U.S. Electric Grid Security: Distribution Systems Need Attention, Report Says
The U.S. electrical grid’s distribution systems, which carry electricity from transmission systems to consumers, are vulnerable to cyber attacks that could result in extensive power outages, the U.S. Government Accountability Office (GAO) said in a new report.
In the report, entitled Electricity Grid Cybersecurity, DoE Needs to Ensure Its Plans Fully Address Risks to Distribution Systems, the GAO said that distribution systems are more susceptible to attack because their industrial control systems allow remote access and connect to business networks. As a result, hackers have a number of tactics to tap into those systems and “potentially disrupt operations.”
Complicating the risk, the damage such an attack might deliver isn’t “well understood,” the GAO said. A cyber attack on distribution systems, the report said, could “cause outages in multiple areas even if it did not disrupt the bulk power system.” While the Department of Energy (DoE) has developed plans to implement the government’s national cybersecurity strategy for the electricity grid, those plans do not fully address risks to the grid’s distribution systems, such as vulnerabilities related to supply chains, the GAO said.
The DoE acknowledged that its attention has not been directed to risks facing distribution systems. In August 2019, the GAO reported that the “generation and transmission systems, which are federally regulated for reliability, are increasingly vulnerable to cyber attacks,” the report said. “GAO recommends that DoE more fully address risks to the grid’s distribution systems from cyber attacks—including their potential impact—in its plans to implement the national cybersecurity strategy.”
DOE agreed with GAO’s recommendation and pointed to two research projects to advance the cybersecurity of distribution systems. While the GAO conceded that those research projects may help states improve the cybersecurity of distribution systems, “it will also be important for DoE to more fully address risks to the grid’s distribution systems from cyber attacks in DoE’s plans to implement the national cybersecurity strategy for the grid,” the watchdog said. Some states have acted to protect their own electricity distribution systems, including making cybersecurity a routine oversight process and hiring dedicated cybersecurity personnel, the report said. In turn, federal agencies have supported those actions by providing cybersecurity training and guidance. Nonetheless, at the state level there is no uniformity across jurisdictions, according to the report.
Deeper federal support may not be forthcoming should the DoE not push distribution cybersecurity to the front of the line, the GAO warned. “Unless DOE more fully addresses risks to the grid’s distribution systems in its updated plans, federal support intended to help states and industry improve distribution systems’ cybersecurity will likely not be effectively prioritized,” the report said.
To date, no documented cybersecurity incident reported in the U.S. has disrupted the grid’s distribution systems, according to DoE, which requires all U.S. electric utilities to report significant electrical incidents or disturbances. Nonetheless, the GAO pointed to cyber attacks on foreign grid distribution systems that have resulted in localized power outages, such as the 2015 blackout in Ukraine, as a case in point of what could occur should a cyber attack hit the grid’s distribution network.
The GAO report calls for the DoE to collaborate with the Department of Homeland Security, states and industry to “more fully address” cybersecurity risks to the electricity grid, including the potential impact of attacks, as it implements a national security strategy.
To compile data for the report, the GAO conducted “semistructured” interviews with 38 key federal and non-federal entities with knowledge of the cybersecurity policies of grid distribution systems. The GAO also interviewed federal, state, and industry officials with a role in grid distribution systems cybersecurity. The review was conducted September 2019 to March 2021.