Processing Your Payment

Please do not leave this page until complete. This can take a few moments.

April 21, 2014 Editorial

Third-party audits best way to oversee cyber security

Last week's announcement that Connecticut's utilities have been compromised by cyberattacks isn't surprising, but it does raise serious concerns about the vulnerability of the state's electricity, natural gas, and water infrastructure.

Cyberattacks pose a serious threat to the state's economy, potentially leading to blackouts or water issues that disrupt the flow of commerce. The fact that Connecticut, like all other states, doesn't have a comprehensive blueprint to deal with the growing danger is alarming.

Last week, Arthur House, chairman of the state Public Utilities Regulatory Authority, released a study that detailed the cyber threats facing Connecticut and offered some ideas on how the state could set up a strong defense system.

A key issue Connecticut will need to grapple with is oversight. Who should make sure the state's major utility providers adhere to best practices and invest in infrastructure and technology that prevents online hackers from compromising the electric grid?

Utilities have already raised a red flag about potential state intrusion. House's report said “state-regulated utilities are undoubtedly reluctant to open their cyber doors to state regulators, thereby sharing sensitive, secret, and extremely important information.”

We certainly understand utilities' privacy concerns, but cybersecurity compliance shouldn't be left to self-reporting. There is too much risk involved to take each company at its word, even though there are many incentives for utilities to have the best possible defense system.

House's report suggests the state make use of third-party audits, similar to how accounting firms review the finances of companies and report their findings based on uniform standards. This idea makes a lot more sense for a couple of reasons.

First, it prevents the state from having to spend money to set up a new cybersecurity agency or department. Currently, no U.S. state regulator has cyber expertise on staff capable of performing a thorough cyber audit, House's report said, so acquiring that intelligence would be prohibitive in terms of cost, time, and training.

We certainly don't want to see the state's bureaucracy grow any larger.

State regulators also don't work in secure compartmented information facilities, which are designed to protect sensitive data and information. So that means the state, if it were to become a cybersecurity regulator, might need to invest in new office space and equipment as well.

House's report says there are consulting firms with cyber experts who have the ability to store sensitive information and conduct thorough energy audits. Connecticut would be wise to leverage those resources.

State government should develop new cybersecurity standards for utilities, but it shouldn't try to become the chief overseer. Leave that to the private sector, which already has much more expertise and understanding of cyber threats and how to combat them. Third-party audits will hold utilities accountable and prevent state government from having to grow its ranks.n

It looks like Earth Day could bring about a clean energy breakthrough in Connecticut.

Time to lift wind ban

As managing editor Brad Kane reports this week, it appears key legislative leaders and energy officials have reached a tentative agreement on new regulations that will lift the state's three-year ban on wind turbine development. The legislature's Regulation Review Committee is expected to approve the rules at their scheduled Tuesday meeting, unless there is a last-minute technical revision or objection.

Although wind power will never be a major industry in Connecticut, it's important to have that clean energy source available as the state tries to reach its goal of having 27 percent of its electricity come from renewables by 2020. n

Sign up for Enews

Related Content


Order a PDF