July 6, 2024 15 mins
You may not think about your local water, sewer, or electricity department when you think about hackers and cybersecurity problems. Unfortunately, federal officials say they're starting to see more and more of our utilities getting hit by cyber threats, often from hackers connected to places like Russia, Iran, and China. The Mass Cyber Center works with utilities, schools, businesses and government agencies to make sure they are protected against threats and train the next generation of cybersecurity professionals. Director John Petrozzelli returns to the show to detail these threats and talk about the resources in place to secure our systems.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:07):
From WBZ News Radio in Boston. This is New England Weekend. Each week
we come together right here talk about all the topics important to you and the
place where you live. It's so good to be back with you again this
week. I'm Nicole Davis. When you think about hackers and cybersecurity problems,
cyber attacks, stuff like that, you likely think about government offices, businesses,

(00:27):
or schools. You're probably not thinking about your local power greater water department.
Trouble is, the feds say they're starting to see more and more of
our utilities getting hit with cyber attacks, often from hackers connected to places like
Russia, China and Iran. I wanted to know how we around here in
Massachusetts are keeping ourselves and our utilities protected. I reached out to our friends

(00:48):
at the Mass Cyber Center. This is right up their alley. The director,
John Petrozzelli's been here before. We've talked about cybersecurity. You might have
heard that episode. He's back here now so we can get some education and
learn a bit about this. So thank you so much for your time.
You're a busy guy. Give us a bit of insight if you could,
about how these hackers in the first place are getting into our utilities. So
I want you to just outline, you know, in a utility system,

(01:11):
there's not only our IT systems that everybody would have at home or in the
office, but there's also the operational technology systems, and those are the industrial
control systems, and a lot of those are really hard to lock down because
they're based on in generally, generally they're based on older technology, and so

(01:34):
they might be protected and insulated by the IT systems that are in some of
these utilities, but it's a really difficult balance, and so when we look
at trying to protect it, the state and utilities have a very challenging task
of doing that in today's technology environment. But in the case of what the

(01:57):
state's doing, the state is regularly collaborating with utilities and with state and federal
authorities to protect our electricity and our water. And when I talk about water,
I'm talking about our public drinking water as well as wastewater, and they
do that interaction daily. For DEP, who is Mass Department of Environmental Protection,

(02:20):
they work with the water districts and the utilities to improve the cybersecurity of the
public water systems routinely, and they actually have developed the cybersecurity strategy to provide
information and tools to support systems cybersecurity efforts and try to mitigate those cyber threats.
Sometimes the infrastructure there needs a little bit of work to keep it up
to modern standards, but what exactly goes into protecting those utilities? Sure,

(02:45):
so I'm just going to use best practices. That's a cybersecurity and infrastructure a
security agency, but their best practices can really be translated almost to any environment
because generally the threats coming in, unless they're an insider threat or some type
of internal human threat inside the network, there's going to have to be some

(03:07):
level of Internet connectivity from an attacker foreign attacker to be able to get in
there. So CISA's best best practices essentially start with reducing your exposure to what
you have in a publicly facing Internet, and that could be through closing down
ports and protocols, which are just two different ways that firewalls communicate with other

(03:29):
firewalls on the Internet. And conducting regular cybersecurity assessments is another way. So
that's their second. Changing default passwords as soon as you get new equipment is
really critical, and you'd be amazed at how many places have the default passwords
on their switches, routers, hopefully not firewalls, but that's a really big

(03:52):
thing, and that's that's an easy thing to do, right the low hanging
fruit. Conducting an inventory of what your operational technology systems look like as well
as your information technology systems, all those assets that you have, so that
you can really do a good identification of what the risks are to your organization

(04:13):
and then put finances or personnel hours behind protecting those assets. So that's their
fourth one. Developing and exercising a cyber incident response and recovery plan is really
critical and that can be anybody. You know, everybody should have one of
those put in place. Backing up your OT systems and your IT systems.

