At a conference hosted by Champlain College and the US Department of Justice last week, Vermont businesses were warned about the threat of cyber attacks. The event was intended to show organizations in the state how to respond to digital threats – such as the malware that was recently found on a laptop owned by Vermont’s largest electric utility.
Despite the state’s diminutive size – only Wyoming has a smaller population – Vermont is a consistent target for cyber attacks. According to the Vermont Digger, in the past two months the state government has faced:
- 65,000 malware phishing attacks
- 90,000 remote scans – attempts to identify targets for attack
- 575,000 other “digital bombardments”
However, successful defenses mean nothing if even one cyber threat is able to penetrate an organization’s systems.
Burlington Electric hack
In December last year, a laptop belonging to the Burlington Electric Department was found to contain malware. After investigation, the Department of Homeland Security confirmed it was the same malware code used in Grizzly Steppe, the name the US government has given to malicious cyber activity by Russian civilian and military intelligence agencies.
A spokesperson confirmed that federal officials told the municipally owned electric utility that the threat was not unique to Burlington Electric.
Following the incident, Vermont Gov. Peter Shumlin said people should be “alarmed and outraged” that Russia “has been attempting to hack our electric grid, which we rely upon to support our quality-of-life, economy, health and safety.”
Vermont Representative Peter Welch said in a statement that this attack evidenced Russia’s “systematic, relentless, predatory” hacking. “They will hack everywhere, even Vermont, in pursuit of opportunities to disrupt our country.”
National Cybersecurity Preparedness Consortium
Earlier this month, Vermont Senator Patrick Leahy (D-VT), along with John Cornyn (R-TX) and Ted Cruz (R-TX), introduced an act to authorize the US Department of Homeland Security to work with the National Cybersecurity Preparedness Consortium (NCPC) to help prepare for and respond to cybersecurity risks at the national, state, and local levels.
“The bipartisan legislation we are introducing today will help to ensure continued collaboration between cybersecurity expertise developed at our nation’s finest education institutions and state and local governments,” said Sen. Leahy. “I am proud to support this bipartisan effort.”
The NCPC comprises university-based training entities, including Norwich University – The Military College of Vermont, the University of Texas at San Antonio, Texas A&M, the University of Arkansas, and the University of Memphis.
Prepare for cyber attacks with ISO 27001
Given the sophistication of the threats facing businesses in Vermont, Heather Roszkowski, the chief information security officer for the University of Vermont Health Network, urged organizations to better prepare themselves for cyber attacks.
To do this, all organizations – in Vermont and elsewhere – should establish a cyber risk management system to help mitigate the risks of cyber threats. The international standard ISO 27001 sets out a best-practice approach to cyber risk management that can be adopted by organizations of any size.
Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate cyber risks in a cost-effective and efficient way.