Dan Esty, the state's energy commissioner, sat across a conference table from Art House, Connecticut's head utility regulator, in the bunker of the State Armory in Hartford last July for a drill that simulated a statewide response to a major hurricane.
Esty, with other state officials and utility executives nearby, asked whether House remembered exercises like these from his days doing intelligence work for the federal government.
"There are two kinds of drills I've done in Washington," House said. There's the predictable type of emergency, like hurricanes and ice storms, that the state needs to be ready for. And then there's the unpredictable.
"I worry more about unforeseen type, like a cyber attack," he said.
That conversation, the two officials said, seeded a quickening and serious discussion of the state's liability to hackers that would aim to control or damage critical facilities, like the electric grid. House, chairman of the state's Public Utilities Regulatory Authority, is drafting a plan with utilities on how to prepare for, address and respond to cyber attacks.
"Cyber probes are a fact of life," House said in an interview this week. "Connecticut needs to look at it in terms of defense. Are we doing everything we can?"
Initial cybersecurity talks have already occurred between regulators and the state's major utilities, including Northeast Utilities and United Illuminating, and with more meetings planned soon, House said. The forthcoming plan is a product of the state's new energy plan.
The issue of fending off cyber attacks has recently focused on attacks from China as well reports that plans for many of the Pentagon's advanced weapons systems have been compromised by hackers. Last month, the U.S. Department of Homeland Security's cyber security office said that reports of cyber incidents jumped 68 percent last year over the year before.
The danger for industrial firms, like utilities, has increased over the past two decades as more operations rely more on electronic and web-based controls for important systems like electrical substations and water pumps. As early as 2009, when the first reports of hackers from China and Russia leaving malicious software on the electric grid systems across the country began to emerge, the danger that hacking faces the utility industry has been clear.
Federal security officials warn that electronic attacks on these critical facilities could create "the potential for large-scale power outages or man-made environmental disasters" and cause "physical damage, loss of life and other cascading effects that could disrupt services," the Department of Homeland Security's deputy inspector general, Charles Edwards, said in a congressional testimony last month.
"These attacks range from hackers looking for attention and notoriety to sophisticated nation-states intent on damaging equipment and facilities, disgruntled employees, competitors, and even personnel who inadvertently bring malware into the workplace by inserting an infected flash drive into a computer," he said.
In Connecticut, House plans for a rough draft of the state's cybersecurity plan to be finished by Labor Day, with a final version completed by January 2014. It will examine how state utilities could build up their electronic defenses against cyber attacks as well as how private and municipal emergency managers should be prepared in the event of such an attack.
A major piece of the state's cybersecurity efforts will lean on the federal intelligence and security resources that track and investigate cyber attacks, said House, adding that his previous work for the U.S. National Geospatial-Intelligence Agency will aid in the state's efforts. "Cyber defense is not a matter of geography. It's a matter of national defense. It goes across state line and across industries."
Joel Gordes, president of West Hartford energy consultancy Environmental Energy Solutions, has long called for attention to the cyber security issue. He cites testimonies attached to names like Defense Secretary Chuck Hagel, Former Defense Secretary Robert Gates and Former CIA Director Leon Panetta that raised concerns about the issue, concluding that it's about time Connecticut takes a clear-eyed look at cyber security.
"When we see everybody from the CIA to Lockheed Martin and the Bank of America being hacked, it's pure hubris to think that our electric grid could not be compromised," he said.
He supports a broad strategy of decentralizing the electric grid, shifting from a few large power plants serving big swaths of the state to smaller, more local power plants providing electricity to surrounding areas. This arrangement lessens the risk of a singular cyber attack affecting the whole state, as well as reducing the risk of cascading power failures.
Another suggestion relates to how regulators incentivize profits at the utilities. It's not impossible, Gordes said, to link utilities' progress on microgrids and cybersecurity to their bottom line, giving firms like Connecticut Light & Power or United Illuminating incentives to pay closer attention to what would make the electricity infrastructure more resilient.
Arrangements like this are already in place for utilities' administration of energy efficiency programs. "It's introducing some capitalism into what's now a monopoly," Gordes said.
With all forms of security a sensitive subject, utilities limited themselves to general comments about how they approach their preparations for cyber attacks, saying that they take the issue very seriously and look forward to working with regulators on a plan.
Al Lara, spokesman for Northeast Utilities, parent company of CL&P and Yankee Gas, said in a written statement that it has "enhanced the security of both the physical facilities and the electronic systems of all its companies" including "continuous monitoring of electronic access and frequent testing of its defenses."
ISO New England, which operates the region's electric grid, said it put in redundant electronic facilities and follows the industry's best practices in the matter.
"We are continually working to improve our security measures as cyber security threats evolve," said spokeswoman Marcia Blomberg. "We monitor system conditions continuously, and we share information as needed with regulatory and industry bodies."
Data sharing was one of inspector general Edwards' concerns. He said that the Department of Homeland Security's cyber security office needs to consolidate its information sharing efforts with other agencies and the private sector to "ensure that these stakeholders are provided with potential [industrial control systems] threats."
A group of energy companies and public and private groups expressed concerns about the timeliness of federal assessments on cyber threats, specifically noting that they feel that "a great deal of time might elapse until stakeholders were made aware of the same of similar incident that could affect their systems."