http://www.hartfordbusiness.com

Report: CT utilities' cyber defenses 'adequate'

By Matt Pilon

10/12/2017

Photo: Art House, the state's cybersecurity risk officer (HBJ file photo)

A confidential review of four utility companies' cybersecurity strategies has determined that all have adequate "operational defense systems."

The companies -- Eversource, Avangrid, Aquarion and Connecticut Water -- face "ongoing, changing and serious cybersecurity probes" and are investing in their defenses, according to a report by state regulators released Thursday.

Each company requires cybersecurity training at least annually. Several conduct recurring reviews of their defenses and conduct phishing drills and other tests of potential vulnerabilities.

Full details of the review conducted by the Public Utilities Regulatory Authority and the Division of Emergency Management are being kept secret, but the public report said that there are two key areas for "ongoing vigilance and continued improvement."

Those include staying current with the evolving ways that hackers penetrate systems using a technique called "spear phishing," and protecting against breaches that could be suffered through integrating utility systems with third-party vendors' systems.

The report concluded the first review of utility cybersecurity probes under a new voluntary program finalized by the Public Utilities Regulatory Authority last year.

The program was not without controversy. Telecom and wireless providers declined to participate in the reviews with PURA and the Division of Emergency Management and Homeland Security, citing concerns about duplication of federal reporting requirements and the potential for disclosures to lead to fines or litigation.

Regulators and utilities intend to appeal to those companies again, the report said, to address challenges such as "internet-of-things" devices, which present a potential point of entry into utility distribution systems for hackers. Regulators also want to include municipal utilities in the reviews.

Art House, the state's chief cybersecurity risk officer and a former PURA commissioner, wrote to legislators and Gov. Dannel Malloy that the inaugural review had "achieved its objectives of realizing a cooperative, candid, productive and insightful sharing of pertinent information."

In an address to industry officials last summer, House -- appointed by Malloy last year -- warned that a cyber attack on utilities, particularly at a vulnerable moment such as an extreme weather event, could have a devastating effect.