The leader of Connecticut’s cybersecurity efforts said Tuesday that Washington, with a deeply polarized Congress and faction-riven White House, has abrogated its role in defending the nation’s electrical grid, natural gas system and public water supplies against hackers who are growing bolder, more numerous and more sophisticated.
“I’m often asked in my job, ‘Are we safe from a cyber attack?’ And the answer, of course, is no,” said Arthur H. House, the state’s chief cybersecurity risk officer. “We’re not safe. No one’s safe. No federal agency, no state agency, no city, no business, no individual can take safety as an assumption. We’re all threatened. We’re threatened all the time. What’s important is that Connecticut and Connecticut’s utilities take cyber security very, very seriously.”
House joined Gov. Dannel P. Malloy and representatives of state agencies and utilities to release the second annual cybersecurity review of Connecticut’s systems for the delivery of electricity, natural gas and water. The report found no penetrations of any Connecticut utility, despite hundreds of millions of attempts annually from every corner of the world.
“These threats are real,” said James W. Hunt, a senior vice president for regulatory affairs at Eversource. “And just to put it into perspective, at Eversource we estimate that we get a million knocks on the door from these threats every day.
The attacks represent everything from attempts to steal customer data to efforts to infect or control utilities that are increasingly controlled by sophisticated computer software.
Malloy called the annual review a model for the nation.
“Connecticut’s critical infrastructure was able to stay ahead of the growing threats and sustain a defense against this cyber threat,” Malloy said. “It is our job as a state to be as ready as possible.”
House, whose resume includes a stint as the chairman of the Public Utilities Regulatory Authority and high-ranking posts in national security jobs and Congress, said Connecticut’s annual review offers a model of cooperation among utilities, regulators and security officials to protect vital infrastructure and stay abreast of cyber threats.
He said the role of states is key for two reasons: States provide the first response to infrastructure failures, and Washington has been less than an effective working partner.
“Congress hasn’t passed any significant cyber security legislation. There’s no clarity on cyber security leadership coming from Washington,” House said. “We cannot rely on Washington to keep us safe. The states have to take the lead.”
State officials worked on the annual review with two major water suppliers, Aquarion and Connecticut Water, and two companies that provide electricity and natural gas, Avangrid and Eversource.
The ultimate fear, as outlined in a related “cyber security action plan” released earlier this year, is a prolonged power outage that could cripple the power grid and ripple throughout government and the economy.
“A prolonged outage of critical infrastructure presents a set of challenges local and state law enforcement need to anticipate and practice, including assessment of security demands resulting from prolonged absence of electricity, food, water and fuel,” the action plan says. “Law enforcement needs to be prepared to ensure safe delivery of scarce supplies, and if banking systems no longer operate, to anticipate and manage new law enforcement demands. Cyber threats extend beyond police departments to other government functions including, but not limited to, consumer protection, health and elderly services and banking and insurance regulators.”
The plan recommends increased investments in security and intelligence gathering, though House said the state police have assigned detectives to a new cyber unit, which he called a good start.
While officials commended the utilities for recognizing the threats and working with the state, the review indicates that response is not universal.
“For many businesses, fear of and opposition to legislation and regulation dominate their thinking about cybersecurity, and they approach the subject with some suspicion and resentment,” the report said. “Yet cybersecurity has become a compelling public issue. Elected officials understandably no longer accept lack of information as a reason for being unable to respond to questions about the effectiveness of cybersecurity in both government and business. They demand answers.”