The threats are real and include a prolonged loss of electricity and water, evaporation of company records and breach of customer privacy, said the report to Gov. Dannel P. Malloy.
Arthur House, the state’s chief cybersecurity risk officer, was blunt about the threats utilities and their customers face.
“I’m often asked in my job are we safe from cyberattack? And the answer, of course, is no,” he said at a Capitol news conference. “We’re not safe. Nobody’s safe. No federal agency, no state agency, no city, no business, no individual can take safety as an assumption. We’re all threatened all the time.”
Attempts to compromise utilities’ systems are becoming more sophisticated and frequent, he said.
“They’re growing in volume. We have to defend ourselves and Connecticut is doing that,” House said.
Jim Hunt, senior vice president for regulatory affairs at Eversource, said the utilities and state officials launched a partnership to face down cybersecurity threats, turning away from the typical relationship in which utilities must yield to regulators.
House said utilities are assigning qualified people to the task of defending their operations and are spending money on cyberdefenses. In addition, utilities’ boards of directors and top management of the utilities are “on board,” he said.
Still, numerous problems need to be addressed, the report said. State officials and the utilities said the impact of a loss of service to Connecticut is not well understood and utilities need to increase their attention to response and recovery planning for a major cybersecurity attack.
Utilities also are having trouble competing for qualified young workers, facing off against companies offering higher salaries and government agencies providing greater resources, the report said.
In addition, Connecticut utilities need to improve crisis management, and vendors of materials and services are potential sources of compromise, the report said.
“The utilities realize that there is no template or playbook for the broad and unpredictable effects of a cyberattack,” the report said.
Exercises with a range of possibilities, including breakdown in public order and large-scale movements of people seeking water and other necessities need to be planned and executed, the report said.
China, Iran, North Korea, Russia and Turkey have been identified as among the sources of cyberthreats, seeking to undermine U.S. security, officials said.
The U.S. Department of Homeland Security warned earlier this year of Russian “reconnaissance of U.S. critical infrastructure” and said Russian military intelligence conducted in the past two years a hacking campaign targeting hundreds of critical infrastructure companies that included electric power utilities.
Connecticut’s utilities have not been informed that they were among those breached, the report said.
House said that in addition to governments seeking to undermine the U.S., “cybermercenaries” in the Middle East and eastern Europe “could be hired by somebody to launch an attack.”
House said states must take the lead on improving cybersecurity because the federal government is doing little.
©2018 The Hartford Courant (Hartford, Conn.) Distributed by Tribune Content Agency, LLC.
