Connecticut PURA issues 2021 cybersecurity report for utilities

Published on January 11, 2022 by Dave Kovaleski


The Connecticut Public Utilities Regulatory Authority (PURA) released its annual cybersecurity report, which looks at the cybersecurity programs of the state’s regulated electric, gas, and water utilities.

The 2021 report revealed that phishing attacks were once again the largest source of successful cyberattacks. However, the report found that phishing attacks have become more automated and more capable of evading detection. Further, it found that the lack of multi-factor authentication was the primary cause of many successful phishing hacks on utility vendors and business partners. In addition, it noted a rising trend in ransomware attacks across the country.

The report highlights the urgency for Connecticut utilities to continue to refine their existing cybersecurity programs.

The good news is that the Connecticut utilities have implemented many security measures. Some of these measures include requiring multi-factor authentication, enforcing password policies, updating software regularly, establishing protected system back-ups, restricting access to resources, and collecting and retaining audit logs.

One of the challenges is finding qualified personnel to manage cybersecurity efforts. Eversource has found a creative solution to cultivating cybersecurity personnel by partnering with a local college. Eversource’s chief information security officer is an adjunct professor at Central Connecticut State University’s Cybersecurity Program. This partnership helps provide Eversource with qualified individuals for internships during education and employment after completion.

Also, the report noted that state officials, as well as representatives from private businesses, jointly participated in GridEx VI – a cybersecurity exercise put on every two years by the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC). GridEx seeks to simulate cyber and physical attacks on the nation’s electrical grid.

The focus of GridEx VI was to present region-wide disruptions to fuel oil and natural gas supply in New England. The exercise presented several specific scenarios that saw regional disruptions to the fuel supply, electric grid, and communications grid. The Connecticut delegation that competed in the exercise identified several lessons learned and pinpointed areas where they could improve their current cyber response plans and procedures.

Also, the PURA report found that many state utilities participated in the Connecticut Cybersecurity Committee. The committee, which comprises state agencies, local governments, federal partners, and private companies, meets monthly to discuss threats and cyber trends and share information.

The companies that participate in this committee receive timely cybersecurity threat and best-practice information from other members. This helps companies cultivate their own cybersecurity expertise. It also connects companies with state and local officials who can assist with any potential cyber incidents.

PURA’s 2021 Public Utilities Annual Cybersecurity Report results from collaborative efforts between PURA, state agency partners, and Connecticut’s regulated utility companies.