HARTFORD — Electric, natural gas and major water companies and regional distribution systems in Connecticut have been penetrated by hackers and other cyber attackers, but defenses have prevented interruption, state utility regulators said today in their first report on cyber security.
Security challenges are constantly evolving and “becoming more sophisticated and nefarious” and the ability of utilities to detect and stop penetration must constantly improve, the Public Utilities Regulatory Authority said in its report to Gov. Dannel P. Malloy.
The report, required as part of legislation enacted last year, said the region’s Massachusetts-based grid operator, ISO-New England, has “more sophisticated” cyber defenses than utilities do.
“ISO-NE is constantly being probed, as are all of New England’s utilities, many of which have been compromised or penetrated in the past,” the report said. “ISO-NE’s strength, therefore, depends on both its own cyber defense capabilities and those of each of the utilities with which it works.”
The report did not identify the utilities that were compromised or say how. ISO said in a statement it wouldn’t elaborate publicly on security details.
Weaker utilities in the region need to be monitored because failure in one utility could affect the resilience of the region’s system, the report said.
Referring to what utilities and water companies can do to protect against threats from workers inside their companies, the report said personnel security requires a balance “between prudence and overkill.”
“When does a security check lead to inappropriate personal invasion and unnecessary expense?” it asked.
Regulators said a traditional reliance on employees with no criminal background is inadequate. “Terrorists, hackers and spies rarely have damaging, discoverable police records,” the report said.
The report warned that compromise could come from employees with ideological or other personal identifications that “motivate disruptive behavior.” And it said it’s virtually impossible to thoroughly vet all employees with potential contact with operations, including maintenance, food services and other vendors.
Regulators compared the two destructive storms of 2011 and Superstorm Sandy in 2012, both of which knocked out power to much of Connecticut, with cyber attacks that threaten utilities’ reliability and resilience.
Regulators hinted at higher costs to beef up security. The possibility of cyber attacks raises the issue of “appropriateness of cost for cyber defense,” the report said.
The Wall Street Journal reported last month that a federal analysis indicated that a coordinated terrorist strike on just nine key electric transmission substations could cause cascading power outages across the country in each of the nation’s three synchronized power networks. Cheryl LaFleur, acting chairwoman of the Federal Energy Regulatory Commission, has not disputed the account but has criticized it as irresponsible.