Today, Senate President Pro Tempore Martin M. Looney (D-New Haven), Senate Majority Leader Bob Duff (D-Norwalk) and members of the Senate Democratic Caucus called on the utilities in Connecticut to better prepare for increased cybersecurity threats. In a letter to utilities operating in the state, the Democratic Senators highlighted how Russia’s invasion of Ukraine has underscored the need for heightened vigilance to protect our cyber systems and infrastructure against the increasingly sophisticated form of nation-state sponsored cyber-attacks.
The Senators warned about the potential damage of a successful attack which “could place Connecticut residents in life threatening situations. From the resident who is dependent on electricity for oxygen to live to the dependence all of us have on our water supply, your companies’ cyber security preparations are of the utmost importance to our state. We need to do all we can to strengthen our defenses in light of these more powerful and possibly more imminent threats.”
Furthermore, the Senators called on the need to anticipate and prepare for a critical infrastructure cyberattack.
“We need emergency management exercises whose central premise is such an attack. How would we handle the unprecedented effects of electricity and natural gas outages lasting more than two weeks, and the concurrent and extremely serious demands created by the inability to provide potable water and processed sewage? We want to be assured you are taking all precautions, monitoring the situation, acting to anticipate challenges, and addressing all potential threats with the urgent concern.”
The warning was sent to the major utilities in the state including Eversource, United Illuminating Company, ISO New England, Aquarion Water Company, Regional Water Authority, The Connecticut Water Company, Southern Connecticut Gas Company, and Connecticut Natural Gas Corporation. In addition the letter was sent to local utilities including Bozrah Light and Power, Groton Utilities, Heritage Village Water Company, Norwich Public Utilities, Old Newgate Ridge Water Company, Preston Plains Water Company, South Norwalk Electric and Water, Avon Water Company, Berkshire Gas Company, Hazardville Water Company, Jewett City Water Company, Torrington Water Company, Valley Water Systems, and Wallingford Department of Public Utilities.
In addition to Senator Looney and Senator Duff, the letter was signed by Senator Norm Needleman, Senator Will Haskell, Senator James Maroney, Senator Saud Anwar, Senator Marilyn Moore, Senator Patricia Billie Miller, Senator Christine Cohen, Senator Steve Cassano, Senator Dennis Bradley, Senator Julie Kushner, Senator Cathy Osten, Senator Gary Winfield, Senator Matt Lesser, Senator Derek Slap, Senator John Fonfara, Senator Jorge Cabrera, Senator Mary Daugherty Abrams, Senator Doug McCrory, Senator Rick Lopes, and Senator Joan Hartley.
The full text of the letter is below and a copy of the letter can be found here:
In 2013 the Connecticut General Assembly initiated a first in the nation study by the Public Utilities Regulatory Authority (PURA) to examine the cyber security vulnerabilities of our state’s public utilities. It was so successful a number of states and countries followed our lead.
Russia’s invasion of Ukraine has underscored the need for heightened vigilance to protect our cyber systems and infrastructure against increasingly sophisticated form of nation-state sponsored cyber-attacks.
Since our 2013 initiative, the array of potential cyber-attacks against Connecticut public utilities has grown both in sophistication and means of delivery, including nation-state cyber weaponry detected by our Intelligence Community but in many cases beyond the detection capabilities of private utilities.
On March 15 the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint Cybersecurity Advisory (Alert A22-074A) warning that “Russian state-sponsored cyber actors have gained network access through exploitation of default Multifactor Authentication (MFA) protocols and a known vulnerability.”
The FBI has now added greater certainty to the fact of critical infrastructure compromise by indicting four Russian individuals for their efforts to execute critical infrastructure penetration.
Moreover, President Biden on March 21 underscored previous warnings about the potential for Russia conducting malicious cyber activity against the United States by stating that “evolving intelligence” indicates that “the Russian Government is exploring options for potential cyberattacks.” He specifically stated his administration’s intention to “use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure.” He called on “the private sector and critical infrastructure owners” to “accelerate efforts to lock their digital doors” to strengthen “the cybersecurity and resilience of the critical services on which Americans rely.”
A successful attack on one of your companies could place Connecticut residents in life threatening situations. From the resident who is dependent on electricity for oxygen to live to the dependence all of us have on our water supply, your companies’ cyber security preparations are of the utmost importance to our state. We need to do all we can to strengthen our defenses in light of these more powerful and possibly more imminent threats.
We also need to anticipate and prepare for a critical infrastructure cyber-attack. We need emergency management exercises whose central premise is such an attack. How would we handle the unprecedented effects of electricity and natural gas outages lasting more than two weeks, and the concurrent and extremely serious demands created by the inability to provide potable water and processed sewage?
We want to be assured you are taking all precautions, monitoring the situation, acting to anticipate challenges, and addressing all potential threats with the urgent concern. We are here to be your partners for the people and businesses of the State of Connecticut. We need to ensure that our goals are closely aligned during these unprecedented times so that we can cooperatively fight back against any threats directed toward our state. Connecticut has been a national leader in this changing arena, and we should offer leadership again.
You are our first line of defense. We would deeply appreciate your assessment of how we can most effectively strengthen our cyber defenses, improve our resilience and prepare to counter and rehearse our response to cyber-attacks should they occur. We look forward to hearing from you and to working with you as we confront these new cyber threats and address the warnings we are receiving from our national leaders.