Regulators: No interruption after utilities hacked

HARTFORD, Conn. (AP) -- Electric, natural gas and major water companies and regional distribution systems in Connecticut have been penetrated by hackers and other cyber attackers, but defenses have prevented interruption, state utility regulators said Monday in their first report on cyber security.

Security challenges are constantly evolving and "becoming more sophisticated and nefarious" and the ability of utilities to detect and stop penetration must constantly improve, the Public Utilities Regulatory Authority said in its report to Gov. Dannel P. Malloy.

The report, required as part of legislation enacted last year, said the region's Massachusetts-based grid operator, ISO-New England, has "more sophisticated" cyber defenses than utilities do.

"ISO-NE is constantly being probed, as are all of New England's utilities, many of which have been compromised or penetrated in the past," the report said. "ISO-NE's strength, therefore, depends on both its own cyber defense capabilities and those of each of the utilities with which it works."

The report did not identify the utilities that were compromised or say how. ISO said in a statement that it wouldn't elaborate publicly on security details.

Appearing at a news conference with Malloy and executives from Northeast Utilities and United Illuminating Co., PURA Chairman Arthur House there have been "a lot" of attempts to infiltrate the computer systems of Connecticut's utilities. He said his agency and the utilities need to determine whether their steps to defend against the attacks are adequate.

Weaker utilities in the region need to be monitored because failure in one utility could affect the resilience of the region's system, the report said.

Referring to what utilities and water companies can do to protect against threats from workers inside their companies, the report said personnel security requires a balance "between prudence and overkill."

"When does a security check lead to inappropriate personal invasion and unnecessary expense?" it asked.

On Monday, Malloy directed PURA to convene a series of meetings with the utilities to reach a consensus on issues raised by the report, such as establishing security standards and managing oversight of cyber-security compliance. Additionally, Malloy wants the Department of Emergency Services and Public Protection to conduct a cyber-security drill and the General Assembly to review the report to see if legislation is needed.

"The chance of an attack doing serious damage to the state of Connecticut cannot be taken lightly, and therefore we are stepping up our game in preparation," Malloy said.

Regulators said a traditional reliance on employees with no criminal background is inadequate. "Terrorists, hackers and spies rarely have damaging, discoverable police records," the report said.

The report warned that compromise could come from employees with ideological or other personal identifications that "motivate disruptive behavior." And it said it's virtually impossible to thoroughly vet all employees with potential contact to operations, including maintenance, food services and other vendors.

Regulators compared the two destructive storms of 2011 and Superstorm Sandy in 2012, both of which knocked out power to much of Connecticut, with cyber attacks that threaten utilities' reliability and resilience.

Regulators hinted at higher costs to beef up security. The possibility of cyber attacks raises the issue of "appropriateness of cost for cyber defense," the report said.

The Wall Street Journal reported last month that a federal analysis indicated that a coordinated terrorist strike on just nine key electric transmission substations could cause cascading power outages across the country in each of the nation's three synchronized power networks. Cheryl LaFleur, acting chairwoman of the Federal Energy Regulatory Commission, has not disputed the account but has criticized it as irresponsible.

___

Associated Press writer Susan Haigh contributed to this report.