Securing water utilities a top priority for Vermont’s new cyber chief

John Toney, Vermont's new chief information security officer, said he's taking a proactive approach to securing the state's critical infrastructure.

John Toney, Vermont’s new chief information security officer, starts his day with threat intelligence briefs — reading, watching or listening to the latest cybersecurity news.

“My morning cup of coffee comes in the form of cyber threat intelligence,” Toney told StateScoop in a recent interview. “It really frames my approach of how I look at things during the day.”

Toney, a former Secret Service special agent, joined Vermont’s Agency of Digital Services last month, at a time when more sophisticated cyberattacks against state and local governments across the United States are on the rise, especially from foreign cybercriminals targeting critical infrastructure in rural communities, such as water facilities.

“Russia and Iran, they are picking random, rural, suburban water systems around the country, playing ‘Whac-A-Mole.’ We need to take that seriously,” Toney said.


Last month, a Russian hacking group disrupted operations at a wastewater treatment plant in Tipton, Indiana. The Biden administration issued a warning in March to state governments and industry leaders that local water systems and other critical infrastructure are especially vulnerable to cyberattacks.

“It’s no secret that everyone is facing increasing cybersecurity threats, including state government,” Vermont Gov. Phil Scott said about Toney’s appointment in April. “It’s critical we are vigilant and prepared, and John brings a wealth of experience to help lead our efforts.”

Proactive cybersecurity

Toney said he’ll take a proactive approach to finding security vulnerabilities throughout Vermont’s critical infrastructure sectors. For example, last week his team used Shodan, a tool that lets users search for internet-connected devices, to find every exposed water system in the state.

“We were able to find a firewall that was exposed and I was able to call the locality and say, ‘Hey, it looks secure, but we can still see it,’” said Toney, adding that he was relieved to only find one security flaw in his scan. “We didn’t see what I feared we would see, that all kinds of systems for water systems, whether it be a fluoride treatment, reverse osmosis or pipe systems would be exposed to the internet, and we were not finding those things. So that’s very good.”


Toney said he doesn’t mind if some of Vermont’s water facilities still use manual, analog systems.

“If there’s a person in the water system, flipping a switch or adding something, that’s beautiful,” he said. “The simplicity of the analog lights and defending something. If it works, and the water is safe and the communities are getting what they need, I’m all for it.”

After spending 10 years as a special agent with the U.S. Secret Service, specializing in network intrusion crimes and critical systems protection at the White House, U.S. Naval Observatory and Department of Homeland Security, Toney said he understands how to protect industrial control systems used by the critical infrastructure sectors and wants to coach Vermont municipalities on how to shore up their cyber protections.

In a separate statewide scan of local government websites in April, Toney said, he discovered a flaw in one municipality’s bill payment system that revealed user email addresses. He said he immediately called the mayor.

“I said, ‘Hey, this is just a courtesy call. There’s this concern I have,’ and the mayor was really receptive,” Toney said. “Anywhere we find new information like that, my team has a duty to warn, and if they don’t have the resources, see if we can follow up.”


Reducing redundancy

Toney said another of the big issues he’s focusing on is ensuring that Vermont is meeting security compliance standards set by the Cybersecurity and Infrastructure Security Agency.

“My first priority is working on some of these compliance issues to make sure that we’re accountable to the government’s and that we have the controls in place,” Toney said, adding that his team is automating certain functions to reduce redundancy. “What I want to spend more time on is security program building so my team can get back to security work rather than answering questionnaires and working with a client.”

Beyond improving operational efficiency, Toney said he also wants to reduce the state’s number of cybersecurity vendors.

“I want to consolidate the stack and have less tools, so everybody knows how to use the tools,” he said.


The new CISO said he’s also adjusting to the pace of the state’s procurement process.

“Vermont is very transparent, which I think is an excellent thing,” he said, “but it just means it takes longer to get some of the procurement things.”

Written by Sophia Fox-Sowell

Sophia Fox-Sowell reports on artificial intelligence, cybersecurity and government regulation for StateScoop. She was previously a multimedia producer for CNET, where her coverage focused on private sector innovation in food production, climate change and space through podcasts and video content. She earned her bachelor’s in anthropology at Wagner College and master’s in media innovation from Northeastern University.
