U.S. GAO Identifies Electric Grid Cyber Risks, Calls for Stronger Strategy to Protect against Vulnerabilities in Power Grid
The United States Government Accountability Office has expressed concern about vulnerabilities in the nation’s power grid amid an increasing threat of cyberattacks from other countries, and hopes to see cybersecurity intensified.
The Government Accountability Office is a legislative branch government agency that provides auditing, evaluation, and investigative services for the United States Congress.
The GAO found that certain nations, criminal groups, terrorists, and others are increasingly capable of attacking the grid. This concern came at a time when potential cyber threats from Russia were expected to be increasing.
According to the GAO, the electric grid faces significant cybersecurity risks, which stem from threat actors, vulnerabilities in the grid, and the impact any attack would have in disrupting life in the country.
The GAO also noted that vulnerabilities were identified. Among them are the increasing adoption of high-wattage consumer smart devices connected to the internet and the use of the global positioning system to synchronize grid operations.
“The grid is becoming more vulnerable to cyberattacks, particularly those involving industrial control systems that support grid operations,” the GAO said in the report.
Although cybersecurity incidents reportedly have not resulted in power outages domestically, cyberattacks on industrial control systems have disrupted foreign electric grid operations.
In addition, recent federal assessments indicate that cyberattacks could cause widespread power outages in the United States, and the scale of power outages that may result from a cyberattack is uncertain due to limitations in those assessments.
While the U.S. has not yet sustained a major power outage and the country’s power grid has shown resiliency to incidents such as natural disasters, the GAO report notes that nation-state actors and others are ramping up their attack capabilities, experts said.
The country’s electric grid, the commercial electric power generation, transmission, and distribution system comprising power lines and other infrastructure, delivers the electricity that is essential for modern life. As a result, the reliability of the grid and its ability to meet consumers’ electricity demand at all times has been of longstanding national interest. This is the primary reason the cybersecurity of the grid and its physical security remain of paramount importance to the government.
In its review, GAO developed a list of cyber actors that could pose a threat to the grid while also identifying key vulnerable components and processes that could be exploited. It also reviewed studies on the potential impact of cyberattacks on the grid by reviewing prior GAO and industry reports, as well as interviewing representatives from federal and non-federal entities.
GAO also analysed the United States Department of Energy’s (DOE) approaches to implementing a federal cybersecurity strategy for the energy sector as it relates to the grid and assessed Federal Energy Regulatory Commission oversight of cybersecurity standards for the grid.
Here are some of the major recommendations made by the GAO to protect against vulnerabilities in the power grid:
GAO made a recommendation to DOE to develop a plan aimed at implementing the federal cybersecurity strategy for the grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid.
“The Secretary of Energy, in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid,” the GAO said in its recommendations for executive action.
Other recommendations were also made to the FERC.
The GAO recommended that the FERC consider adopting changes to its approved cybersecurity standards to more fully address the NIST Cybersecurity Framework.
It also said the FERC should evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, based on the results of that evaluation, determine if changes are needed in the threshold for mandatory compliance with requirements in the full set of cybersecurity standards.
“FERC should consider our assessment and determine whether to direct the North American Electric Reliability Corporation (NERC) to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity Framework and address current and projected risks,” the GAO said in its recommendations for executive action.
The GAO determined that these actions were needed to address significant cybersecurity risks facing the electric grid.
Both the Department of Energy and the Federal Energy Regulatory Commission agreed with GAO’s recommendations.