But telecommunications companies operating in Connecticut have balked at such voluntary meetings, fearing they could lead to more state regulation of an industry that currently answers primarily to federal agencies.
A report released Wednesday by the state Public Utilities Regulatory Authority (PURA) lays out plans to strengthen protection of water, gas and electricity systems in Connecticut through voluntary, cooperative efforts with utilities.
In the report, state regulators warn that public utilities here and across the U.S. "face the credible danger of cyber penetration, compromise and disruption" that could cut off electricity, water or telecommunications for millions of people.
Representatives of Connecticut electricity, water and gas utilities have all agreed to participate in cybersecurity talks and planning with the state, according to the report.
Arthur H. House, PURA's chairman, said telecommunications company representatives say they're reluctant to participate in state-led security talks, even if they are voluntary and behind closed doors. Despite state assurances that the talks would be private and no information disclosed would be used against the companies, House said telecom officials "see this as a slippery slope toward state re-regulation."
"The telecommunications companies are especially concerned that information divulged in such meetings could expose them to fines, prosecution and/or litigation," the PURA report stated.
House said he and PURA experts believe any information provided to the state in such talks would be exempt from Freedom of Information Act disclosure. He also said nationwide and federally directed cybersecurity efforts that telecommunications companies would prefer could take to three to five years to develop "or might never happen."
The state report comes shortly after publication of federal documents detailing cases in which hackers have penetrated U.S. electrical grid and utility computer systems. Federal, state and utility officials have declined to identify individual companies or systems that have been hacked, fearing that could focus attention on vulnerable systems.
A U.S. Department of Homeland Security assessment of the cybersecurity threat to utilities was published by Public Intelligence, a research project website that offers secretive security information to the public. In the assessment, DHS officials stated that a damaging cybersecurity attack on the American energy and utility system was "possible but not likely."
Gov. Dannel P. Malloy said it is "critical that we are prepared for a cyberattack." Malloy said the new PURA report offers "a road map to support cybersecurity defenses" for Connecticut utilities.
The 27-page PURA report cites statements by federal officials and cybersecurity experts that "U.S. public utilities have been penetrated" and that "foreign powers could decide to harvest their penetration" by disrupting electric, gas and water supply systems to millions of people.
House said he couldn't talk about whether any individual Connecticut utility company has experienced a serious cyberattack.
"All utilities in the U.S. have been hacked" or have faced attempts to hack into their computer systems, said House. "It goes on all the time." But he added that Connecticut utility companies "have very robust and very sophisticated cyberdefenses and capabilities"
"They take this issue of cybersecurity very, very seriously," said House.
Connecticut utility officials who met with PURA on cybersecurity issues were concerned about annual review meetings that might involve large numbers of state officials and the potential for leaks of sensitive information about computer defenses.
House said PURA has agreed to having only two regulatory officials and two state homeland security representatives present at such meetings, and that state officials would "not take any written notes" from the discussions.
Any leaks of computer security information as a result of the meetings "would ruin the whole process," House said.
The PURA report also mentions the possibility that the state and Connecticut utilities might agree in the future to engage outside experts to provide objective and independent evaluations of utility cybersecurity arrangements.
©2016 The Hartford Courant (Hartford, Conn.) Distributed by Tribune Content Agency, LLC.
