Utilities not watching networks close enough, former officials say

As cities and other local government agencies connect more devices into their infrastructures, including the computer systems that run public utilities, cybersecurity awareness in non-technology agencies becomes of critical importance, two former government officials said last week.

Local governments are increasingly at risk of cyberattacks, such as ransomware, which can cripple citizen services or control systems for electricity, water or public transit. Government must safeguard those physical systems and educate all members of their organizations to do the same, said Pete Tseronis, the former chief technology officer for the U.S. Department of Energy and Department of Education.

The cybersecurity risk facing those physical systems is often higher than that of fully digital systems operated by local governments, he said at a meeting convened by the Control System Cyber Security Association International in Washington D.C. on Thursday.

“What’s in it for [chief information officers and CTOs] is that this is about mitigating risk to somebody’s life, whether they’re in a car, drinking water or in a pool,” Tseronis said.

Too often, he said, the cybersecurity of these systems is left untouched so long as they meet the minimum standards of consistently delivering service on time. Because agency officials are more concerned with service delivery than cybersecurity risk, he said, many potential problems are never addressed. Dave Jordan, the former chief information security officer of Arlington County, Virginia, said that attitude needs to change. 

“Basically, everybody has a cybersecurity component in their job. I don’t care what your job is,” Jordan said. “If everybody thinks about cyber in their work, that’s going to reduce the cost.”

This laissez-faire approach to cybersecurity in many local governments has positioned utility companies to be prime targets for hackers. A ransomware attack led one water utility in North Carolina last year to rebuild its entire computing infrastructure and caused a “catastrophic” amount of data loss. A report released last year from Connecticut Gov. Daniel Malloy’s office found the state’s utilities had “adequate” cybersecurity, but also said that “[internet of things] devices often fall outside of established, traditional vulnerability scanning and security patching procedures for computers and network devices.”

Tseronis, who spent eight years with the Education Department and seven with the Energy Department, said that he often spent time with agency leaders to ensure they understood IoT devices are more than just an analog switch or piece of equipment — they can connect to the internet and therefore pose a security risk.

“Know what’s in your environment, what you support, and just because it works, just because the light switch is on, doesn’t mean it’s the safest and most eloquent way of providing electricity,” Tseronis said.

Tseronis said he used to print out diagrams of the networking equipment for each building in the Department of Energy, coloring each device red when it was no longer supported by its vendor. When “98 percent” of the devices were colored in, he said, he was finally able to convince agency leaders to take action.

“While standards take a little bit of time, and we’re in an age of ‘buy something, deploy it and show that it works,’ my message is: [vendor] neutrality or not, you want to do technology due diligence,” he said.