Why Cybersecurity at CUD Is a Full-Time Job

Cyberattacks are unfortunately part of our new normal. For public utilities, the work involved with building and maintaining strong online defenses is an everyday effort because essential services present an enticing target. The costs and damages from a breach can be extremely high.

With that in mind, we offer this interview with Mike Sumner, Director of Technology for Consolidated Utility District. Mike will provide an overview of cyberattacks and give some helpful tips for protecting your own data online.

CUD: What’s your background in information technology and online security?
Mike: I am GIAC-certified (Global Information Assurance Certification) in cyber defense. That organization is trusted by the National Security Agency. I have also been trained as a CISSP (Certified Information Systems Security Professional). In terms of overall experience, I have more than 25 years of working knowledge with information technology and cybersecurity.

CUD: Without giving away too much inside knowledge, what about our systems makes you confident against intrusions?
Mike: CUD utilizes a layered cybersecurity approach. Before data can be brought into CUD’s network, it has to go through two layers of protection. Once data is inside CUD’s protected network, we have additional security in our email provider as well as our end points (servers, desktops, laptops, and mobile devices). This gives us numerous monitoring triggers so we’re aware of any risk at any point.

CUD: We know that utilities are targeted by hackers. How many attacks does CUD encounter on a monthly basis?
Mike: We average 25,000 attempts at our firewalls monthly, and we deal with an average of 171 daily phishing/malware attempts via email.

CUD: What are vulnerabilities in the average computer that hackers often target?
Mike: The most obvious area is email. More than 90 percent of all cyberattacks begin with an email to an unexpected victim. You’ve got to be vigilant in not clicking on links in an email that ask you to supply your username and password. If you get an email from a company or someone – even if they’re trusted – don’t put in your username and password. If you need to access your data, go to the site directly. Just never click on links sent via email.

CUD: Phishing is another common form of attack. Can you give us some background on that?
Mike: Phishing occurs when someone sends an email to you that’s designed to trick you into revealing sensitive information such as your username, password, financial or health data, and so on.

Phishing can also place malicious software onto your system. It’s really important to back up your data on at least a weekly basis, if not daily.

CUD: We hear a lot in the news about malware and ransomware attacks. How do you define each of these?
Mike: Malware is a computer program that harms your computer and other similar devices by corrupting or damaging files. Over the years, malicious codes have continued to pose serious risks to various computer users — including businesses, individuals, and government agencies.

Malware exists in different types, with each having a different style of attack and damage. Some malware codes steal or destroy data, while others could lock a computer user out and demand a ransom.

Ransomware is malware that locks a computer user out, encrypts data, and demands a ransom before unlocking the computer. This kind of attack has become so vile that hackers will even target healthcare providers, schools, and local governments.

For example, a ransomware attack on the Baltimore City government cost them $18 million before normalcy was restored. The attack lasted for one month and shut down a variety of government services and activities.

CUD: What are some commonsense steps ratepayers can take to protect themselves online?
Mike: I’ve got quite a list. Here we go …
• Don’t open email from strangers.
• Make sure your device updates are current, and back up your data regularly.
• Use strong passwords or passphrases. By that, I mean it needs to be longer than eight characters and preferably longer than 12 characters. You should use upper case, symbols, numbers, and letters. For symbols, try this: substitute a zero for O and @ for A. Add the year and a letter at the end. Each time you update your passphrase, advance the ending letter to the next in the alphabet.
• Change your passphrase periodically – preferably every 90 days.
• Using two-factor authentication can really help your devices Choose something you know – like a password. Then choose something specific to you – like a thumb print or a text verification to your cell phone.
• Never click on strange links you have received.
• Avoid using unsecure Wi-Fi.
• Don’t give out your personal or financial information online.

CUD: When CUD processes online payments, there is a payment processing fee, also called a convenience fee. Sometimes our customers question why they have to pay this. Can you explain?
Mike: Sure – CUD uses a third party to process credit card transactions. This is due to the requirement that payment processors must be PCI-compliant (Payment Card Industry compliance). This is mandated to ensure the security of credit card transactions.

This fee is charged to CUD by the third party, and it’s passed on to customers when they use a credit card to make payments. We don’t keep the fee.