The U.S. electric grid is becoming more vulnerable to cyberattack, particularly those involving industrial control systems that support grid operations. Such cyberattacks could cause widespread power outages but the scale of such outages is uncertain.
Senator Maria Cantwell, who is sponsoring new legislation that requires advanced cybersecurity applications and technologies for the energy sector, said the grid is subject to over a million cyberattacks every day.
The electric grid’s cybersecurity risks can be grouped into three areas:
Threat actors. Nations, criminal groups, terrorists, and others are increasingly capable of attacking the grid.
Vulnerabilities. The grid is becoming more vulnerable to cyberattacks. Two examples are the increasing adoption of high-wattage consumer Internet of Things devices, which could be compromised in large numbers to manipulate electricity demand, and the grid's reliance on Global Positioning System (GPS) timing signals to synchronize operations, which can be jammed or spoofed.
Impacts. Although cybersecurity incidents reportedly have not resulted in power outages domestically, cyberattacks on industrial control systems have disrupted foreign electric grid operations, most notably the 2015 and 2016 attacks on Ukraine's grid.
The Department of Energy (DOE) helps address cybersecurity risks in each component of the electric grid’s infrastructure. However, a Government Accountability Office (GAO) review has found that DOE has not developed plans for electric grid cybersecurity that address the key characteristics needed for a national strategy.
GAO’s September 25 report uses the example of a DOE risk assessment which had significant methodological limitations and did not fully analyze grid cybersecurity risks. One such key limitation was that the assessment used a model that covered only a portion of the grid and reflected how that portion existed around 1980.
GAO is making a recommendation to DOE to develop a plan aimed at implementing the federal cybersecurity strategy for the grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid.
DOE concurred with the recommendation and stated that it is working through an interagency process to develop a National Cyber Strategy Implementation Plan that will consider DOE’s Multiyear Plan for Energy Sector Cybersecurity.
The GAO report also noted that the Federal Energy Regulatory Commission (FERC), the regulator for the interstate transmission of electricity, has approved mandatory grid cybersecurity standards (the NERC Critical Infrastructure Protection, or CIP, reliability standards). However, it has not ensured that those standards fully address leading federal guidance for critical infrastructure cybersecurity, specifically the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
In addition, FERC’s approved threshold for which entities must comply with the requirements in the full set of grid cybersecurity standards is based on an analysis that did not evaluate the potential risk of a coordinated cyberattack on geographically distributed targets. Such an attack could target, for example, a combination of geographically dispersed systems that each fall below the threshold for complying with the full set of standards. Responding to such an attack could be more difficult than to a localized event since resources may be geographically distributed rather than concentrated in the same area. Without information on the risk of such an attack, FERC does not have assurance that its approved threshold for mandatory compliance adequately responds to that risk.
GAO recommends FERC consider adopting changes to its approved cybersecurity standards to more fully address the NIST Cybersecurity Framework. In addition, FERC should evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, based on the results of that evaluation, determine if changes are needed in the threshold for mandatory compliance with requirements in the full set of cybersecurity standards.
GAO released its report the same day that the Senate Energy and Natural Resources Committee unanimously approved legislation intended to protect the electric grid from cyberattacks.
The Enhancing Grid Security Through Public-Private Partnerships Act requires DOE to establish and carry out a program to assess the cyber and physical security of electric utilities.
The committee also approved the Energy Cybersecurity Act that requires DOE to develop advanced cybersecurity applications and technologies for the energy sector.