Electricity Distribution Systems at Increasing Risk of Cyberattacks, GAO Warns

A newly published report from the U.S. Government Accountability Office (GAO) describes the risks of cyber-attacks on the electricity grid’s distribution systems, along with the scale of the potential impact of such attacks.

Following a performance audit conducted between September 2019 and March 2021, GAO has discovered that the electricity grid’s distribution systems are increasingly vulnerable to cyber-attacks and that the potential impact of such attacks is not yet clear.

According to GAO, the Department of Energy (DOE), the lead agency for the energy sector, hasn’t included in its plans for the grid’s cyber-security the necessary measures to fully address risks to distribution systems. DOE has updated its plans following a 2019 GAO report on grid cyber-security issues.

“For example, DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains. According to officials, DOE has not fully addressed such risks in its plans because it has prioritized addressing risks to the grid’s generation and transmission systems,” GAO notes in the new report.

After conducting semistructured interviews with 38 key federal and nonfederal entities associated with the cyber-security of grid distribution systems and reviewing reports from both DOE and the Department of Homeland Security (DHS) and other relevant documentation, GAO has concluded that, in its plans to implement the national cyber-security strategy, DOE needs to fully address cyber-risks to the grid’s distribution systems.

“The grid’s distribution systems face significant cyber-security risks—that is, threats, vulnerabilities, and impacts—and are increasingly vulnerable to cyber-attacks. Threat actors are growing more adept at exploiting these vulnerabilities to execute cyber-attacks. However, the scale of the potential impacts of such cyber-attacks on the grid’s distribution systems is unclear,” GAO says.

The growing exposure to cyber-risks, GAO points out, is the result of an increased use of monitoring and control technologies within distribution systems, such as remote control capabilities in industrial control systems (ICS), global positioning systems (GPS) for grid operations, and the connecting of networked consumer devices and distributed energy resources to distribution systems networks.

Vulnerabilities related to the increased use of technology advancements are “compounded for distribution systems because the sheer size and dispersed nature of the systems present a large attack surface,” the report reads.

GAO also says that threat actors may target vulnerabilities in industrial control systems for initial access and then employ other tactics to gain a foothold in the compromised environment and move laterally to other systems.

Such vulnerabilities may exist due to the use of legacy systems that do not feature the necessary cyber-security protections (some were never designed to be connected to the Internet), the lack of conventional IT vulnerability scanning, and lack of timely patching due to the need to take systems or components offline to apply security fixes.

Attackers may exploit these issues to “manipulate, interrupt, or disrupt distribution utilities’ physical control processes or industrial control systems to cause disruptions,” GAO says.

GPS, which is used for synchronizing real-time measurements among multiple devices, is prone to exploitation through jamming and spoofing, which could result in unsynchronized measurements, equipment misoperation, and power outages.

Consumer networked devices, some of which are high-wattage systems, are vulnerable to cyber-attacks and, once connected to the distribution systems, they introduce vulnerabilities, exposing the grid to attacks in which adversaries increase or decrease the electricity demands to disrupt grid operations.

Distributed energy resources, such as rooftop solar units and battery storage units, may introduce vulnerabilities too, especially through their control and communication requirements — some of these devices may be updated remotely and improperly secured update processes may impact the grid as well.

GAO also notes that a multitude of cyber-actors are increasingly capable of targeting the grid’s distribution systems, including nation states, cyber-crime groups, terrorists, hackers and hacktivists, and insiders.

The effects of a cyber-attack on the distribution systems, however, are not well understood. While none of the cybersecurity incidents reported in the U.S. disrupted the grid’s distribution systems, attacks on foreign grid systems have resulted in localized power outages. However, if such an attack were to target a large city in the U.S., the outage could have a national impact.

Both states and industry have taken actions to improve the cyber-security of electricity distribution systems: some states have incorporated cyber-security into their oversight responsibilities, and some are even hiring cybersecurity personnel, but these actions aren’t uniform across jurisdictions.

According to GAO, the DOE’s plans and assessment to implement a cyber-security strategy for the energy grid do address some of the risks associated with the grid’s distribution systems, but vulnerabilities associated with industrial control systems, supply chain, devices that use GPS, and networked consumer devices are not addressed.

“Unless DOE more fully addresses risks to the grid’s distribution systems from cyberattacks, including their potential impacts, in its plans to implement the national cybersecurity strategy for the grid, the […] documents will likely be of limited use in prioritizing federal support to help states and industry improve grid distribution systems’ cybersecurity,” GAO says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
