Utilities beef up cybersecurity

Neither Eversource, the regional power company, nor any other Connecticut utilities this year reported being among those in the nation that the Federal Bureau of Investigation or Department of Homeland Security notified of cybersecurity penetration, according to a state report.

However, all of the utility companies in the state understand they face that danger and all take cybersecurity seriously, according to the Connecticut Critical Infrastructure 2018 Annual Report, released last week by Gov. Dannel P. Malloy.

It is a comprehensive review of the state’s electric, natural gas, and large water companies’ efforts to detect and prevent cybersecurity threats. The report stated that while Connecticut’s utilities faced more frequent and sophisticated penetration attempts in the past year — millions actually — they were met with “adequate defense capabilities.”

The review and report are the result of a 2014 cybersecurity strategy and 2016 cybersecurity action plan, both products of Connecticut’s Public Utilities Regulatory Authority (PURA) and announced by Malloy.  Connecticut’s utilities had worked with PURA to reach agreement regarding the scope and process for conducting the cybersecurity reviews. Four utility companies participated: Aquarion, Avangrid, Connecticut Water, and Eversource.

In many cases, the utility companies have been beefing up their cybersecurity teams, according to the report, which outlined several areas of progress:

  • Internal review and audit processes have grown.

  • Employee training is more extensive.

  • Systematic vetting of utilities’ supply chain is more rigorous.

  • All the utilities run drills to revert to manual control for facilities and substations.

  • Security consultants have been retained and utilities participate in trade associations concerned with improved cybersecurity.

All four utilities asked that the cable and broadband companies on which they depend be subject to the same annual review process.

“Cybersecurity threats continue to grow across the United States, for everyone — the federal government, states, cities, businesses and organizations, and private citizens,” Malloy said in a statement. “We can never be assured of security, but we can fight back and do everything in our power to make ourselves safe. Connecticut has been a leader among states, launching both a cybersecurity strategy and an action plan.”

The report concludes that “Connecticut’s utilities are spending more time, devoting more resources, educating their workforces and transforming their cultures more thoroughly to meet the increased level of threats.” But it notes that significant threats and challenges remain, including increased volume, sophistication, and country of origin of attempted malicious probes.

At the same time, the report notes significant improvements and areas of progress. There were no known cyber breaches during the past year, despite millions of attempts.

“The number of threats to our infrastructure has never been greater and fortunately, the commitment across the public and private sectors to respond has never been stronger,” Department of Emergency Services and Public Protection Commissioner Dora Schriro said. “The plans that are in place today and the partnerships that we have formed will help to keep Connecticut, the region and our country safer than ever before.”

“Every sector, every business, every individual can and should be taking steps to reduce cybersecurity risks,” Chief Information Officer Mark Raymond said. “This report demonstrates that we can make progress through incremental, cooperative efforts.”

To read the entire report, go to https://bit.ly/2xySlAw.