As the COVID-19 pandemic forced office-based employees of Connecticut’s electric, gas and water utilities into primarily remote work last March, it laid bare cybersecurity vulnerabilities that arose from attempting to recreate network connectivity from personal devices and homes using virtual private networks.
These were some of the findings in the fourth annual Public Utilities Critical Infrastructure Report from the state’s Public Utilities Regulatory Authority (PURA) released on Monday.
While the report notes progress made by Eversource Energy, Avangrid, Connecticut Water and Aquarion Water Co. in 2020, PURA urged them to beef up cybersecurity protocols and test threat-response systems as cyberattacks continue to increase each year in volume as well as speed and sophistication.
PURA said the “massive societal shift” to a work-from-home status allowed for the increasing use of phishing attacks and malware by cyber actors and criminals targeting personal accounts and systems in addition to online meeting platforms.
“Cybersecurity must remain a key objective for Connecticut utility companies as cybercriminals continue to take advantage of the challenges brought forth by the pandemic,” PURA Chairman Marissa Gillett said in a statement.
Gone Phishing
Phishing attempts are still the primary form of cyberattack, according to the report. The deployment of new technologies to identify and exploit vulnerabilities indicates growing activity by sophisticated cyber actors, which are often backed by state sponsors such as Russia, China and Iran. C-suite executives were the target of sophisticated phishing attempts, highlighting the need to prioritize company executives’ training. There was a spike in activity from less sophisticated actors in generic phishing attempts to steal log-in credentials or introduce malware, often in search of “illicit financial gain.”
The report said that robust, frequent phishing testing of employees, as often as monthly, “provides real-world examples” to help them identify phishing attempts. If a regular testing program is not in place at a utility, it is “seriously deficient” and “must be addressed with urgency.”
Third-party Vulnerabilities
The report added that third-party vendors are another area of concern, as they often provide external services to utilities, such as business email, which can be compromised. In so-called “squatting attacks,” actors register domain names similar to the utility company’s and target its vendors.
“Doing business with external vendors makes the utilities depend to an extent on the security of the vendors themselves,” PURA wrote. “This security dependency requires that the utilities invest significant resources to ensure the vendors have adequate security programs to protect the company.”
Learn by Committee
The state runs the Connecticut Cybersecurity Committee, which meets every month. Consisting of state agencies, local governments, federal partners and private companies, it briefs participants on current threats and trends and provides training activities and sharing of “lessons learned” information.
Most of the state’s utilities took part in the committee last year, and it shared real-time updates on the SolarWinds Orion hack made public in December. The exploit potentially affected many federal agencies and private companies, but it was particularly notable for utility companies because the product monitors network traffic on operational systems. PURA said it was “premature at this time” to discuss detailed responses by the utilities.
FERC and the Department of Energy were also attacked, and the commission in December proposed incentives to encourage public utilities to make cybersecurity investments above and beyond the requirements of NERC’s Critical Infrastructure Protection standards. (See FERC Pushes Cybersecurity Incentives.)