Granite Geek: Cybersecurity for your sink and toilet is no laughing matter
Considering that he’s one of the state’s most important cybersecurity folks whose organization is helping to secure vital government facilities, there are times when Jason Sgro gives some unexpected advice.
“We’ve run into wastewater and drinking water facilities that don’t have any internet connection … and the recommendation is not to plug them into the internet,” he said.
Wait – not plug in?!?
“I’ll say, what for? You’ve already got good security. Just lock the door on the way out.”
After decades of hearing about the benefits of going online, it is startling to hear about the benefits of staying offline. But I have to say that it’s less startling these days, after endless reports about even the most sophisticated companies having their data stolen or being held for cyber-ransom, not to mention how small mistakes can cripple connected businesses globally, as we’ve seen in the CrowdStrike mess.
I talked to Sgro in his role as chair of the Overwatch Foundation, which has a state contract to spend federal money helping water and wastewater facilities protect themselves from hackers, and also to help state and local governments switch to the “dot-gov” domain that is harder to impersonate. Sgro is also a managing partner of the Atom Group, which helps coordinate the state’s response to cyberattacks.
Overwatch Foundation is winding up a six-month pilot project involving five aquatic facilities of various sizes and five domain changes. It is moving into the first year of the contract, with three more years of renewal possible. The work is free to the communities. The foundation, with a dozen employees based in Concord, will probably spend about $1 million annually for the dot-gov work, $1.2 million for water systems, Sgro said.
They’re concentrating on drinking water and wastewater plants partly because these are so important, partly because there is federal money available for securing them – New Hampshire loves spending federal money – and partly because these plants are often old. Their internet connection and SCADA software, which controls industrial processes, are often tacked on after the fact, leaving lots of gaps for bad guys to exploit.
“We’ve been in some places I never knew existed,” said Sgro, who as a Manchester West graduate is hardly a recent New Hampshire import. “We’ve run into people where they’re the water system operator but they’re also the town’s plow driver, they cut the grass at the cemetery on the weekends. These are people that are tremendously dedicated to their communities. … I say, we’d like to come see what you’ve got and we hear: ‘Come on over, we’re here every day.’ ”
While Overwatch Foundation may advise smaller facilities to stay offline, at least until they can install necessary safeguards to go online safely, he isn’t telling connected sites to unplug their router and return to paper-and-pencil operations. That’s not feasible for reasons of employment, cost and technical complexity.
Instead, the group is moving cybersecurity up from the bottom of most operational priority lists, responding to increasing concern about hacking attacks from other governments or criminal groups.
“What we’re really doing is using best practices for cybersecurity and applying them to critical infrastructure,” he said.
Part of the complication is that SCADA systems are so expensive. Cities and towns can’t cough up millions to replace them with more secure versions. “They can’t just upgrade, so we focus on the outer wall” of software and employee practices, working with everything from personal devices to firewalls. “Updating is important. A firewall that is three years old is fundamentally broken,” he said.
“We need to keep out not just a few hackers but, say, the Chinese government. This is a real problem.”
To an extent, the problem comes from the way the internet was built. Security was on nobody’s mind in the days of Archie and Usenet and Lynx and other long-gone systems, as we all cried “Information wants to be free!” and lusted after 1200-baud modems. The only thing that mattered was making it easy for everybody to connect to everybody else.
It didn’t seem to occur to us that conmen and thieves and villains would take so much advantage of the openness. We’ve been trying to fix that oversight ever since.
Those repairs can be a pain – I hate passwords as much as you do – and they’re expensive, but if they help keep our water flowing and our toilets working I think you’ll agree they’re worth it.
David Brooks can be reached at 603-369-3313.