Report: Connecticut utilities face more cyberthreats
Data says attacks growing in number, sophistication
Electric, gas and water companies are increasingly vulnerable to cyberattacks, but are keeping up with the rising number of threats, a state report says.
The Public Utilities Regulatory Authority said phishing attempts — emails claiming to be from reputable companies seeking personal information such as passwords and credit card numbers — are the largest type of attack and ”pose a significant risk to all of the state’s critical infrastructure entities.”
“The array and sophistication of cybersecurity threats facing Connecticut’s public utilities seems to grow every year,” said the report, which was released Friday.
Utilities are aware of the increasing cyberthreats and are responding with cybersecurity programs, PURA said. While the types of cyberattacks have remained consistent, the number continues to grow, according to regulators.
“As attacks such as phishing become more automated and easier to conduct, more unsophisticated malicious cyber actors are entering into the cybercriminal ecosystem,” regulators said.
A lack of proper authentication was the source of many successful hacks of utility vendors and business partners, Connecticut’s utility regulators said in an annual cybersecurity report. For example, malicious cyber actors gained access to the supervisory control and data acquisition system at a water treatment plant to manipulate the water treatment process, PURA said.
“The hackers exploited an outdated and unsupported computer operating system used for the utility’s operations,” the report said. “Personnel prevented any control, and operations were not disrupted.”
One of the biggest cyberattacks last year was ransomware used against the information technology systems of Colonial Pipeline that originates in Houston. Operations were halted to contain the attack.
Cyberattacks continue to target the information technology chain and third-party vendors to gain access to networks, PURA said. And cyberattacks have gained access into many networks using legitimate credentials that were likely stolen in previous phishing campaigns or easily guessed based on previous data breaches, regulators said.
The types of cyberattacks have remained “fairly consistent,” but the number is growing, PURA said.
“As attacks such as phishing become more automated and easier to conduct, more unsophisticated malicious cyber actors are entering into the cybercriminal ecosystem,” the report said.
In addition, ransomware actors have “continued to thrive as many new groups targeted entities within the United States this year and showed no signs of slowing down,” PURA said.
Regulators cited the sensitivity of some information to withhold details associated with utilities that participated in the fifth annual report. Arthur House, a former chairman of PURA, said utilities initially resisted the idea of regulators examining their cybersecurity systems.
He said he bargained over the process of an annual review that utilities eventually supported. Utilities are taking cybersecurity seriously and have upgraded systems and hired consultants. “They’re well-defended against normal penetration,” he said.
However, he said no utility is “safe from a probing attack by a sophisticated nation-state” such as China, Iran, North Korea or Russia.
PURA said Microsoft identified vulnerabilities in its servers that were “actively exploited by Chinese state actors” that compromised at least 30,000 devices in the United States.