Search Department of Administrative Services

Press Releases

10/12/2017

State Reports Results of Utility Cybersecurity Reviews

Companies Focused on Defenses Against Cyber Threats to Infrastructure

State officials have concluded the first annual cybersecurity reviews of the state’s electric, natural gas and large water companies in a report to Governor Dannel P. Malloy, senior officials of the General Assembly’s Energy and Technology Committee and the Consumer Counsel.

The report stated that the review process achieved its objectives of “realizing a cooperative, candid, productive and insightful sharing of pertinent information regarding Connecticut’s critical infrastructure cybersecurity defense.”

The review and report are the result of a 2014 cybersecurity strategy and 2016 cybersecurity action plan, both products of Connecticut’s Public Utilities Regulatory Authority (PURA) and both announced by Governor Malloy.  Connecticut’s utilities had worked with PURA to reach agreement regarding scope and process for conducting the cybersecurity reviews.  Four utility companies participated: Aquarion, Avangrid, Connecticut Water and Eversource. 

The companies graded themselves using the Cybersecurity Capabilities Maturity Model.  Conducting the reviews were Arthur H. House, Chief Cybersecurity Risk Officer; Steven Capozzi PURA Public Utilities Engineer; Brenda Bergeron, Principal Attorney in the Division of Emergency Management and Homeland Security in the Department of Emergency Services; and Brett Paradis, Intelligence Analyst in the Connecticut Intelligence Center. 

The report and its transmittal are both attached.   The report concludes that “all four companies have healthy corporate cultures addressing cybersecurity hygiene, all have currently adequate operational defense systems and all are investing in ways to strengthen cybersecurity going forward.”

The report noted that two main areas require “ongoing vigilance and continued improvement.”  One is attention to “spear phishing” efforts to insinuate damaging intrusions into cybersecurity systems, and the second is managing third-party services, a reference to supply chain and services provided to the utilities.

Arthur House called the first annual cybersecurity review process “a clear success.”  He said:   “We placed trust in Connecticut utilities to take this challenge seriously and to focus on cybersecurity as an important priority.  Top-level management engaged and held extensive, frank exchanges.  We can never guarantee security.  But having concluded this first round of reviews, we know that Connecticut’s utilities are investing expert attention and capital to defend Connecticut.  The system is working as we had hoped.”

For more information contact Arthur House, arthur.house@ct.gov, 860-622-2218