The U.S. electric power sector has suffered no lasting damage from cyberattacks and is generally prepared to manage most electricity disruptions, but the risk of significant cyber intrusions is growing, according to a report from the U.S. Department of Energy released May 30.
Despite the power sector's ability to manage the heightened threats, the DOE said it identified several "gaps" in the industry's response capabilities for a major cyber or physical attack on the electric grid.
"Despite the electricity subsector's substantial experience responding to power outages from severe weather, the potentially unique characteristics of a significant cyber incident may cause any electricity disruption to be larger in terms of grid impacts and customers without power and longer in duration than seen from historical events," the report said.
President Donald Trump directed the DOE to conduct the study, "Assessment of Electricity Disruption Incident Response Capabilities," as part of a May 2017 executive order on bolstering the cybersecurity of federal networks and critical infrastructure.
Although the U.S. is broadly prepared for most electricity disruptions, the report observed key gaps in assets and capabilities for dealing with a major cyber incident. Those shortcomings include an inability to consistently provide details to government, regulatory and utility entities on possible impacts from cyber-related disruptions.
The report noted that the electricity sector's primary situation awareness capability — the Cybersecurity Risk Information Sharing Program, or CRISP — covers most but not all U.S. electricity customers and is limited to the business networks of participating firms. Power sector entities also do not have the capability to correlate cyber incident data in real time across multiple sectors, the DOE said.
To improve impact analysis and capability, the report recommended the DOE work with the North American Electric Reliability Corp., the Defense Advanced Research Projects Agency and other relevant organizations to study an expansion of cyber situational awareness. It said the U.S. Department of Homeland Security should work with cross-sector partners to develop situational awareness across interdependent critical infrastructure and coordinate with the DOE on a program to continually assess situational awareness.
The DOE also recommended further clarity on community partner roles and responsibilities following a cyber incident, better incorporation of cybersecurity concerns in state emergency and energy planning, and improved recruitment and maintenance of power sector cybersecurity experts. In addition, the DOE urged improved supply chain security, information sharing and access to needed resources for cybersecurity preparedness.
The report comes as the U.S. tries to toughen its utility cyber defenses against increasingly sophisticated threats. In December 2015, hackers temporarily took down three Ukrainian electricity distribution companies, causing widespread power outages that affected roughly 225,000 customers for up to six hours. The so-called BlackEnergy3 malware the attackers used to communicate with the utilities' infected systems has also been found within organizations that operate U.S. critical infrastructure, the DOE study said.
More recently, DHS issued an alert in March that blamed the Russian government for a two-year cyber campaign partly aimed at infiltrating the computer networks of the power grid and nuclear energy plants.
To handle the growing tide of threats, the DOE recently released a five-year cybersecurity strategy for U.S. energy systems. In February, the department announced it was forming the new Office of Cybersecurity, Energy Security and Emergency Response, known as CESER, which will focus on the DOE's cybersecurity and incident response activities. Previously, those duties were managed by the DOE's Office of Electricity Delivery and Energy Reliability, but the Trump administration decided to move the office's cyber mission to a separate dedicated entity.
