Attempts by thieves or state-sponsored groups to hack into utility technology systems are ever evolving, but the COVID-19 pandemic added new wrinkles for Connecticut utilities in their efforts to keep their defenses strong.
According to a newly released annual report by the state Public Utilities Regulatory Authority, bad actors over the past year sought to take advantage of potential weaknesses caused by the sudden and unexpected shift to employees working from home.
That included an increase in attempted attacks that targeted remote employees’ VPN connections as well as online meeting platforms.
“Company networks are now less vulnerable, since there was less centralized activity on those networks,” PURA said in its fourth annual report on utility cybersecurity. “However, this now heavily distributed workforce added new vectors for attack, most notably on individual accounts and systems.”
State reviewers found that all regulated utilities that participate in the voluntary reviews “performed admirably to manage the new COVID-19 work environment, enable remote work and adapt their cybersecurity programs.”
Still, PURA said it’s urging utilities to continue to scale up cybersecurity protocols and test their prevention, detection and response systems as threats continue to increase.
“Cybersecurity must remain a key objective for Connecticut utility companies as cyber criminals continue to take advantage of the challenges brought forth by the pandemic,” PURA Chairman Marissa Gillett said in a statement.
PURA also noted an increase in bad actors targeting C-suite level executives at utilities, either with phishing attacks that can install malware if the email recipient clicks certain links, or through “business email compromise” attacks. The latter include spoofing a vendor’s or fellow employee’s email address, often seeking illicit financial gain through fraudulent invoices or wire transfers, according to the FBI.
PURA said the increased targeting of executives highlights the need to prioritize training them to avoid falling prey to such attempts.
Aside from the challenges created by the pandemic, utilities last year noted the use of new technologies that can more quickly find and exploit new vulnerabilities, which PURA said indicates increasing activity by sophisticated cyber actors sponsored by countries like Russia, China and Iran.
Connecticut regulators have placed a greater focus in recent years on strengthening utility companies’ cyber defenses, concerned about the potential for an attack on the power grid that could cause prolonged power outages.
The reviews with participating utilities — Eversource Energy, Avangrid, Connecticut Water Co. and Aquarion Water Co. — were first established by PURA in 2016 and are confidential.
PURA’s resulting reports provide only vague details about any specific attempted attacks or weaknesses. The agency has deemed utility network defenses to be adequate overall in each year since the reviews began.
