Cybersecurity and Physical Security

A playbook for managing the myths and facts of cyberthreats

No utility wants its name in national headlines linked to a cyberattack, especially when the news is wrong.
Burlington Electric Department in Vermont found itself in this situation in December after the Washington Post ran an article titled, "Russian hackers penetrated U.S. electricity grid through a utility in Vermont." Other news outlets rapidly picked up the story — it spread around the country in minutes. But no media outlets bothered to call BED to verify the information.

On Dec. 29, the Department of Homeland Security issued a national alert about IP addresses and malware code used in Grizzly Steppe — a Russian campaign linked to recent hacks. The Electricity Subsector Coordinating Council and American Public Power Association helped to distribute the alert.

Burlington responded immediately. "We acted quickly to scan all computers in our system for the malware signature. We detected suspicious internet traffic in a single Burlington Electric Department computer not connected to our organization's grid systems," BED General Manager Neale Lunderville noted in a message posted on the utility's website.

The Washington Post was the first news outlet to report the discovery on Dec. 31. The newspaper later posted a note that the earlier version of the story was incorrect — there was no indication of a hack penetrating the U.S. electric grid. On Jan. 2, the Post reported that as federal officials investigated the suspicious internet activity, they found evidence that the incident was not tied to any Russian government effort to target or hack the utility. All public power utilities can learn from Burlington's experience with this incident.

Lesson #1: Communicate with the federal government
Burlington Electric Department moved quickly to isolate a single laptop on which the suspicious traffic was detected and report the discovery to the federal government. Cybersecurity requires honoring the industry-government partnership in place to share information through appropriate channels.

Lesson #2: Set the record straight
Burlington Electric Department wasted no time in setting the record straight. "We want our community to know that there is no indication that either our electric grid or customer information has been compromised," the utility said in a Dec. 31 statement. The utility also spoke to the Post to get the initial story corrected.

Lesson #3: Reach out to customers and community
Burlington Electric made sure that its customers and community were kept up to date early and often on the situation through multiple channels, including web and social media. Lunderville and his team leveraged the utility's website to provide details on the incident.

Lesson #4: Detail ongoing cybersecurity efforts
As details of the incident unfolded, the public power utility underscored the fact that it takes the issue of cybersecurity seriously and routinely assesses its systems for vulnerabilities with assistance from outside experts. All utilities should follow Burlington Electric Department's example and ensure that their cybersecurity efforts take priority.