The state’s chief cybersecurity risk officer says distributed generation creates new entry points for hackers to exploit.
Connecticut’s public utilities are at risk.
Cybersecurity threats are growing in number and degree of seriousness, according to a new report from the state. Last month, Gov. Dannel Malloy released the state’s second annual review of utility cybersecurity, which found that despite millions of attempts, there were no cyber breaches of the major utility companies delivering electricity, natural gas, and water across the state. Attempted hacks varied from a few thousand to more than 10 million, depending on the week, and came from every continent. A successful cyber attack might mean stealing customer data, infecting utility’s computer software, or even causing a statewide blackout.
Public utilities have thwarted attacks so far, but the emergence of renewables in Connecticut’s energy market could complicate matters, according to Arthur House, the state’s chief cybersecurity risk officer. “We’re very concerned about people getting into utility company through a renewable system,” he said. Renewable energy is a burgeoning player in the state and made headway earlier this year when lawmakers passed a bill mandating that 40 percent of its electricity come from renewable sources by 2030.
House recently spoke with the Energy News Network about the relationship between clean energy and cybersecurity. This conversation has been edited for length and clarity.
Q: What are the big takeaways from this year’s report?
First of all, the intensity and frequency of probes and attacks have increased. Secondly, utilities have grown their cybersecurity capacities. Ten years ago, they might have had one or two people on board. Now it’s a more thorough team. Third, both boards of directors and CEOs continue to take this seriously, even more so in 2018 compared to 2017.
Q: Can you explain how clean energy, like solar and wind, fit into the state’s cybersecurity efforts?
We have to address global warming and climate change, and renewables are central to that effort. At same time, we have to protect society from cyber compromise. We have to understand how they relate to each other. When you have a new system, it’s built for efficiency and low cost without all the cybersecurity guards built into more traditional forms of energy. [That’s] something we need to pay attention to.
If you look at this from cybersecurity perspective, the source of power is less important than its security. We’re concerned about distribution in a safe manner. As we move off conventional sources of energy to more wind, more solar, we’ve got to make sure new energy sources are as well protected or better protected than the ones we replace. If you throw in a new set of suppliers like solar panels on roof, you have more openings for cyber penetration.
Q: So new suppliers mean an increasing number of entry points into Connecticut’s energy system. How do you balance the need for these sources of clean energy with the need to be cyber-secure?
It is a juxtaposition that I regret because both are laudable goals. We want both. Sometimes working in one area does not solve questions in the other. Cybersecurity isn’t a prime concern for a lot of these startup companies like getting orders and installing high quality systems [are]. [Those are] immediate do or die issues. If they don’t resolve them, they won’t be in business anymore.
We want them to conduct business in ways that are more cybersecure. We want more renewables. We want access to energy they generate, but don’t want to compromise entry into utility itself.
Q: There’s been talk about modernizing the electric grid in Connecticut. What would the move toward a smart grid and technology like smart meters mean for cyber resiliency?
I think the grid modernization is an opportunity to focus on cybersecurity. There needs to be attention to reducing the number of and exposure of grid platforms. Ironically, those who came late to the game in grid modernization have advantages. They can adapt new computer technologies that are more cyber-secure than ones that existed years ago. When you have a decentralized grid, there’s all kinds of ways to get in. I’d rather have grid modernization, with the software and a greater sense of where openings are and how to protect them.
Q: How might the cybersecurity strategy shift as the state continues to embrace renewable energy?
We have done this report, an initial effort, and Connecticut is one of the more advanced states [in cybersecurity]… Our cybersecurity action plan, which came out in May, set forth things that can be done now. At some point, we might want to expand annual review of cybersecurity to include things like solar.