Connecticut utility companies blocked millions of hacking attempts over the past year, according to a state government report released this week.

The Connecticut Critical Infrastructure 2018 Annual Report found utilities faced more frequent and sophisticated penetration attempts in the past year and were adequately prepared to deal with such attacks.

"While vulnerable to compromise, the companies have enhanced their cybersecurity assets, personnel, and training to prevent future attacks," the report noted.

"Connecticut's utilities are spending more time, devoting more resources, educating their workforces, and transforming their cultures more thoroughly to meet the increased level of threats."

Art House, the state's chief cybersecurity risk officer, says threat levels increased over the last year, with "attempted penetration contacts varying from a few thousand to over 10 million per week, coming from every continent."

"Our assessment is that Connecticut's critical infrastructure was able to stay ahead of the growing threats and sustain its defense against cyber compromise.

"This report underscores the potential of public-private partnership to advance cybersecurity in Connecticut."

'Offense Easier Than Defense'

Aquarion, Avangrid, Connecticut Water, and Eversource all participated in the annual review, reporting "new, powerful viruses and attack vectors unleashed during the past year."

"Their introduction did not radically change the basic truth that in cybersecurity, offense is easier than defense," the report said.

"The task of ensuring security continues to be difficult and demanding."

Attempted penetration contacts varied from a few thousand to over 10 million per week, coming from every continent.
None of the state's four utilities reported that they were among a group of U.S. utility companies notified by the Department of Homeland Security or FBI that they were penetrated by Russia or other nation states.

"All four companies take cybersecurity seriously," the report said.

"During the past year, the leadership of all companies increased attention to cybersecurity management and the culture of awareness and cyber hygiene, enhanced spending on cybersecurity programs, and increased the number and levels of personnel with cybersecurity expertise."

Challenges

The report cites a number of ongoing challenges, including:

  • Difficulty recruiting, evaluating, and retaining cybersecurity subject matter experts
  • Employee buy-in of corporate cybersecurity culture
  • Improved and high-quality attacks such as spear phishing
  • Increased dependence on the Internet of Things and computer-managed systems
  • Inadequate cybersecurity protection from supply chain vendors

Private sector participation in the state's annual cybersecurity review process remains optional, although last month House suggested audits for both utilities and large companies may one day be required by state law.