Key government organizations charged with protecting the electric grid from cyberattacks do not have sufficient plans in place to handle the expanding threat landscape, according to a Sept. 25 Government Accountability Office report.
The GAO found that the Department of Energy did not have what equated to a national strategy for the protection of the electric grid. According to the GAO, the Energy Department had scattered plans and assessments, but the documents “do not fully address all of the key characteristics needed for a national strategy.”
The watchdog found that a risk assessment done by the Energy Department had significant shortfalls. In one anecdote, the department modeled a risk assessment on one portion of the grid based on how that sector operated in 1980. In 1980, that sector’s power capacity was one-quarter of what it is now.
The GAO recommended that the Energy Department “develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid.”
The GAO also evaluated the cybersecurity posture of the Federal Energy Regulatory Commission (FERC), which regulates the interstate transmission of electricity. The watchdog found that FERC has not adequately ensured that all the standards established by the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework are laid out in its practices. FERC approves cybersecurity standards created by the North American Electric Reliability Corporation (NERC).
“Without a full consideration of the framework, there is increased risk that grid entities will not fully implement leading cybersecurity practices,” the GAO wrote.
FERC also did not consider the risk of a coordinated cyberattack on different locations on the power grid. FERC has the authority to require systems generating 1,500 megawatts of electricity or more to comply with FERC’s cybersecurity standards. That threshold is based off an analysis of the effects of a power outage on a facility generating that amount of electricity. The analysis assumed that the loss could be compensated by power from a nearby region, GAO wrote.
“Responding to such an attack could be more difficult than to a localized event since resources may be geographically distributed rather than concentrated in the same area,” the GAO wrote. “Without information on the risk of such an attack, FERC does not have assurance that its approved threshold for mandatory compliance adequately responds to that risk.”
The analysis also did not consider a coordinated cyberattack on power grid components generating below 1,500 megawatts, which “in aggregate, might present a significant risk to the grid.”
In its first recommendation to FERC, the GAO wrote that FERC should determine whether to direct the NERC to adopt changes to its cybersecurity standards that fully address the NIST framework.
As the second recommendation to FERC, the GAO wrote that it should evaluate the potential risk of a coordinated cyberattack on the electric grid and then decide whether to direct NERC to reconsider the 1,500 megawatt threshold for mandatory compliance.
The GAO report also found that the grid faces threats from nation-states, criminal groups, terrorists and hacktivists, though several officials said that hacktivists may not have the resources to do harm as larger actors.
The report also found the threat landscape was increasing because of the deluge of internet-connected devices on industrial control systems, as well as consumer internet of things devices, like air conditioning systems or heaters. Consumer IoT devices run the risk of becoming a botnet, or a network of devices infected by malicious code that can then be controlled without the knowledge of the owner.
“Such an attack could disrupt the balance of power generation and consumption and ultimately cause an outage,” the report said.
Direct attacks on industrial control systems are more complex.
“Cyberattacks on industrial control systems supporting grid operations may require a degree of sophistication and knowledge beyond what is needed to conduct cyberattacks on IT systems,” the GAO wrote.
Both the Energy Department and FERC agreed with the recommendations.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.