(04:38):
Again, OT could be more difficult because of the antiquated technology in some
of the OT systems out there in the US, but backing up your IT
systems is going to protect anybody against you know, potentially ransomware or other
types of malware, and so they can roll back to, you know,
a better better of the system that they were using and can help them get

(05:02):
back up if something breaks quickly due to a ransomware event. And then lastly,
it kind of is a bookend. We talk about reducing exposure to the
public facing Internet, reducing your exposure to vulnerabilities. That's a really big critical
one because even if you've worked on hardening your ports and protocols, the software

(05:24):
or the hardware you're using has vulnerabilities all the time, and as hackers continue
to use AI and other capabilities to research those vulnerabilities and exploit what we would
call zero day vulnerabilities which haven't been identified by the manufacturers yet, like,
that's really critical. So if as soon as a vulnerability is identified, updating

(05:46):
your software or your hardware to reduce that exposure is absolutely critical so that hackers
or bad actors can't get into your systems. Yeah, and let's talk about
those hackers, because you know, recently the put out a warning essentially saying
cyber attacks against utilities, especially water and electric, are becoming way more frequent
than they used to be. And about these hackers, namely a what do

(06:12):
they want with our water? I think people would want to ask that sort
of question, like why would they want to get into our water systems?
What do they want with our electric systems? And how are they exploiting these
little areas to get in. As far as the hackers themselves, they could
take many forms. Some hackers might want to get into a system to explain
it for financially motivated reasons. In the case of Volt Typhoon, which was

(06:36):
obviously in the news like for the last couple of months, that's a state
actor who's trying to get into our infrastructure in the event that some type of
hostilities could break out, or in the event that they want to send some
type of a message, you know. And I've heard people argue that them

(06:57):
getting in and being discovered is a mess in and of itself, that hey,
we can do this, we can reach out and touch you. So
you have you know, your financially motivated actors, you have nation state actors,
you have other hackers that are working maybe between the criminal and nation state
realm. And then you've got hacktivists. And we saw that recently in Texas

(07:19):
where a water district their water tower was flooded by hacktivists that were affiliated with
Russia. And so in this war, especially in the environment where you've got
these almost daily or weekly escalations in the Ukraine war, as cyber starts to

(07:39):
really pick up and it's been a part of the war the entire time.
You could start to see more groups get involved from a activist perspective, and
that's really concerning, I think, to a lot of people, because it's
a whole different ballgame when you know, when you think of wars, right,
we think of fighting back against people. At this point, it's just

(08:00):
you're you're looking at code, You're you're trying to deal with binary things on
the other side that you can't see, that you can't touch, and you
know, they're attacking schools and they're getting into, like you said, water
systems and everything like that. It's really interesting how it's all happening so fast
and we're almost being thrust into this whole new world. When it comes to
security, it's utterly and I think the State of Massachusetts is doing a good

(08:20):
job. The Secretary Snyder of the Executive Office of Technology, Services and Security
and Secretary Hao of our Office of Economic Development. They have a joint task
Force on AI that the Governor established, so we're not only looking at trying
to understand the effects of AI, but also test some of the AI out

(08:43):
ourselves to try to get ahead of the threats. As hackers start to test
AI, and so I would refer you to that committee for anything related to,
you know, trying to stay ahead of those those threats when it comes
to the AI space. But you're right, I mean, there's this state
is trying proactively to try to get ahead of some of these threats, which

(09:03):
is really good. So over at the Mass Cyber Center, obviously you guys
are front and center when it comes to a lot of this training and teaching.
Tell us about that and what you're doing to help keep the state ahead
of everything that comes in when it comes to hackers and utility, cyber attacks,
all this sort of stuff. So so far, we've trained about four
hundred students through different community colleges and state schools across Massachusetts in cybersecurity, and

(09:31):
we're doing that using a range and then we pair that up with real world
security operations on the job training where those students are working in municipalities or nonprofits
or small business to harden their infrastructure and monitor them using state of the art
tools. So that's probably a topic we can talk about a different day,
but it's something that we put a lot of effort into. And then for

(09:56):
people listening from municipalities. The last I wanted to mention is we just launched
a municipal grant program and we've dedicated one point four million dollars this year for
that. The application period starts July first, and it's a rolling application,
so we'll get I'm sure some applicants by July first, but then there'll be

