Utility companies in Connecticut are doing an “adequate” job of protecting themselves against cyberattacks, according to a report published Tuesday by Gov. Dannel Malloy’s office.
The report, which included four public utility companies, is the second annual review the state has conducted to inspect the cybersecurity of its critical infrastructure. But just because the firms that participated got reasonably clean bills of health — repelling as many as 10 million attempts to penetrate their computer systems every day, the document states — that does not mean Connecticut is any better protected than anywhere else, the state’s top cybersecurity official said.
“I’m often asked if we’re safe from a cyberattack,” Arthur House, Connecticut’s chief cybersecurity risk officer, said at a Hartford news conference Tuesday. “And the answer, of course, is no. No one is. We’re threatened all the time. What’s important is that Connecticut’s utilities take cybersecurity seriously.”
The review analyzed two water companies, Aquarion and Connecticut Water, and two electric providers, Avangrid and Eversource. All four received good marks for taking steps like incorporating cybersecurity into their internal audit procedures, training employees to be alert for phishing schemes and running periodic penetration tests.
The review follows Connecticut’s publication earlier this year of a Cybersecurity Action Plan , which outlined a strategy for the state government, municipalities and the private sector to collaborate on information security. House said Tuesday the action plan came at a time when state governments need to take bigger roles in cybersecurity leadership because of federal inaction.
“It’s essential the states have cybersecurity programs because Congress hasn’t passed any significant cybersecurity legislation,” he said. “There’s no clarity on cybersecurity leadership coming from Washington. The states have to take the lead.”
While estimates of 10 million unsuccessful hacking attempts — perhaps 300 million a year, according to Jim Hunt, a senior vice president at Eversource — are flattering statistics for Connecticut’s utility firms, the review was not without areas where the companies were lacking.
“These were not always pleasant sessions,” House said.
Specifically, House and the other state officials who conducted the review found that the companies need to continually revise their cybersecurity policies as critical infrastructure becomes more reliant on internet-connected devices.
“The internet of things proliferates the number of ways companies can be hacked and penetrated and offers more platforms to attack,” the review reads. “IOT devices often fall outside of established, traditional vulnerability scanning and security patching procedures for computers and network devices.”
Internet-connected devices that control power plants, traffic systems and other components of public infrastructure have come under recent scrutiny from cybersecurity analysts. A report last month by IBM Security and Threatcare found that many such devices are installed with default passwords that are never changed and have weak protections around their internet protocol addresses.
While Connecticut has so far escaped such attacks, some of its neighbors have been less fortunate: In 2013, a dam in Westchester County, New York was targeted by Iranian hackers who gained access by penetrating a cellular modem. The dam was under repair at the time, but the incident still exposed how a cyberattacker could take control of a public utility.
The review also suggests that utility firms could use more consistent routes of sharing threat information with each other. While the four companies analyzed all belong to professional organizations and trade groups, direct information sharing is lacking, the document reads.
Some improvement is being made through the firms’ participation in their specific sectors’ information sharing and analysis centers — the E-ISAC for the power companies and the WaterISAC for water utilities — as well as the state government’s Intelligence Center. The companies also reported they are attempting to hire more employees with high-level security clearances, enabling them to have access to cybersecurity information shared by the federal government.