A newly published report from the U.S. Government Accountability Office (GAO) describes the risks of cyber-attacks on the electricity grid’s distribution systems, along with the scale of the potential impact of such attacks.
Following a performance audit conducted between September 2019 and March 2021, GAO has discovered that the electricity grid’s distribution systems are increasingly vulnerable to cyber-attacks and that the potential impact of such attacks is not yet clear.
According to GAO, the Department of Energy (DOE), the lead agency for the energy sector, hasn’t included in its plans for the grid’s cyber-security the necessary measures to fully address risks to distribution systems. DOE has updated its plans following a 2019 GAO report on grid cyber-security issues.
“For example, DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains. According to officials, DOE has not fully addressed such risks in its plans because it has prioritized addressing risks to the grid’s generation and transmission systems,” GAO notes in the new report.
After conducting semistructured interviews with 38 key federal and nonfederal entities associated with the cyber-security of grid distribution systems and reviewing reports from both DOE and the Department of Homeland Security (DHS) and other relevant documentation, GAO has concluded that, in its plans to implement the national cyber-security strategy, DOE needs to fully address cyber-risks to the grid’s distribution systems.
“The grid’s distribution systems face significant cyber-security risks—that is, threats, vulnerabilities, and impacts—and are increasingly vulnerable to cyber-attacks. Threat actors are growing more adept at exploiting these vulnerabilities to execute cyber-attacks. However, the scale of the potential impacts of such cyber-attacks on the grid’s distribution systems is unclear,” GAO says.
The growing exposure to cyber-risks, GAO points out, is the result of an increased use of monitoring and control technologies within distribution systems, such as remote control capabilities in industrial control systems (ICS), global positioning systems (GPS) for grid operations, and the connecting of networked consumer devices and distributed energy resources to distribution systems networks.
Vulnerabilities related to the increased use of technology advancements are “compounded for distribution systems because the sheer size and dispersed nature of the systems present a large attack surface,” the report reads.
GAO also says that threat actors may target vulnerabilities in industrial control systems for initial access and then employ other tactics to establish a foothold in the compromised environment and move laterally to other systems.
Such vulnerabilities may exist due to the use of legacy systems that do not feature the necessary cyber-security protections (some were never designed to be connected to the Internet), the lack of conventional IT vulnerability scanning, and lack of timely patching due to the need to take systems or components offline to apply security fixes.
Attackers may exploit these issues to “manipulate, interrupt, or disrupt distribution utilities’ physical control processes or industrial control systems to cause disruptions,” GAO says.
GPS, which is used for synchronizing real-time measurements among multiple devices, is prone to exploitation through jamming and spoofing, which could result in unsynchronized measurements, equipment misoperation, and power outages.
Consumer networked devices, some of which are high-wattage systems, are vulnerable to cyber-attacks and, once connected to the distribution systems, they introduce vulnerabilities, exposing the grid to attacks in which adversaries increase or decrease the electricity demands to disrupt grid operations.
Distributed energy resources, such as rooftop solar units and battery storage units, may introduce vulnerabilities too, especially through their control and communication requirements — some of these devices may be updated remotely and improperly secured update processes may impact the grid as well.
GAO also notes that a multitude of cyber-actors are increasingly capable of targeting the grid’s distribution systems, including nation states, cyber-crime groups, terrorists, hackers and hacktivists, and insiders.
The effects of a cyber-attack on the distribution systems, however, are not well understood. While none of the cybersecurity incidents reported in the U.S. disrupted the grid’s distribution systems, attacks on foreign grid systems have resulted in localized power outages. However, if such an attack were to target a large city in the U.S., the outage could have a national impact.
Both states and industry have taken actions to improve the cyber-security of electricity distribution systems: some states have incorporated cyber-security into their oversight responsibilities, and some are even hiring cybersecurity personnel. These actions, however, aren’t uniform across jurisdictions.
According to GAO, the DOE’s plans and assessment to implement a cyber-security strategy for the energy grid do address some of the risks associated with the grid’s distribution systems, but vulnerabilities associated with industrial control systems, supply chain, devices that use GPS, and networked consumer devices are not addressed.
“Unless DOE more fully addresses risks to the grid’s distribution systems from cyberattacks, including their potential impacts, in its plans to implement the national cybersecurity strategy for the grid, the […] documents will likely be of limited use in prioritizing federal support to help states and industry improve grid distribution systems’ cybersecurity,” GAO says.