Warning that there “will likely be a utility cyber disruption at some point,” Connecticut officials say they plan to begin annual confidential meetings to review utility cybersecurity efforts.
“Given the extent to which both our quality of life and sheer survival depend upon modern utilities, the nascent area of recovery management deserves serious, urgent attention,” said the Connecticut Public Utilities Regulatory Authority (PURA) in an April 6 report culminating two years of study. Connecticut Governor Dannel Malloy and legislative leaders first called for utility cybersecurity planning in April 2014.
PURA is opting for a largely voluntary, cooperative process with utilities, rather than strict directives. The agency described the need for “flexible collaboration” in light of the “rapidly evolving nature of cyber threats to public utilities.”
To determine if a utility is taking necessary steps to defend against cyberattacks, the state plans to look at management’s commitment, corporate culture, engagement with outside experts, and third party and technical assessments. Connecticut also wants utilities to maintain a cybersecurity risk register for government review. Among other things, the registry will address a utility’s strengths and weaknesses in maintaining cybersecurity.
While electricity, natural gas and water companies have been cooperating with the state, telecommunications companies are balking at Connecticut’s cybersecurity process.
CTIA-The Wireless Association and the New England Cable and Telecommunications Association argue that the review process could lead to a breach of confidential information. In comments filed with PURA, they urged the state to instead let federal efforts play out on utility cybersecurity.
PURA, however, said that Malloy and legislative leaders “made it clear that they need to be assured that Connecticut’s public utility companies are taking necessary steps to address challenges in the cybersecurity landscape.”
Since the state began its cybersecurity review in 2014, national officials and cybersecurity experts “have warned of the increased sophistication of cyberattacks and “more thorough penetration of public utilities as well as other sectors such as finance, industry and communications,” PURA said.
Among things, the state agency cited a February 2016 warning to US power companies by the Department of Homeland Security about a Ukraine utility attack that caused outages after disabling several substations and breakers.
The PURA report noted the tightrope officials and utilities walk in formulating cybersecurity policy, a “tension between alarmism and complacency.”
“We should not give in to hysteria or panic in a modern version of Henny Penny’s alarm that the sky is falling. At the same time, we need to recognize the risks and consequences of cyber disruption. Given the motivations and capabilities of those who seek to damage the United States, the increasingly accessible means for committing cyber crime and the difficulty of thwarting attacks with hidden attribution, we need to recognize that there will likely be a utility cyber disruption at some point,” the report said.
This is not the first time Connecticut has taken an aggressive posture to preserve electric reliability. The state also was an early leader in microgrid development for critical services, an effort it pursued after severe storms caused wide-scale power outages.
Survey indicates cyberattack rise
Separately, Tripwire reported last week that its polling shows a dramatic rise in recent cyberattacks. The cybersecurity company surveyed 150 IT professionals energy, utilities, and oil and gas companies in November.
Three quarters of those polled reported an increase over the last 12 months in attacks where they work. In addition, 68 percent said the rate of successful cyberattacks had increased by over 20 percent in the last month.
“It’s tempting to believe that this increase in attacks is horizontal across industries, but the data shows that energy organizations are experiencing a disproportionately large increase when compared to other industries,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “At the same time, energy organizations face unique challenges in protecting industrial control systems and SCADA assets.”
Other findings reported by Tripwire were:
- Energy executives were more than twice as likely to believe their organization detected every cyberattack (43 percent) than nonexecutives (17 percent).
- In the last year, 78 percent of the respondents said they experienced a cyberattack from an external source, and 30 percent from an inside employee.
- 44 percent indicated they have not gathered enough information to identify the sources of cyberattacks on their organizations.
- Nearly one-fourth (22 percent) admitted their organizations do not have business processes to identify sensitive and confidential information.
Join Microgrid Knowledge in Manhattan May 19 for “New York and Beyond: Advancing Microgrids Nationally with Lessons Learned in New York.“