Published April 14. 2014 3:00PM Updated April 14. 2014 11:50PM
Hartford — Gov. Dannel P. Malloy has announced a cybersecurity plan for Connecticut’s utilities to protect lives and commercial activities against a “mounting threat” from nation states and individuals trying to hack into utility companies across the country.
At a press conference Monday, Malloy said, “We know what having 1.2 million customers without power is like.
“... We have experienced it, and if that was to be the result of a cyberattack, sustained over a period of time, obviously it can have devastating effects.”
The plan is based on the role of states — not the federal government — in regulating utility companies. A recent report — “Cybersecurity and Connecticut’s Public Utilities” by the state Public Utilities Regulatory Authority — called for a multi-tiered approach to preventing attacks and said utility companies should weigh the pros and cons of using outside, third-party audit companies when trying to measure the results of their efforts.
The state’s major electric companies were present Monday along with ISO New England, which distributes electricity throughout New England, to express their support for a collaborative effort.
“We, on behalf of the people of Connecticut, need to verify that the companies have solid systems in place, (that) they’re being verified and that they are doing all that is possible and reasonable to protect the citizens of Connecticut,” PURA Chairman Arthur House said.
There were more than 3,000 cyberattacks against U.S. companies in 2013, Malloy said. Cyberattacks against utilities providing electricity, natural gas, water and telecommunication services have grown in intensity and sophistication, he said. Connecticut’s state government receives 40 million probes annually, ranging from someone trying to get into the system to someone trying to take down the entire system.
“There have been no successful penetrations or interruptions caused by hacking,” said Peter Clarke, senior vice president of emergency preparedness for Northeast Utilities, the parent company of Connecticut Light & Power.
But the electric power grid is becoming more computerized, he said, and thus more vulnerable to cyberattack.
“This is a constant daily battle to stay ahead of the game,” House said.
The United Illuminating Co. is constantly monitoring external threats coming from the Internet and internal threats by employees, said Craig MacGibbon, vice president and chief information officer for the UIL Holdings Corp., the parent company of The United Illuminating Co.
Malloy said he is calling on PURA, utility companies and state and federal authorities to create concrete actions in response to the questions raised in the report. He also said he would share the report with other states. Issues that deserver further exploration include establishing key standards, reporting on the compliance of meeting those standards and whether to use a third-party auditor to measure results, he said.
The Department of Emergency Services and Public Protection is being instructed to conduct a cybersecurity exercise to explore the challenges and potential problems the state could face, Malloy said. The General Assembly was asked to review the report to prepare for future legislation.
“Just as we are taking proactive steps to harden our critical infrastructure and the shoreline to defend against severe weather events, so too must we be prepared to defend against the potential disruption that cyberintrusions can cause to vital services such as energy, water and telecommunications,” Malloy said.