Cybersecurity: A public-private mission in Connecticut
If a hacker were to shut down an essential utility company, it could be a matter of life or death, according to Arthur House, chairman of the Connecticut Public Utilities Regulatory Authority.
He said in the past few years, utility companies have been dealing with attacks that are growing in frequency and sophistication. House, who took the position about three years ago after a career in both the government and private sectors, including in national security, said PURA has been working closely with the state”™s private electric, water, gas and telecommunications companies to share information and create cybersecurity standards.
“We are at the stage now where I think the customers in Connecticut ”” the people in Connecticut ”” demand to know what we”™re doing about cyberthreats,” House said. “They ask questions. I think it”™s important for us to say we hear this and we”™re going to have a dialogue.”
In 2013, the Connecticut General Assembly ratified Connecticut”™s Comprehensive Energy Strategy and directed PURA to prepare a cybersecurity review, which was published in April 2014. The report said hostile penetrations occur frequently and called for regulators and utilities to work together.
PURA has recently completed a series of working sessions with individual utility companies to discuss their cybersecurity measures, strengths and weaknesses, performance criteria, training, costs and more. Normally meetings require a courtroom setting with testimony and cross examination, but these have been informal, House said.
“We are looking to suspend the normal relationship between the regulators and those who are regulated in order to work out a solution and a new way of assessing our cybersecurity,” House said. “That”™s a new task.”
PURA is working on a report to share with the companies, who will be able to comment on it. House said the report should be completed at the end of this year or early next year. The outcome will be a set of standards by which companies in all four sectors ”” electric, water, gas and telecommunications ”” will report on their progress and how they are managing their cybersecurity.
The utilities groups have also agreed to participate in annual meetings with PURA and other public officials. House said they are still finalizing who will be involved, but he said it could include the governor or his designee, public utilities commissioners and the Department of Emergency Services and Public Protection.
“In Connecticut our political leadership has made it clear that they would like to have some assurance, they want to be involved in this,” House said. “They need to be able to tell their constituents and the people of Connecticut there is a basic understanding of what the state of cybersecurity is and to make sure it”™s adequate.”
Utility companies said cybersecurity has become a larger focus for them and they are working with industry and federal groups in addition to PURA.
Elizabeth Godbout, spokeswoman for Stamford-based Frontier Communications, said that until recently, company CEO Maggie Wilderotter was chairwoman of the National Security Telecommunications Advisory Committee, which provides industry advice to the U.S. government about critical infrastructure issues.
Godbout said the telecommunications industry overall has increased attention to addressing cyber risks and threats. Frontier has devoted significant resources and energies to its cybersecurity efforts, she said. There are always new ways of infiltrating systems, so Frontier is constantly updating and adapting its cybersecurity capabilities, she said.
“We need to be vigilant to protect consumers,” Godbout said. “We all understand the potential consequences that these threats pose to our economic and national security.”
Frontier conducted a thorough risk assessment, analyzed threats and implemented security controls to reduce or eliminate risk, she said. Once in place, the security plans need to be maintained and monitored.
Michael West, spokesman for The United Illuminating Co., said the company is also involved with PURA and other groups where information is shared. Company CEO James Torgerson works with organizations under the North American Electric Reliability Corp. as the co-chairman of its Business Continuity Guideline Taskforce and as a member of its Electricity Sub-sector Coordinating Council.
“He”™s getting a first-hand view what everyone else is doing across the country,” West said of Torgerson. “We utilize some of those best practices.”
West said United Illuminating has been involved with cybersecurity for “some time,” but it has become an increased focus. The team who works on cybersecurity employs defensive and offensive strategies and re-evaluates to make sure it has the proper resources.
House said it can be advantageous for utility companies to speak with PURA so the regulator understands cybersecurity costs and can better evaluate a rate increase.
House does not know of any states that are proceeding in the same manner as Connecticut. Cybersecurity is a large issue for states to take on; they generally do not have cybersecurity experts on board and are often in “triage” dealing with their most urgent problems, House said. He said it is rare for someone in his position to have a background in security.
At meetings with the National Association of Regulatory Utility Commissioners, there is a lot of interest in what Connecticut is doing, House said.
“You hear about fights in government and accusations and hyperbole,” House said. “This is the opposite of that. This is public and private sectors coming together privately and constructively.”