Connect with us

Hi, what are you looking for?



GAO Says Electric Grid Cybersecurity Risks Only Partially Assessed

A new report from the United States Government Accountability Office (GAO) shows that the Department of Energy (DOE) has yet to fully analyze the electric grid cybersecurity risks.

A new report from the United States Government Accountability Office (GAO) shows that the Department of Energy (DOE) has yet to fully analyze the electric grid cybersecurity risks.

The report includes the findings of a recently conducted review of the cybersecurity of the national electric grid, which includes “the commercial electric power generation, transmission, and distribution system comprising power lines and other infrastructure.”

The grid, GAO says, faces significant cybersecurity risks, including those posed by threat actors and vulnerabilities, which could result in power outages, although no such incidents have been observed domestically.

According to the report, nations, criminal groups, terrorists, and others are increasingly capable of targeting the grid, which is also becoming vulnerable to attacks on industrial control systems (ICS) that support grid operations, consumer Internet of Things (IoT) devices, and the global positioning system (GPS).

DOE has developed plans and an assessment to address grid cybersecurity risks, but GAO’s report (PDF) reveals that the assessment “had significant methodological limitations and did not fully analyze grid cybersecurity risks.”Assessing cyber risks to electric grid

The main limitation was that the assessment covered only a portion of the grid and reflected how that portion existed around 1980.

“Until DOE has a complete grid cybersecurity plan, the guidance the plan provides decision makers in allocating resources to address those risks will likely be limited,” the report reads.

Learn More About Cybersecurity in the Energy Sector at SecurityWeek’s 2019 ICS Cyber Security Conference

Advertisement. Scroll to continue reading.

Moreover, GAO explains that while the Federal Energy Regulatory Commission (FERC) approved mandatory grid cybersecurity standards, it did not ensure that those comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

“Without a full consideration of the framework, there is increased risk that grid entities will not fully implement leading cybersecurity practices,” the report underlines.

Identified threat actors, potential vulnerabilities

China and Russia are the nations that pose the highest threat to the grid, GAO says, referring to nation-state, state-sponsored, and state-sanctioned groups or programs.

Criminal groups, including organized crime organizations, are financially driven and are not identified as a threat specifically to the energy sector. However, GAO believes they could have a large impact on the grid, either through their use of ransomware or when employed by nations to conduct malicious activities on their behalf.

Terrorist groups, which are looking to destroy, incapacitate, or exploit critical infrastructures, would be highly motivated to disrupt the grid, although they do not currently have the capacity to do so at scale. They could, however, deface websites or launch denial of service attacks on poorly protected networks.

Hackers and hacktivists could also pose a threat to the grid, although they are believed to have even less capacity to do harm when compared to other adversaries. Insiders, however, can potentially cause harm through destruction, disclosure, modification of data, or denial of service, the report says.

ICS-related risks include the presence of remote access capabilities, which are susceptible to exploitation by malicious actors, and the fact that these systems are more often connected to corporate business networks, allowing attackers to migrate from business IT systems to operational technology (OT) networks.

“Compounding the risk associated with the increased attack surface, many legacy industrial control systems were not designed with cybersecurity protections because they were not intended to be connected to networks, such as the Internet,” the report points out.

GAO also notes that testing might not always find vulnerabilities in ICS software and that, when such flaws are discovered, patching might not occur in a timely manner “because certain industrial control system devices may have high availability requirements to support grid operations.”

Supply chains for industrial control systems represent another cybersecurity risk the grid faces, as they can introduce vulnerabilities for attackers to potentially exploit.

The connection of consumer IoT devices to the grid’s distribution network represents another risk, as malicious actors could ensnare these into botnets and then launch coordinated attacks to manipulate demand across distribution grids. The likelihood of such an attack is small, but could increase in the future.

While there have been three assessments of the potential impact of cyberattacks on the grid, limitations in these assessments make it difficult to determine the scale of any power outages that may result from a cyberattack.

A better strategy required

The report also details challenges grid owners and operators face in addressing cybersecurity risks associated with the grid, and also presents the activities that federal agencies have performed to address these risks.

However, DOE hasn’t fully defined a strategy to address grid cybersecurity risks and challenges, GAO says. In this regard, the report provides a comprehensive breakdown of the DOE plans and assessments, as well as explanations regarding their limitations.

As part of the report, GAO is making a recommendation to DOE to create a plan to implement the federal cybersecurity strategy for the electric grid, which should ensure that key characteristics of a national strategy, such as a full assessment of grid cybersecurity risks, are included in the plan.

GAO also recommended that FERC adopted changes to its approved cybersecurity standards to better fall in line with the NIST Cybersecurity Framework, and that it evaluated the potential risk of a coordinated cyberattack to determine if any changes might be required to fully comply with cybersecurity standards.

“The U.S. electric grid faces an increasing array of cybersecurity risks, as well as significant challenges to addressing those risks. To their credit, federal agencies have performed a variety of critical infrastructure protection and regulatory activities aimed at addressing those risks. In particular, DOE has developed plans and an assessment aimed at implementing the federal strategy for confronting the cyber threats facing the grid,” GAO says.

“However, those documents do not fully address all of the key characteristics needed to implement a national strategy, including a full assessment of cybersecurity risks to the grid. Until DOE ensures it has a plan that does, the guidance the plan provides decision makers in allocating resources to address grid cybersecurity risks and challenges will likely be limited,” the report concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.