The U.S. electricity grid’s distribution systems—the parts of the grid that carry electricity to consumers—are becoming more vulnerable to cyberattacks, in part because of the introduction of and reliance on monitoring and control technologies. However, the scale of potential impacts from such attacks is not well understood.
The Department of Energy (DOE) is working on the energy sector portion of the national cybersecurity strategy, but a March 18 Government Accountability Office (GAO) report says the Department’s efforts need refocusing.
Distribution systems are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations.
Distribution utilities included in GAO’s review are generally not subject to mandatory federal cybersecurity standards, but they, and selected states, had taken actions intended to improve distribution systems’ cybersecurity. These actions included incorporating cybersecurity into routine oversight processes and hiring dedicated cybersecurity personnel. Federal agencies have supported these actions by, for example, providing cybersecurity training and guidance.
The watchdog is concerned however that DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains. According to officials, DOE has not fully addressed such risks in its plans because it has prioritized addressing risks to the grid’s generation and transmission systems. GAO says DOE’s plans will consequently be of limited use in prioritizing federal support to states and industry to improve grid distribution systems’ cybersecurity.
Following the SolarWinds hack, the North American Electric Reliability Corp. warned electric utilities that software made by the Texas-based firm is used in the electricity, and urged vigilance. As well as the threat from hostile nation state actors, both far right and Islamic extremist groups have frequently highlighted utilities as targets.
Attackers can use various techniques to gain access to industrial control systems. In 2018 for example, Schneider Electric issued an alert regarding certain solar system monitoring devices that were packaged with universal serial bus removable media that one of its suppliers contaminated with malware during manufacturing. According to a Finnish cybersecurity company, in 2014, a group of attackers used malware to compromise the software installers for industrial control systems devices available on the websites of three vendors based in Europe. The research indicated that this malware infected multiple organizations in Europe and at least one company in California. The malware reportedly gathered information about other industrial control systems devices connected to the infected devices and sent this information to servers that the malicious actors controlled.
Malicious actors have also been known to target systems by using spearphishing emails or by compromising virtual private networks.
GAO has recommended that the Secretary of Energy, in coordination with the Department of Homeland Security, states, and industry, should more fully address risks to the grid’s distribution systems from cyberattacks—including the potential impact of such attacks—in DOE’s plans to implement the national cybersecurity strategy for the grid.
DOE concurred and highlighted work currently underway at its Office of Cybersecurity, Energy Security, and Emergency Response (CESER). In September 2020, CESER announced renewed cooperative agreements totaling $12 million over a three-year period to develop and deploy cyber and cyber-physical solutions for distribution and municipal utilities. As part of a congressionally directed initiative, CESER is partnering with the American Public Power Association (APPA), which represents community-owned utilities serving nearly 50 million customers, and the National Rural Electric Cooperative Association (NRECA), which represents more than 900 electric cooperatives, public power districts, and public utility districts. Through its work with APPA and NRECA, the Department expects to complete work to meet the recommendation by September 2023.
See also our upcoming law enforcement-only event where we explore attacks on the energy sector.