This Year’s Report Focuses on Four Utility Companies: Aquarion, Avangrid, Connecticut Water, and Eversource
(HARTFORD, CT) – Governor Ned Lamont, leaders of the General Assembly’s Energy and Technology Committee, and the Office of Consumer Counsel today were transmitted copies of the state’s third annual cybersecurity review of Connecticut’s electric, natural gas, and large water companies, which was compiled in an ongoing effort by the state to detect and prevent cybersecurity threats to critical infrastructure.
This year’s report focuses on the cybersecurity strength of four of Connecticut’s public utility companies – Aquarion, Avangrid, Connecticut Water, and Eversource – and concludes that each company is “taking adequate defense measures to protect themselves against their perceived threats.”
The annual report is the result of a 2014 critical infrastructure cybersecurity strategy and a 2016 critical infrastructure cybersecurity action plan that were developed by Connecticut’s Public Utilities Regulatory Authority (PURA). It was produced by Arthur H. House, the state’s Chief Cybersecurity Risk Officer; Steven Capozzi, Public Utilities Engineer for PURA; David Geick, Director of Information Technology Security Services for the Department of Administrative Services (DAS); and David Palmbach, Intelligence Analyst for the Connecticut Intelligence Center.
“In this day and age it is critical that we be prepared for any type of cyberattack that could potentially threaten our state, and the best strategy to strengthen our defenses is working with all of our public utility companies as a united front,” Governor Lamont said. “This voluntary collaboration is helping us prepare for any contingency and we are grateful for the cooperation each of these companies have demonstrated, which are in the public’s best interest.”
The companies were graded using the Cybersecurity Capabilities Maturity Model. The report finds that “the utilities are well aware of the increasing dangers, take them seriously, and demonstrate top-level commitment to construct and manage defense.” It also notes that two main areas require ongoing vigilance and continued improvement, including attention to “spear phishing” efforts to prevent intrusions into critical systems, and foreign interference with malware and cyberattacks.
The report also draws attention to the gap between reports from federal officials regarding increased foreign penetration of critical infrastructure and the lack of any indication of such penetrations in Connecticut. It notes that this gap creates a concern that federal agencies are not fully communicating necessary information with their state and local counterparts. It states that the work of local distribution companies to find and root our foreign malware implementations “will necessarily be incomplete until intelligence sharing reflects partnership at levels not currently in place.”
All four utility companies participating in the review explicitly affirmed that neither the U.S. Department of Homeland Security nor any other federal agency has notified them of cyber compromise.
“The Connecticut utilities take seriously their responsibilities to defend against cybersecurity compromise and have deployed extensive defenses,” House said. “They are all eager to work with federal authorities to detect and contain penetrations intelligence agencies claim are present in the U.S. critical infrastructure.”
“It’s important to continually check, test, and re-check cyber defenses because new threats emerge on a daily basis that endanger our critical infrastructure,” Connecticut’s Chief Information Officer Mark Raymond said.
For Immediate Release: October 10, 2019
Contact: David Bednarz
Office of Governor Ned Lamont
Contact: John McKay
Department of Administrative Services