(10:18):
more. We'll review the applicants probably quarterly to take a look at what those
needs are. But essentially that's that's part of what we're trying to do is
harden those Internet facing vulnerabilities specifically for municipalities, and that could be municipal utilities,
but it's also the town halls themselves, the schools, and it's basically

(10:41):
all they have to do is get an assessment from someone and a scope of
work from like an Internet A managed services provider or their own IT team,
and we'll pay for them to harden those that infrastructure with that one point four
million. So it's a good program out there. We tried to make it
pretty easy to apply for and again people can go to our website to look

(11:05):
at that grant program and the details for applying to that. A lot of
what we do is collaboration across the state government. And so for example,
in this case, you know, knowing that you wanted to talk to us
about this, I talked to Department of Environmental Protection, I talked to EOPS.
I talked to EOPS the different state agencies out there, so that we

(11:26):
could speak with the kind of a one one voice for government type of perspective.
And you know, so so we get some of those insights from them,
from our partners who can give us really good information, and but but
doing so so that we can understand it and then pass it to you know,
the private sector or the nonprofit sector or other members of the public sector.

(11:48):
And so in this case, for example, like DEP's our primary person
in the state for doing this, and they're the ones who primarily focus on
you know, at least the water the water sector and their program I would
just like to highlight is one of the best in the country. They the
Mass drinking water cybersecurity plan was actually highlighted by the EPA is one of two

(12:11):
states in the whole country for their cybersecurity program and they were invited to talk
at a national program that was sponsored by EPA and CISA, which is pretty
awesome. That was back in March. So they're doing really good things and
they're also submitting their plan to the National Security Council based on a Security Council
review of what other states are doing, what all states are doing essentially.

(12:37):
But for us with the Cybercenter, we have several initiatives our working group,
we do a lot with our Cyber Resilient Massachusetts Working Group, and that's where
we again do more of this collaboration. We have a Municipal sub working Group,
we have a Critical Infrastructure sub working Group and so and we have an
exercise a TTX tabletop exercise sub working and so we're using that working group to try

(13:01):
to really reach out collect partners from a public, nonprofit and private sector to
really talk about some of these issues and how they can affect anybody from the
everyday citizen to the state infrastructure. And so through that, we built that
a card game recently that's an incident response card game, and that's through that

(13:24):
Cyber Resilient Working Group in conjunction with the Commonwealth Fusion Center, and that was
really good. We've played it about twenty five times. People really like it.
It's available for free on our website for someone to download if they wanted
to play it in their own organization. But it's a role playing game and
it's basically eight roles that are pretty synonymous with any type of organization. And

(13:48):
we simulated an organization in Massachusetts that could be a nonprofit or public or private
sector entity that has some type of customer data. And there's some scenarios were
created like that, so that can help citizens kind of talk through what as
executives they would try to figure out, you know, within their own organization

(14:13):
in a non threatening environment. Because this is just a tabletop exercise. Yeah,
of course, and look, it can be really overwhelming to try to
deal with all the different stuff that's coming in day in and day out.
You should do this, you should do that, put this in place,
do that. So it's really cool that you have this game and you have
these systems to help people learn in a way that is easy to digest.
I guess I'll say yeah, And we have that minimum baseline and cybersecurity we've

(14:35):
talked about in the past, that's still you know, pretty easy. It's
kind of four goals to just help someone think about how they deal with their
cybersecurity system. And that's you know, training, coordination with other entities,
incident response plans and then looking at the technology best practices. So right now
that's focused for municipalities, but a lot of the lessons in there can be

(14:58):
adapted to basically public and private sector entities as well. So if somebody wants
to find out more about the Mass Cybercenter, about all this work there that
you're doing there, or maybe find the game for example, where can they
get to you? Sure? So you can visit our website at www dot
masscybercenter dot org and we are part of the Massachusetts Technology Collaborative, so you

(15:22):
could also go to the MassTech main page and then go to cyber as
well. Well. John, thank you for your time, Thank you and
the Mass Cybercenter for all you're doing to help keep our systems safe. And
thanks for the education. I appreciate it. Thanks no, thank you very
much for having me Nicole. It's great. Have a safe and healthy holiday
weekend. Please join me again next week for another edition of the show.
I'm Nicole Davis from WBZ News Radio on iHeartRadio.