- The U.S. electric grid "is becoming more vulnerable to cyberattacks," according to a new assessment from the U.S. Government Accountability Office, with industrial control systems and the rise of distributed resources playing major roles in the growing risk.
- The report recommends the Federal Energy Regulatory Commission (FERC) analyze the threat of a "coordinated cyberattack on geographically distributed targets" and consider beefing up its security requirements and compliance thresholds.
- The report also cites industrial control systems (ICS), which help manage the flow of power, as a potential weakness. An ICS attack blacked out power to almost a quarter million Ukrainians in 2015, and experts say growing digital networks will exacerbate that risk.
The U.S. electric sector is probed for weaknesses every day by a coterie of nations, criminal groups, terrorists and others, GAO said. Thus far, utilities have kept the threat at bay, but experts say that streak may not hold.
Those defending the grid "have to be lucky 100% of the time to keep our environments safe and secure," according to Jason Haward-Grau, chief information security officer at cyber firm PAS. "Internal or external attackers just need to be lucky once."
"The challenge of cyber risk to distributed networks, be they transmission grids, smart grids, pipelines or other infrastructure, is no doubt growing," Haward-Grau told Utility Dive. "No longer are we able to rely on the traditional modus operandi of isolated or air-gapped networks or security by obscurity."
"The reality is ... you need to consider the eventuality that you will be breached," he said.
Security by obscurity was historically an important way of protecting ICS infrastructure. The GAO report notes that early ICS "operated in isolation, running proprietary control protocols using specialized hardware and software." These systems were also often in physically secured areas, unconnected to broader networks.
The U.S. Department of Homeland Security has been issuing growing numbers of ICS vulnerability advisories since 2010, according to GAO.
But ICS technology is rapidly evolving — being replaced by cheaper equipment and more standardized network protocols, thus making attacks easier. Enabling remote access to ICS is becoming more common, the report notes, but it is still a high hurdle for would-be attackers.
"Cyberattacks on industrial control systems supporting grid operations may require a degree of sophistication and knowledge beyond what is needed to conduct cyberattacks on IT systems," the report says. "Industrial control systems often use operating systems and applications that may be considered unconventional to typical IT personnel."
But the sheer volume of distributed resources has multiplied the number of potential threats, and the report warns federal regulators may not be prepared. GAO makes three recommendations, two for FERC and one for the U.S. Department of Energy (DOE). According to the report, both agencies agreed with the recommendations.
GAO recommended DOE develop a plan to implement a federal cybersecurity strategy for the grid, "and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid."
The report recommended FERC consider changes to its cybersecurity standards to "more fully address" the National Institute of Standards and Technology Cybersecurity Framework. It also recommended the agency evaluate the potential risk of a coordinated cyberattack on distributed targets.
"FERC’s approved threshold for which entities must comply with the requirements in the full set of grid cybersecurity standards is based on an analysis that did not evaluate the potential risk of a coordinated cyberattack on geographically distributed targets," the report says.
Following that analysis, GAO recommends FERC determine whether it needs to change the threshold for mandatory compliance with the agency's full set of cybersecurity standards.
FERC appreciates GAO's feedback and is "considering how to address their recommendations," a commission spokesperson told Utility Dive in an email.
Along with the North American Electric Reliability Corporation, FERC is currently considering changes that could include publicly identifying violators of cybersecurity standards in the bulk electric system. Comments on the proposal were due this week to the commission.
According to Haward-Grau, the GAO report is a recognition of the growing threat to the grid and identifies the need for greater visibility.
"Enabling an effective configuration and inventory of these distributed assets will be key to ensuring that the environment is understood," he said. "Which in essence is one of the fundamental requirements coming from the cyber security standard."