- A series of cyberattacks caused widespread blackouts in Ukraine last month, and the specter of a similar intrusion taking place in the United States has stoked fears that the country is not prepared, despite laws aimed specifically at shoring up cybersecurity.
- New Hampshire-based Foundation for Resilient Societies (FRS), a nonprofit which advocates to protect critical infrastructure, believes "America is increasingly vulnerable to foreign cyberattack" because of the implementation of a 2005 law aimed at grid hardening.
- Cybersecurity is a rising concern in the U.S., and is complicated by the increasing connected nature of generation, load, monitoring devices and non-utility programs. Last year, several industry groups warned FERC they did not believe the agency had authority to oversee security concerns related to third-party providers on the grid.
It's been a decade since The Energy Policy Act of 2005 was passed, and the law's provisions aimed at shoring up the grid's communications networks were never properly implemented, according to FRS.
“The U.S. electric grid and other critical infrastructures are cyber-vulnerable," Joseph Weiss, managing partner at Applied Control Solution, said in a statement released by the group. Weiss said many countries are aware of the United States' utility vulnerabilities, and some "may already have footholds in our critical infrastructure networks," including Russia, China, and Iran.
Among the issues FRS identified, one is how the North American Electric Reliability Corporation exempts some assets from stringent cybersecurity standards. And "newer cybersecurity standards requested by FERC would still exclude many electric grid substations from mandatory cyber-protection," according to the group's statement.
The fresh wave of media focus on grid security comes after hackers successfully caused power outages last year in Ukraine. Hackers remotely opened breaker switches at grid substations to cause the blackout, and restoring power meant substation switches had to be manually closed by on-site technicians. Hundreds of thousands of residents lost power and three regional Ukranian utilities were temporarily shut down.
NERC, purportedly, has said there is no cause for alarm. The FRS press release on cybersecurity said NERC issued a statement in response to its concerns, saying "there is no credible evidence that the incident could affect North American grid operations and no plans to modify existing regulations or guidance based on this incident.”