyond municipal IT departments.
The cyber incident affecting Pennington County remains an active situation. County officials have stated that staff, working alongside state and federal partners, are continuing to investigate the cybersecurity incident while taking steps to secure county systems and protect data.
While critical public safety operations like 911 dispatch, the Pennington County Jail, and the Care Campus remain fully operational, major administrative services are still heavily restricted. The Auditor’s Office, for example, is presently unable to process lien payments.
The situation has grown serious enough that the City of Rapid City has initiated an extensive review of its own networks out of an abundance of caution, as the city and county share some infrastructure.
County officials confirmed they are working in tandem with a triad of specialized forces: the South Dakota National Guard Cyber Incident Response Team, the South Dakota Fusion Center, and the Cybersecurity and Infrastructure Security Agency (CISA).
The county maintains a strict public silence, stating they are unable to comment on specific details in order to protect the integrity of the ongoing investigation. However, understanding the specific mandates of these three agencies reveals exactly what is happening inside the county’s digital war room.
The Ground Infantry: South Dakota National Guard Cyber Incident Response Team
When a municipal network is compromised, the National Guard’s cyber elements operate as the digital infantry. Deployed under state authority, these highly specialized defensive units are not there to fix a standard software glitch; they are called in to secure breached infrastructure.
Behind closed doors, Guard cyber specialists conduct emergency network terrain audits. They hunt for the initial point of entry and attempt to quarantine the infection before it spreads further.
Their immediate objective is tactical containment: isolating compromised servers so local IT staff can safely begin the arduous process of rebuilding databases without the threat of a secondary attack.
The Intelligence Broker: South Dakota Fusion Center
While the National Guard secures the perimeter, the South Dakota Fusion Center acts as the critical intelligence hub.
The Fusion Center is a collaborative task force designed to aggregate and disseminate threat intelligence across local, state, and federal law enforcement.
In a localized cyber crisis, the Fusion Center is the bridge. They take the raw digital forensics recovered by the Guard’s units on the ground and run those digital fingerprints against known cybercriminal syndicates and ransomware groups.
Simultaneously, they funnel high-level federal intelligence down to county officials to help them understand the scope and sophistication of the threat actors currently occupying their network.
The Federal Partner: Cybersecurity and Infrastructure Security Agency (CISA)
Operating as the nation’s risk advisor, CISA brings the weight of the federal government’s cybersecurity apparatus to Rapid City. CISA does not take over the local jurisdiction; rather, they provide advanced analytical support and a “whole-of-nation” perspective.
If the National Guard finds a specific strain of malware or a newly exploited vulnerability within Pennington County’s systems, CISA analyzes that data to determine if the attack is an isolated incident or part of a coordinated national campaign targeting other local governments.
CISA has made no public statement on the Pennington County incident specifically, consistent with its posture during active local investigations — but the intelligence extracted here will ultimately inform how the agency helps secure municipalities nationwide against similar exploits.
The Path to Reconstruction
The recovery process is not as simple as flipping a switch. Rebuilding a compromised municipal network requires close coordination between these three entities.
The National Guard must successfully purge the threat actors from the environment.
The Fusion Center must verify that the attackers have not left hidden backdoors.
Finally, under CISA’s guidance on system architecture, the county must reconstruct its databases — either by restoring from isolated backups or rebuilding from scratch — before they can safely reconnect their public-facing portals to the web.
Until that coordinated mission is complete, the county will remain locked down, and the public will be left waiting in the dark.
Leave a Reply