AUGUSTA — Maine may be known for its rugged, off-the-grid charms, and its people may pride themselves on their resiliency in the face of any number of natural forces: wind, snow, ice, black flies. But even Mainers aren’t immune from the risks of a world increasingly interconnected by the internet and other infrastructure, according to the speakers at a two-day conference on emergency preparedness that kicked off Tuesday morning.

Cybersecurity was the theme during the first day of the eighth annual Maine Partners in Emergency Preparedness Conference, which is taking place at Augusta Civic Center and has more than 500 registered attendees.

There is no shortage of reasons for Mainers who haven’t thought about cybersecurity to start doing so now, said those who spoke during a keynote panel discussion and in smaller workshops throughout the day.

Police departments across the state have had to pay anonymous hackers not to destroy their computer files. Residents’ banking information has been stolen and money transferred in their name. Data breaches at big-box stores have led to Mainers having their credit card information sold online.

“If you’re a first responder, you may not think of cyberattacks as part of your job, but while you may not be in charge of guarding the computer systems, you’re definitely going to feel the impact of a massive cyberattack,” warned Chet Lunner, former deputy undersecretary for intelligence at the U.S. Department of Homeland Security, during the keynote talk.

Should such a devastating cyberattack happen, Lunner said, fire alarms could stop working, radio and cellphone networks could shut down, people could lose their heat in December, hospitals could be cut off from the outside world and the breakdown of sewage systems could make it hard to dispose of human waste.


The conference’s first day was attended by a mix of people with backgrounds in emergency response, information technology and other fields. Attendees came from the public, private and nonprofit sectors.

The second day, Wednesday, will focus on a separate but related topic: catastrophic power outages, such as the one that followed the ice storm of 1998. The conference has been organized by the Maine Emergency Management Agency, the State Emergency Response Commission and the Maine Association of Local Emergency Managers.

The Maine Emergency Management Agency, or MEMA, does not have a robust plan for responding to cyberattacks, according to Cameron Wellman, the agency’s cybersecurity coordinator, who gave a presentation in the morning. But Wellman — who has been in that role for three months and emphasized that he is “not a cybersecurity expert” — said the department is drafting a set of protocols for reacting to cyberattacks.

“MEMA has a great reputation for planning for natural hazards, whether it be floods or hurricanes. We’ve even been doing tsunami planning,” Wellman said. “However, cybersecurity is a pretty new thing.”

There have been two executive directives that are now guiding Wellman’s work.

In the summer of 2014, Gov. Paul LePage had the information officers for various state agencies come together in a working group that meets several times a year to discuss cybersecurity objectives. In 2013, President Barack Obama made a presidential directive recognizing 18 infrastructure sectors that should be protected from cyberattacks, chief among them energy, water, communications and transportation.


While Wellman was not able to describe the protocols his agency is drafting in great detail, he said they will include a mechanism for organizations and agencies who think they have been exposed to a cyberattack to report the incident. From there, the protocols will identify the steps state agencies should take to respond, communicate with the public and seek assistance from higher levels of government.

“We still have a lot to work on,” Wellman said. “I know several municipalities, especially in the most rural parts of our state, might have one IT person; they might not. They might have a person that wears 13 different hats, so this is going to be completely segmented.”

Tuesday’s conference also included keynote talks from Tammy Plummer, executive vice president and chief information officer at First National Bank, and Marshall Tracy, head of information security at IDEXX Laboratories and an executive board member of the Maine Cyber Security Cluster.

Plummer described how the email account of one of her bank’s customers was hacked by someone who then rooted around for personal information, ultimately finding enough to make a fraudulent wire transfer from the customer’s account to an account bearing another name. In that case, the bank recovered the money.

“The customer would have been made whole anyways, but the bank got the wire transfer back from California,” Plummer said. “The only thing that thwarted this scheme was that the bad guy had not gone to pick up the money in time, so we got lucky on that one.”

That was just one type of fraud people in the banking industry face, Plummer said, and she and other members of the Maine bankers network regularly share information to prevent similar incidents.


Plummer recommended several practices for blocking would-be cyberthieves: not clicking suspicious or unsolicited links and attachments in your email inbox, not downloading questionable games and other files from the internet, creating a password that is hard to guess, and installing the latest software updates.

According to Tracy, hackers usually are motivated by financial gain but sometimes can break into computer networks for ideological or political reasons. While there are plenty of complicated information security programs, he stressed that avoiding cyberattacks boils down to a “mindset.”

“It requires a consistent focus on vulnerabilities,” he said. “You need to be cynical.”

Charles Eichacker — 621-5642

[email protected]

Twitter: @ceichacker

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.