Electric, gas, and water companies are increasingly vulnerable to cyberattacks, according to an annual report reviewing 2021 cybersecurity programs in Connecticut. This may reflect wider emerging trends in the US.

The report by the Public Utilities Regulatory Authority (PURA) found that in 2021, phishing attacks remained the largest source of successful cyberattacks and pose a significant risk to all of the state’s critical infrastructure entities. 

Phishing attacks are emails that claim to come from reputable companies and seek personal information such as passwords and credit card numbers. Phishing is a type of social engineering attack often used to steal user data.

Findings also show these phishing attempts have become more automated, are easier to conduct, and are designed to evade detection.

The lack of multi-factor authentication was the primary cause of many successful phishing hacks of utility vendors and business partners, the report found. For example, malicious cyber actors gained access to the supervisory control and data acquisition system at a water treatment plant to manipulate the water treatment process, PURA said.

These emerging trends, and other wide-reaching phishing and ransomware attacks directed at U.S. companies in the energy and utilities industry, highlight the urgency for Connecticut utilities to continue to refine their existing cybersecurity programs.

Among the security measures already implemented by the Connecticut utilities are requiring multi-factor authentication, enforcing password policies, updating software regularly, establishing protected system back-ups, restricting access to resources, and collecting and retaining audit logs, according to