- The U.S. Department of Energy is working to implement a national cybersecurity strategy, and has so far focused its efforts on the nation's transmission and generation assets, but utility distribution systems are "increasingly at risk" from intrusion and disruption, according to a report from the Government Accountability Office.
- A coordinated attack on distribution systems "could cause outages in multiple areas even if it did not disrupt the bulk power system," the report, released in March, warns.
- Utility systems are generally not subject to federal security mandates because of the size of their facilities, and the report says DOE needs to "more fully" address those risks. Risk management experts say industrial control systems (ICS) connected to distribution networks are vulnerable, but question the need for new federal rules.
The increasing use of ICS to manage the electric grid has been recognized as a threat to the transmission and generation sectors, but GAO's report concludes federal security rules overlook increasing risks to distribution systems.
"Distribution systems are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks," the report found. "As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations."
The report noted, however, that "the scale of potential impacts from such attacks is not well understood."
Distribution systems are increasingly operated with monitoring and control technologies that have "traditionally been air-gapped from IT networks and the internet in general, making them generally impervious to remote attacks and vulnerabilities," Gary Kinghorn, marketing director at software security firm Tempered Networks, said in an email. "But that no longer is the case."
"These are legacy systems, frequently unmanaged, or unpatched, sometimes running in remote locations or lights out operations," Kinghorn said, adding that they represent a "potential disaster."
But Kinghorn said it is not difficult to secure that infrastructure, and "we already see many electrical utilities and regional energy cooperatives" taking steps to improve their risk profile and security processes.
The GAO report is "compelling," according to Mark Carrigan, chief operating officer of software security company PAS Global. Federal regulators are focused on security requirements for generation and transmission and "these measures do not properly identify and address risks that could lead to wide-spread power outages," he said in an email.
Older legacy systems were not designed with cybersecurity protections, said Carrigan, because they did not connect to the internet. The GAO report warns that legacy devices may not be able to ensure commands have been sent by a valid user, and may not be capable of running modern encryption protocols.
"The reality is that virtually all industrial control systems used to distribute power fall into this category," Carrigan said. "Companies should start by identifying those assets, that if compromised, pose the greatest potential of wide-spread power outages, and implement further controls to minimize the impact of a cyber-attack."
The GAO report recommends DOE "more fully address risks to the grid’s distribution systems from cyberattacks," and says the agency has agreed with that conclusion and is involved with a pair of research projects examining how to improve the security of distribution systems.
Those projects may help states and industry improve the cybersecurity of distribution systems, the report said, while also warning that "it will also be important for DOE to more fully address risks to the grid’s distribution systems from cyberattacks in DOE’s plans to implement the national cybersecurity strategy for the grid."
Some experts question whether new federal requirements are needed for utility systems, however.
"I would hope that the industry continues to be able to self-police itself well and recognize that new connectivity and access requirements demands more security oversight," Kinghorn said. "Time will tell if more oversight will be required based on how many breaches we see in the near term and how well the industry as a whole adapts to new digital transformation requirements."