The Government Accountability Office (GAO) identified in a new report several cybersecurity risks to the U.S. electric grid and called upon the Department of Energy (DoE) to develop an improved Federal strategy to protect against cyberthreats to the grid.
GAO found that threat actors – including nation states, state-sponsored groups, terrorists, and criminal groups – are increasingly capable of conducting cyberattacks on the grid, which is simultaneously becoming more vulnerable to attack. The increased attack surface, GAO added, is largely due to remote-access industrial control system devices, consumer Internet of Things devices connected to the grid’s distribution networks, and GPS systems.
Although the United States has reportedly yet to experience a cyber-related domestic power outage, GAO also found that limited assessments leave officials uncertain of the scale of impact cyberattacks could have on the grid.
DoE, the Department of Homeland Security (DHS), the Federal Energy Regulatory Commission (FERC), and other agencies have engaged in activities to protect critical infrastructure from grid cybersecurity risks. Although DoE has formed strategy documents to confront cyber threats, GAO found that “they do not address the specific risks and challenges facing the electric grid.”
“Until DoE ensures it has a plan aimed at implementing the Federal cybersecurity strategy relating to the grid that addresses all of the key characteristics of a national strategy – including a full assessment of cybersecurity risks – the guidance the plan provides decision makers in allocating resources to address the risks and challenges will likely be limited,” GAO added.
Further, GAO said FERC has “not ensured that its approved grid cybersecurity standards fully address leading Federal guidance for improving critical infrastructure cybersecurity – specifically, the NIST Cybersecurity Framework,” and that FERC also has not assessed potential cyber threats on “geographically distributed targets in approving the threshold for which grid cyber systems must comply with.”
“Without information on the risk of such an attack—particularly one that might target low-impact systems that are subject to fewer requirements, but in aggregate could affect the grid—FERC does not have assurance that its approved threshold for mandatory compliance adequately responds to that risk and sufficiently provides for the reliable operation of the electric grid,” GAO explained.
GAO issued three recommendations – one to DoE and two to FERC – in its review:
- DoE should coordinate with DHS to form a plan that aims to implement the “Federal cybersecurity strategy for the electric grid and ensure that the plan addresses key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid;”
- FERC should consider whether to direct the North American Electric Reliability Corporation (NERC) to change its cybersecurity standards so that they more fully address the NIST Cybersecurity Framework, as well as current and projected risks; and
- FERC should evaluate potential risks of coordinated cyberattacks on geographically distributed targets and determine whether to direct NERC to change its “threshold for mandatory compliance with requirements in the full set of cybersecurity standards.”
DoE and FERC agreed with the recommendations. DHS and the Department of Commerce also received the report and had no comments. NERC received the report as well and disagreed with the findings.
“NERC stated that it disagreed with our conclusion that the FERC-approved cybersecurity standards do not fully address the NIST Cybersecurity Framework,” GAO said. “We reviewed NERC’s analysis comparing the FERC-approved cybersecurity standards to the NIST Cybersecurity Framework and continue to believe our analysis accurately reflects the extent to which the standards address the framework.”