Risky Business: Cybersecurity and the U.S. Electric Grid
- Nov 21, 2019
The federal government needs to develop a national strategy to protect the U.S. power grid from significant cybersecurity risks, including a system that is becoming more vulnerable to attacks involving industrial control systems and increasing adoption of “smart” devices connected to the internet.
That is a key conclusion of a new report from the U.S. Government Accountability Office. The GAO study also raises concerns over possible attacks, including a coordinated cyberattack by “nations, criminal groups, terrorists, and others [who] are increasingly capable of attacking the grid.” The 84-page report notes that although the federal agencies—the Department of Energy and the Federal Energy Regulatory Commission—have performed a “variety of critical infrastructure protection and regulatory activities aimed at addressing those risks,” they don’t fully address all the key elements of a national strategy.
“Until DOE ensures it has a plan that does, the guidance the plan provides decision makers in allocating resources to address grid cybersecurity risks and challenges will likely be limited,” the report states.
In addition to recommending the DOE create the national strategy that includes a full assessment of the cybersecurity risks to the grid, the report made two recommendations to FERC:
- Consider adopting changes to its approved cybersecurity standards to more fully address the National Institute of Standards and Technology Cybersecurity Framework. Without a full consideration of the NIST framework, GAO states, “there is increased risk that grid entities will not fully implement leading cybersecurity practices.”
- Evaluate the potential risk of a coordinated cyberattack on geographically distributed targets. Determine if changes are needed for mandatory compliance with requirements for full cybersecurity standards.
A joint statement by ranking members of the House Energy and Commerce Committee, Energy Subcommittee and Environment, Climate Change Subcommittee, said the report confirmed their “concerns that cybersecurity risks to our electric grid are significant and growing.” The lawmakers also cited new technologies, including smart appliances and electric vehicles that create additional vulnerabilities that can be exploited by bad actors.
While there are several pending pieces of legislation designed to address cybersecurity issues and the grid, including the Enhancing Grid Security through Public-Private Partnerships Act, the legislators said the GAO report indicated more needs to be done.
“Risk assessment, information sharing, coordination of government and private sector entities, workforce training, and response planning to address cybersecurity risks must be improved nationwide,” the legislators wrote.
Experts Weigh In
The GAO report’s findings were not surprising to several energy and cybersecurity experts. “If you look back at the 1980s when we were in an arms race, we are in a cyber arms race now,” Justin Fier, director for cyber intelligence & analytics at Darktrace, a global AI cyber security company, told CPE. “It’s not a matter of when an adversary gets into our grid or critical infrastructure. They’re already there,” Fier said.
Fier said it’s increasingly likely that bad actors are “already sitting waiting with their finger on the button” to take advantage of an incident to cause further damage. “There’s a lot of incentive for these attackers to get in and hang around for the right geopolitical moment,” agreed Steve Livingston, cyber principal in the Deloitte Risk & Financial Advisory and one of the authors of a Deloitte Global report released earlier this year.
In “Managing Cyber Risk in the Electric Power Sector,” the Deloitte team notes that the sophistication and frequency of attacks are increasing and the numbers of threat actors are growing. The report states energy is one of the top three sectors targeted by cyberattacks in the United States. Threats can come internally from a disgruntled employee or externally from nation-states or organized crime.
The Deloitte report looks at the increasingly complex global supply chains that power companies need to identify to map threats. Livingston said the bad actors are often looking at the grid holistically for multiple ways to disable it and usually target the weakest link in the supply chain, particularly if multiple power companies or utilities are involved in the generation and transmission of power.
“One might have better cybersecurity than the other, so they will go after the weaker one,” Livingston said. He noted they may also target companies that work with utilities to find easier ways to attack the grid. “You might have a real estate firm that works with [the utility] but probably doesn’t spend as much time on cybersecurity as the utility does,” Livingston said.
Sometimes, he added, a company may not even realize it has connections to a utility or other firms. “Rather than hack into all five utilities individually, they will hack into one and move out to the others. They take that next step that gets you a little bit further.”
Managing the risk
The Deloitte report suggests that electric power companies can take a number of steps to overcome these kinds of obstacles and better manage cyber risks, including mapping the infrastructure assets and evaluating the vulnerabilities; evaluating suppliers’ security processes and engaging with industry peers and government agencies to help establish industry standards; and exchanging threat intelligence with peers and testing new technologies.
Livingston added that it’s also better and easier to build in security from the beginning of any new project rather than trying to retrofit later. A good rule of thumb, particularly for commercial real estate owners or property managers, is to budget 10 to 20 percent of every project for cybersecurity, he added.
When it comes to cybersecurity, Fier said much of every industry is behind the curve and playing catch-up in moving from antiquated analog systems to digital. “They’re running on analog systems, some that are 25, 30, 40 or 50 years old. Security was an afterthought 50 years ago,” he said. Fier said most commercial properties have a level of industrial control systems (ICS), which help manage the flow of power, that the owners may not be aware of now because of the Internet of Things (IoT). He cited HVAC systems that have Internet connectivity and electronic door-locking systems as examples.
Fier notes it is not only the electric grid that must be monitored for potential cyberattacks. He listed water treatment and sewage plants, train systems and maritime vessels as just a few examples of entities at risk. Despite the issues raised by the GAO report, Fier said the federal government is “working very closely with the DOE and other agencies out there to stay ahead of this.”
He notes that much of what the federal government is doing is classified and so we will likely not know the full extent of their efforts. “We can’t tip off our adversaries about what we are doing and what we are watching,” Fier said.