US GAO report on cyberthreats to the grid urges action by FERC, DOE

A new federal report outlined the cybersecurity risks facing the U.S. power grid, including from internet-connected "smart" devices and coordinated cyberattacks across geographically dispersed areas, and the steps federal regulators and the U.S. Department of Energy can take to bolster grid security.

Requested by the U.S. House of Representatives' Energy and Commerce Committee in 2015, the study by the U.S. Government Accountability Office is part of a larger and ongoing examination of the power grid's cyber defenses.

Released Sept. 25, the GAO report found that foreign nations, criminal syndicates, terrorist groups, and others are becoming increasingly capable of attacking the power grid through the industrial control systems that support grid operations. The GAO also warned that the grid is becoming increasingly vulnerable due to the widespread adoption of "high-wattage consumer Internet of Things devices" — internet-connected "smart" appliances such as meters, thermostats and electric vehicles — and the use of global positioning systems to synchronize grid operations.

In a GAO podcast, the agency's information technology and cybersecurity director, Nick Marinos, said smart devices allow the power sector to remotely monitor and reconfigure grid-supporting networks, but they also create vulnerabilities in the sector's increasingly interconnected business and industrial control systems.


GAO's natural resources and environment director Frank Rusco said that "the big concern" is that a cyberattack on transformers or other critical components could cause "widespread and long-lasting power outages" and keep first responders from accessing needed power supplies "indefinitely."

Rusco said the U.S. wants to avoid Ukraine's December 2015 blackout experience, where suspected Russian government hackers took 27 substations in Kyiv, formerly known as Kiev, offline after gaining access to control systems more than six months earlier through malicious emails. Russian hackers in December 2016 caused another blackout in Kyiv by using CrashOverride, the first-ever malware made to target electric grids.

The U.S. power grid on March 5 experienced its own first known disruptive cyber event, in the form of a 10-hour distributed-denial-of-service attack against the servers of unnamed utilities in California, Utah and Wyoming. According to a recent analysis by the North American Electric Reliability Corp., the unsophisticated DDoS attack did not cause any blackouts or affect generation. But it did cause communication outages of less than five minutes between a utility's "low-impact" control center and multiple remote generation sites, and between equipment at those sites.

GAO recommendations for DOE, FERC

The GAO report observed that "while recent federal assessments indicate that cyberattacks could cause widespread power outages in the United States, the scale of power outages that may result from a cyberattack is uncertain due to limitations in those assessments." For instance, the GAO said the cybersecurity risk assessment of the U.S. grid conducted by the U.S. Department of Energy used a model that covered only a portion of the grid, and represented that portion as it existed around 1980.

The GAO, therefore, recommended that DOE fully assess cybersecurity risks to the grid with up-to-date information. It also urged the Federal Energy Regulatory Commission to consider requiring changes to mandatory cybersecurity standards to better reflect the growing risks and the National Institute of Standards and Technology's Cybersecurity Framework.

The GAO further recommended that FERC evaluate the potential risk of a coordinated cyberattack on geographically distributed targets. It explained that the threshold for determining which entities must comply with grid cybersecurity standards is based on an analysis that did not consider such a coordinated, geographically distributed attack. The response of the U.S. government and its industry partners to such an attack "could be more difficult than to a localized event since resources may be geographically distributed rather than concentrated in the same area," the report explained.

In a joint statement, four Democratic members on the House Energy and Commerce Committee, led by Committee Chairman Frank Pallone, N.J., heralded the GAO report for exposing the "clear and urgent" cybersecurity threats and challenges facing the grid. "That's why Congress must act decisively to ensure these risks do not materialize," they said.

"Risk assessment, information sharing, coordination of government and private sector entities, workforce training, and response planning to address cybersecurity risks must be improved nationwide," said the Democratic representatives, who added that three unnamed bipartisan, electricity-focused cybersecurity bills are awaiting votes on the House floor.

The GAO report comes as the National Institute of Standards and Technology's National Cybersecurity Center of Excellence released on Sept. 23 a draft cybersecurity practice guide on asset management for the energy sector.