Survey Highlights Utility Cyber Insecurities

Respondents to a recent KPMG survey echoed the old maxim of “not if but when” and showed shaky confidence in their organizations’ preparedness for cybervulnerabilities.

by Luther Turmelle, New Haven Register / December 17, 2018

(TNS) — Given how we have come to take the reliable delivery of electricity for granted, the results of a recent survey of power and utility executives about the potential for a cyberattack disrupting service could be seen as shocking.

Nearly half of the chief executive officers of power and utility companies who responded to a KPMG survey released in November said they believed a cyberattack on their businesses is a matter of “when,” not “if.” And only 58 percent of the respondents felt their companies were prepared to identify new cyberthreats.

Regina Mayor, global sector head of KPMG’s energy and natural resources unit, said “technology-driven opportunities in the sector have also opened the door for significant risks and cyberthreats.” KPMG is an international professional services firm based in the Netherlands.

“The levels of cyberdefense and preparedness vary across the sector, but it is critical that organizations take the necessary steps to protect their systems or they risk becoming a target for potentially crippling attacks,” Mayor said.

Connecticut utilities are working with state cybersecurity officials to assess their preparedness against cyberattacks. But company officials are reluctant to talk about the subject, even in the most general of terms.

Eversource Energy officials chose not to be interviewed for this story and referred all questions to representatives of the Edison Electric Institute, a trade group representing the nation’s investor-owned utilities. Officials with Clinton-based Connecticut Water Service asked that any questions about the utility’s cybersecurity readiness be submitted in writing, which is a departure from normal practice.

Officials with the United Illuminating Co. elected not to make one of its cybersecurity executives available for an interview. Ed Crowder, a company spokesman, said “United Illuminating and the other Avangrid companies recognize the significant and ever-evolving threat presented by malicious cyberattacks.”

“We are determined to work collaboratively to detect attacks and prevent them from endangering the energy grid we all rely on for our everyday lives,” Crowder said. “We adhere to a comprehensive prevention, detection and mitigation strategy to protect our infrastructure from the threat of physical and cyberattacks and damage.”

Individual employees of UI and its sister Avangrid utilities — which include Southern Connecticut Gas and Connecticut Natural Gas in this state — receive annual training that teaches them to recognize and report potential cyberthreats, according to Crowder. Those threats include malware spread by email that can leave the organization vulnerable to intrusion.

Eversource, UI and Connecticut Water, as well as Bridgeport-based Aquarion Water — which is owned by Eversource — all participated in this year’s annual assessment of their preparedness. Arthur House, Connecticut’s Cyber Security Risk Officer, led the assessment team and its findings culminated in the Connecticut Critical Infrastructure 2018 Annual Report, which was released in September.

“We believe that their current defenses are adequate,” House said. “But we’re all vulnerable and it is very sensitive to talk about that vulnerability. And it is so easy to be misunderstood.”

Scott Aaronson, vice president of security and preparedness for the Edison Electric Institute, describes the reluctance of Connecticut utilities to talk about the readiness of their cyberdefenses as “a healthy paranoia.”

“Saying our security is good is like painting a bulls-eye on that company,” Aaronson said.

But according to Joel Gordes, a West Hartford-based energy consultant, being tight-lipped about cybersecurity “is a missed opportunity.”

“Being silent is not a deterrent,” Gordes said. “It really leaves people to wonder whether or not they (the utilities) are prepared.”

The state’s utilities, according to the 15-page report prepared by House’s team, are “subject to a persistent, changing array of increasingly sophisticated and dangerous efforts to penetrate their communications and operating systems.”

“In some cases, more than a million distinct probes are received and deflected in a single day from both nation states and private actors,” the report says in part. “Attacks take varied forms, including both attempted systems compromise and phishing directed at employees. While there have been a large number of cyberincidents (attempts to penetrate communications or operations), none reached the level of an actual breach (penetration).”

The report also identifies another, less obvious problem associated with Connecticut utilities protecting their operating systems: An inadequate supply of cybersecurity professionals.

“While the world of cybersecurity consultants and systems remains robust in the United States and for public utilities, the market for cybersecurity professionals is constrained,” the report says in part. “Human resources departments face challenges in recruiting, evaluating and retaining cybersecurity subject matter experts. It is difficult to attract technically qualified young people to utilities when such professionals are sought by other companies with higher salaries and by government agencies with more extensive resources.”

A Forbes magazine article in August estimated that by 2021, there will be 3.5 million unfilled cybersecurity positions worldwide. House said that nationwide, there are 350,000 unfilled cybersecurity positions and 4,000 here in Connecticut.

A successful cyberattack on a utility occurred in Ukraine in both 2015 and 2016. The attack was able to shut off power for 225,000 Ukrainians for six hours, according to Aaronson.

House has a level of familiarity with the Ukraine cyberattack because he was asked by the U.S. State Department to go to the eastern European country after the attacks to assess what had happened.

“When the shutdown happened, they literally had to go to the homes of the people that used to operate the system manually and have them show how to restore it manually,” he said. “It's a reality that computers run things, but you have to know how to manage it in case there is a problem with the computer.”

As the operation of electric grids and other utility systems becomes more computerized, security becomes more complex, Gordes said.

“Whether it’s a smart (electric) grid or some other system, every time you add another smart device, you’re making it more vulnerable,” he said. “Each one of those things you add to make a system smarter is like adding a little computer. And each and every one of them needs to be adequately protected, otherwise it can be turned into a botnet.”

A botnet is a group of connected computers that have been compromised by a third party and used to transmit malware or spam, or to launch attacks.

“It’s only going to get worse before it gets better,” Gordes said.

Aaronson takes a more optimistic view of the situation.

“The electric grid is huge, it is one big machine with thousands of owners and operators,” he said. “But we are committed to constant improvement. From our perspective, cybersecurity is not an IT issue, it's a leadership issue and the leadership of this industry has made it top priority.”

©2018 the New Haven Register (New Haven, Conn.). Distributed by Tribune Content Agency, LLC.