In a September 25, 2019 report, the Government Accountability Office (GAO) outlined significant vulnerabilities and risks facing the country’s electric grid and called for action from the Department of Energy (DOE) and the Federal Energy Regulatory Commission (FERC). Congress’s oversight arm wrote that, while FERC has approved standards for grid cybersecurity, the agency has not ensured that those standards fully address federal guidance on critical infrastructure cybersecurity. Similarly, while the DOE has developed and implemented plans to address grid cybersecurity, those plans do not meet the requirements of a successful national strategy. In short, the country’s leading energy regulators are operating with incomplete plans that leave the electrical grid open to cyberattack.
A longstanding concern
Private companies own and operate much of the United States’ electrical grid, but the federal government maintains a strong influence over the industry, particularly where security risks are concerned. The DOE takes the lead role in this effort, and FERC acts as the regulator of interstate transmission of electricity. Federal information security has been on the GAO’s High-Risk List since 1997, and the designation was expanded in 2003 to cover protection of critical infrastructure such as the grid, identifying it as a top priority.
Overall, power grid operations are relatively resilient. According to the GAO report, most outages are localized interruptions caused by weather events or accidents that damage equipment. A cyberattack, by contrast, could cause interruptions on a much larger scale, making effective response far more difficult. According to the report (pg. 16), federal agencies have conducted assessments of the risk cyberattacks pose to the grid, but the GAO found those assessments too narrow in scope to accurately gauge the potential impact of a cyberattack. Federal agencies and the power industry know they are vulnerable, yet they are operating partly blind: they do not know the full extent of what a successful cyberattack would mean.
Time to act
Concern about cybersecurity has grown since a December 2015 state-sponsored cyberattack against the Ukrainian power grid cut power to hundreds of thousands of people for several hours. The GAO report identified nation-states as the greatest threat to power-grid security, but also included potential threats from terrorists, criminal hackers, and hacktivists.
Other major concerns for power grid cybersecurity come from growing wireless interconnectivity and aging infrastructure. The increasing use of wireless and internet-connected networks expands the attack surface. Parts of the grid still rely on legacy devices that were designed without cybersecurity protections in mind and cannot easily be retrofitted. A further area of concern is the grid’s reliance on the global positioning system (GPS) for timing and control functions; the DOE highlights GPS signals, which can be jammed or spoofed, as susceptible to exploitation and attack (pg. 28).
The GAO credits the DOE for having a strategy to implement cybersecurity protections, but identifies gaps that weaken its effectiveness. In particular, the DOE plan lacks clear benchmarks and metrics for measuring whether cybersecurity protections have actually been implemented. The GAO similarly credits FERC for approving mandatory reliability standards, but identifies areas where FERC’s standards fall short of federal guidance on improving infrastructure cybersecurity. Notably, FERC has not assessed the risk of a coordinated cyberattack on targets spread across a large geographic area. Without that information, the GAO says, FERC cannot be sure its standards are adequate to maintain the grid’s reliability and security.
The GAO recommends that both the DOE and FERC develop plans, strategies, and protocols that address all aspects of the federal guidance. It criticized FERC because the standards it has approved do not fully reflect the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The GAO rated FERC’s standards against each category of the framework on a spectrum: fully addressed, substantially addressed, partially addressed, minimally addressed, or not addressed. The standards fell short of fully addressing almost every category. Particularly alarming, the current FERC standards do not address the framework’s risk management strategy category at all.
The risks highlighted in the report are not new. The DOE Office of Inspector General (IG) has conducted multiple investigations and produced reports on DOE and FERC cybersecurity activities; the common thread is that both agencies make some improvements, but certain weaknesses persist from earlier evaluations (some dating back to 2014) into later ones. Congress and the rest of the government have been aware of power grid vulnerabilities for some time. These issues were highlighted in a July hearing before the House Energy and Commerce Subcommittee on Energy. The 2019 Worldwide Threat Assessment, produced by the Intelligence Community and presented by the Director of National Intelligence, outlined cyber threats in detail. The assessment described (1) Russia’s efforts to map U.S. grid infrastructure and use that knowledge to later cause “substantial damage”; (2) China’s ability to launch temporary but disruptive attacks on the power grid; and (3) Iran’s emergence as a significant cyber threat.
This year, the House proposed two bipartisan bills to address these concerns: H.R. 359, the Enhancing Grid Security through Public-Private Partnerships Act, and H.R. 360, the Cyber Sense Act of 2019. The Senate Energy and Natural Resources Committee made a similar move with S. 79, the Securing Energy Infrastructure Act. Each of these bills takes a different approach to the power grid’s vulnerability to cyberattack. S. 79 has passed the Senate, while both House bills are still working their way through committee. The need for action is urgent.