A recent report published in August 2019 by the Government Accountability Office (“GAO”) highlights concerns about cybersecurity risks facing the nation’s electric grid. The GAO’s report, Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid, finds that the US electric grid is becoming increasingly vulnerable to cyberattacks, with weaknesses in industrial control systems (“ICS”) that interconnect with grid operations, and with distributed energy resources that are both geographically dispersed and not covered by current cybersecurity standards due to size thresholds. The report notes that federal agencies, including the Department of Energy (“DOE”), have performed various assessments of the potential impacts of cyberattacks on the grid, but those assessments were limited, covering only a portion of the grid. The report also notes that the Federal Energy Regulatory Commission (“FERC”), the regulator that approves and mandates cybersecurity standards for entities operating within the interstate electric and gas transmission system, has not yet fully mandated current federal guidance on critical infrastructure cybersecurity and that current mandatory requirements do not cover certain distributed energy resources.
The GAO makes three recommendations, one for DOE and two for FERC. The report recommends that DOE develop a comprehensive national strategy that goes beyond providing a framework for addressing critical infrastructure cybersecurity risks. DOE needs to ensure that it has a plan aimed at implementing a federal cybersecurity strategy across all facets of the grid. The report cites ICS that help manage the flow of power as potential weaknesses. The report noted that a 2015 ICS attack in Ukraine resulted in a blackout for nearly a quarter million residents. The GAO warns that high-wattage consumer-side Internet-of-Things devices, such as electric vehicles and building energy systems, are being increasingly connected to the grid’s distribution system, thereby increasing vulnerabilities to cyber threats. The report also notes that system operators’ increased reliance on remote communication and monitoring devices on the transmission grid is exacerbating cybersecurity risk on critical infrastructure.
The recommendations to FERC are to consider adopting additional cybersecurity standards that more fully address the leading federal guidance on critical infrastructure contained in the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework, and to consider the cybersecurity vulnerabilities that distributed energy resources may face. The report notes that the FERC-approved cybersecurity standards do not fully address all of the NIST Cybersecurity Framework’s five functions and associated categories and subcategories, leading to greater grid vulnerability to projected cyber risks. The report also notes that FERC has not factored the risk of a coordinated cyberattack on geographically distributed targets into the compliance threshold for the North American Electric Reliability Corporation (“NERC”) cybersecurity standards. The report notes that while FERC considers generators with a capacity of 1,500 megawatts or greater to have a medium to high impact on the bulk electric system, it has not evaluated the grid impact of smaller capacity distributed resources that may be subject to a coordinated cyberattack. The GAO notes that in consultations for this report FERC officials had said that it considered the threat assessment on low-impact systems in creating the threshold applicability of its standards, but that it did not have sufficient data to fully evaluate the threat scenario at the time and that it would do so in any future update. The report includes a letter by FERC Commissioner Chatterjee directing FERC staff to consider the GAO recommendations and take appropriate next steps to implement them.
For more information on developments in critical infrastructure protection, cybersecurity, or other electric reliability matters, contact Kristen Connolly McCullough