It’s not clear exactly how many times someone may have tried to gain access to Connecticut’s electrical grid with malicious intent, but state officials say they’re working with utilities in developing cybersecurity regulatory guidance.
“Hostile probes and penetrations of utilities occur frequently. Defenses in Connecticut so far have been adequate, but security challenges are constantly evolving and becoming more sophisticated and nefarious,” a report on cybersecurity found.
The report from the Public Utilities Regulatory Authority highlights cybersecurity threats to the state.
Gov. Dannel P. Malloy said the state's computer system fended off 40 million probes last year alone. It’s unknown how many attempts were made on computers at Connecticut’s utilities, like Northeast Utilities and United Illuminating, which distribute electricity and natural gas in the state.
As far as Malloy is concerned, the most significant attack on any electrical utility was the assault on PG&E’s California substation by snipers last year. The attack involved the cutting of telephone cables and shooting out 17 transformers at a substation, according to a Wall Street Journal article.
Peter Clarke of Northeast Utilities said every day there are probes, which are “people trying to get into the system.” But as of Monday none have been successful. “Fortunately our layered securities have worked,” Clarke said.
He said they stay in touch with third-party vendors who keep them up to date on evolving threats. He said many of the probes come from overseas, judging by their Internet Protocol addresses.
“There have been no successful penetrations or interruptions caused by hacking,” Clarke said Monday at a press conference in the Emergency Operations Center.
He said sometimes it’s just people trying to see how far they can get into a system, while others may have “malicious intent.”
Arthur House, a former Director of Communications for the Office of the Director of National Intelligence and current chairman of the Public Utilities Regulatory Authority, said that if there are all these probes taking place from nation states or individual actors, then “what is the nature of our security?”
“How can the people of Connecticut know that there is a system which is being overseen to ensure that the utilities are doing all that they can?” House said.
He said that’s the purpose of the report. Once that information is gathered, it will be shared with the appropriate parties, and one of the possible outcomes would be a voluntary agreement by the utilities to conduct an audit and share that information with select state officials.
“The details of those studies obviously shouldn’t be made public,” House said.
He said that in doing the report Connecticut “is ahead of the game” when it comes to trying to create some type of standard for utilities, which are regulated by the states.
Malloy said the state already knows what it’s like to have 1 million customers without power. He said if a power outage is a result of a cyberattack, it could be sustained for a period of time and have devastating effects on a heating or cooling system.
He said this is a statewide attempt to coordinate cybersecurity efforts at a wide range of utilities. Cybersecurity also will be included in emergency management drills in the future.