Hear the ‘Hacked’ Vermont Utility Manager In His Own Words
Last week, The Washington Post made headlines when it reported that Russian hackers had penetrated the U.S. power grid through a utility in Vermont.
The story was flawed, to say the least. The electrical grid had not been hacked, and neither had the company. In short, a false alarm—an employee checking email—triggered an alert, which the utility reported to the federal authorities. Someone there apparently leaked it to the press, then reporters ran the news based on incomplete information. You can read more about what went wrong here.
Fortune caught up with Burlington Electric Department, the utility in the eye of the firestorm, after the furor quieted down. Neil Lunderville, general manager at the utility, told us he was taken aback by the mayhem that erupted the morning after the utility filed a report to the Feds. Although some commenters have speculated that the leak’s fallout might deter companies from sharing threat information with the government in the future, Lunderville said the experience will not inhibit the utility he manages from sharing intel with the Feds again. He is disappointed by what happened, he said, but still believes that maintaining a good relationship between the public and private sector is vitally important when it comes to protecting national infrastructure.
Here’s what Lunderville had to say, in his own words, lightly edited for clarity and length.
Fortune: First off, happy new year!
Lunderville: I haven’t learned how to say that in Russian yet.
Thankfully, you won’t have to…
So, what happened?
On the last Thursday before the new year—Dec. 29—we received an update from the Department of Homeland Security asking us to look out for certain indicators of compromise. I think most other utilities received this as well. They said they were related to Grizzly Steppe [the government’s codename for an alleged Russian hacking operation].
We uploaded the indicators to our scanning system to look for the types of things specified. Then sometime on Friday morning, when one of our employees went to check email at Yahoo.com, our scanning system intercepted communications from that computer and an IP address listed in the indicators of compromise. When warned of that, we immediately isolated the computer, pulled it off the network, and alerted federal authorities.
So far, so good.
To be clear, that computer was not attached to the grid control systems. It was on our business network, which is separate. There is no indication of compromise of either any of our internal systems or any customer data. The federal authorities have told us they’ve seen traffic—this suspicious kind of cyber activity—in the traffic of other companies. They don’t think it is unique to BED, or even to the utility sector.
We filed the report on Friday. We talked to the federal authorities. They said, “Thanks for the information, we’ll get back to you.” At that point, we weren’t done with it, but we didn’t expect any other activity to happen on Friday.
What went wrong?
The day after we filed the report, someone in the federal government misinterpreted it as an intrusion into the grid by the Russians and leaked that information to the Washington Post, incorrectly. The Washington Post decided to run with the story before confirming with us. That’s what led to this cascading series of stories that spiraled out into the Twitter-verse with unrelenting speed. We’ve been trying to clean up the mess since then.
Do you know whether the Washington Post knew you were the utility in question?
There are only two utilities in this area of Vermont: us and Green Mountain Power.
Tell me about Burlington Electric.
We’re a municipal utility. We’ve been around 111 years and have 127,000 customers. We serve just the city of Burlington, the biggest city in Vermont.
In 2014 we became the first city in the U.S. to source 100% of our power from renewable energy: biomass, hydroelectric, wind, and solar power. We’ve been leading on efficiency for 25 years. We use less power and electricity in Burlington today than we did in 1989.
Have you changed any of your protocols or security measures since this “hacking” incident?
As a general rule, we don’t talk about our cybersecurity measures. I’ve been disciplined in this process not to get into any of those details. We don’t want to create a roadmap for folks looking to try to poke through our network. Any incident like this provokes a review of our systems, which we’ve done.
Cybersecurity is not a moment in time. It’s an ongoing process that you’ve got to look at every day of the year. We’re always looking to evolve our systems. That certainly has happened since last week, and it also happens every week. We’re always making changes to the system, adding more security.
Will you be more hesitant, or cautious, about sharing information with U.S. officials in the future?
No. We are going to share with the Feds. Somebody used the information we submitted for their own purposes—political or otherwise—and the newspaper went running with it without having the facts right. Still, you should not throw the baby out with the bath water.
We have a good relationship with our federal partners. We’re not going to stop working with them because of this incident. Ultimately, we rely on them for intelligence about cyber threats. We provide information to them. They analyze that information and assess what the source of it is, and what we can do to stop it. We can’t afford to pull back from working with them.
The Washington Post reported in a follow-up story that an itty-bitty piece of malware was ultimately discovered on the laptop in question. Do the ends justify the means?
What do you mean?
Blowup aside, some malware was discovered in the end.
That’s an area we didn’t comment on. We at BED aren’t getting into that because we’re part of an ongoing federal investigation. This was a computer not connected to any of our grid control systems. Whether or not it contained even a little piece of malware does not justify an inaccurate leak that the grid was penetrated by Russians, nor does it justify an inaccurate report to the same tune.
The penetration of the U.S. electrical grid would be a serious national security threat that would need to be handled with the utmost of care. The presence of malicious code, whether there or not, on a computer not connected to critical grid systems, is a very different story.
What do you think about the attribution to Russia?
Any threat to the electrical grid needs to be taken seriously, whether by Moscow or Manhattan. The difference doesn’t matter. From a utility perspective, we don’t want any of those threat indicators on our network.