State cybersecurity report finds utility efforts adequate, but continued diligence needed

Gov. Dannel Malloy today released the Connecticut Critical Infrastructure 2018 Annual Report, a comprehensive review of the state”™s electric, natural gas and large water companies”™ efforts to detect and prevent cybersecurity threats.

The report stated that while Connecticut”™s utilities faced more frequent and sophisticated penetration attempts in the past year, they were met with “adequate defense capabilities.”

The review and report are the result of a 2014 cybersecurity strategy and 2016 cybersecurity action plan, both products of Connecticut”™s Public Utilities Regulatory Authority (PURA). The state”™s utilities had worked with PURA to reach agreement regarding the scope and process for conducting the cybersecurity reviews. Four utility companies participated: Aquarion, Avangrid, Connecticut Water and Eversource.

“Cybersecurity threats continue to grow across the United States, for everyone ”“ the federal government, states, cities, businesses and organizations, and private citizens,” Malloy said. “The report released today shows that while our public utilities have so far detected and prevented threats, we must continue to practice vigilance.”

The companies graded themselves using the Cybersecurity Capabilities Maturity Model. Conducting the reviews were the state’s Chief Cybersecurity Risk Officer Arthur H. House; PURA Public Utilities Engineer Steven Capozzi; Brenda Bergeron, principal attorney in the Division of Emergency Management and Homeland Security in the Department of Emergency Services; and David Geick, director of IT security services at the Department of Administrative Services Bureau of Enterprise Systems and Technology (DAS/BEST).

The report concludes that “Connecticut”™s utilities are spending more time, devoting more resources, educating their workforces and transforming their cultures more thoroughly to meet the increased level of threats.” But it notes that significant threats and challenges remain, including increased volume, sophistication and country of origin of attempted malicious probes.

At the same time, the report notes significant improvements and areas of progress. There were no known cyber breaches during the past year, despite millions of attempts.

The full report is available here.