A new report from the United States Government Accountability Office (GAO) shows that the Department of Energy (DOE) has yet to fully analyze the electric grid cybersecurity risks.
The report includes the findings of a recently conducted review of the cybersecurity of the national electric grid, which includes “the commercial electric power generation, transmission, and distribution system comprising power lines and other infrastructure.”
The grid, GAO says, faces significant cybersecurity risks, including those posed by threat actors and vulnerabilities, which could result in power outages, although no such incidents have been observed domestically.
According to the report, nations, criminal groups, terrorists, and others are increasingly capable of targeting the grid, which is also becoming vulnerable to attacks on industrial control systems (ICS) that support grid operations, consumer Internet of Things (IoT) devices, and the global positioning system (GPS).
DOE has developed plans and an assessment to address grid cybersecurity risks, but GAO’s report (PDF) reveals that the assessment “had significant methodological limitations and did not fully analyze grid cybersecurity risks.”
The main limitation was that the assessment covered only a portion of the grid and reflected how that portion existed around 1980.
“Until DOE has a complete grid cybersecurity plan, the guidance the plan provides decision makers in allocating resources to address those risks will likely be limited,” the report reads.
Moreover, GAO explains that while the Federal Energy Regulatory Commission (FERC) approved mandatory grid cybersecurity standards, it did not ensure that those comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
“Without a full consideration of the framework, there is increased risk that grid entities will not fully implement leading cybersecurity practices,” the report underlines.
Identified threat actors, potential vulnerabilities
China and Russia are the nations that pose the highest threat to the grid, GAO says, referring to nation-state, state-sponsored, and state-sanctioned groups or programs.
Criminal groups, including organized crime organizations, are financially driven and are not identified as a threat specifically to the energy sector. However, GAO believes they could have a large impact on the grid, either through their use of ransomware or when employed by nations to conduct malicious activities on their behalf.
Terrorist groups, which are looking to destroy, incapacitate, or exploit critical infrastructures, would be highly motivated to disrupt the grid, although they do not currently have the capacity to do so at scale. They could, however, deface websites or launch denial of service attacks on poorly protected networks.
Hackers and hacktivists could also pose a threat to the grid, although they are believed to have even less capacity to do harm when compared to other adversaries. Insiders, however, can potentially cause harm through destruction, disclosure, modification of data, or denial of service, the report says.
ICS-related risks include the presence of remote access capabilities, which are susceptible to exploitation by malicious actors, and the fact that these systems are more often connected to corporate business networks, allowing attackers to migrate from business IT systems to operational technology (OT) networks.
“Compounding the risk associated with the increased attack surface, many legacy industrial control systems were not designed with cybersecurity protections because they were not intended to be connected to networks, such as the Internet,” the report points out.
GAO also notes that testing might not always find vulnerabilities in ICS software and that, when such flaws are discovered, patching might not occur in a timely manner “because certain industrial control system devices may have high availability requirements to support grid operations.”
Supply chains for industrial control systems represent another cybersecurity risk the grid faces, as they can introduce vulnerabilities for attackers to potentially exploit.
The connection of consumer IoT devices to the grid’s distribution network represents another risk, as malicious actors could ensnare these into botnets and then launch coordinated attacks to manipulate demand across distribution grids. The likelihood of such an attack is small, but could increase in the future.
While there have been three assessments of the potential impact of cyberattacks on the grid, limitations in these assessments make it difficult to determine the scale of any power outages that may result from a cyberattack.
A better strategy required
The report also details challenges grid owners and operators face in addressing cybersecurity risks associated with the grid, and also presents the activities that federal agencies have performed to address these risks.
However, DOE hasn’t fully defined a strategy to address grid cybersecurity risks and challenges, GAO says. In this regard, the report provides a comprehensive breakdown of the DOE plans and assessments, as well as explanations regarding their limitations.
As part of the report, GAO is making a recommendation to DOE to create a plan to implement the federal cybersecurity strategy for the electric grid, which should ensure that key characteristics of a national strategy, such as a full assessment of grid cybersecurity risks, are included in the plan.
GAO also recommended that FERC adopted changes to its approved cybersecurity standards to better fall in line with the NIST Cybersecurity Framework, and that it evaluated the potential risk of a coordinated cyberattack to determine if any changes might be required to fully comply with cybersecurity standards.
“The U.S. electric grid faces an increasing array of cybersecurity risks, as well as significant challenges to addressing those risks. To their credit, federal agencies have performed a variety of critical infrastructure protection and regulatory activities aimed at addressing those risks. In particular, DOE has developed plans and an assessment aimed at implementing the federal strategy for confronting the cyber threats facing the grid,” GAO says.
“However, those documents do not fully address all of the key characteristics needed to implement a national strategy, including a full assessment of cybersecurity risks to the grid. Until DOE ensures it has a plan that does, the guidance the plan provides decision makers in allocating resources to address grid cybersecurity risks and challenges will likely be limited,” the report concludes.
