Infrastructure Cybersecurity: The U.S. Electric Grid

KEY TAKEAWAYS

• Electricity generation, transmission, and distribution are essential to daily life and commerce in America.
• The U.S. electric grid is vulnerable to cyberattacks that could result in catastrophic, widespread, lengthy blackouts and other loss of electrical services.
• Russia, North Korea, Iran, and China currently have the capability to launch cyberattacks that could disrupt critical infrastructure.

There is almost nothing more essential to day-to-day life in America than electricity generation and delivery. The U.S. electric grid is comprised of all of the power plants and other ways of generating electricity, together with the transmission and distribution lines and infrastructure that bring power to customers. Ensuring the cybersecurity of the electric grid is critical to safeguarding the reliability and resilience of the grid.

Key Electric Grid Components

the grid faces significant cybersecurity risks

The U.S. electric grid faces significant cybersecurity risks from a variety of actors, including criminals, terrorists, “hacktivists,” and foreign governments. The grid is vulnerable to cyberattacks that could cause catastrophic, widespread, and lengthy blackouts. The effect on hospitals, police departments, banks, gas stations, military bases, and families across America could be disastrous.

Grid owners and operators, many of which are small to medium sized companies, have to overcome a number of challenges to counter this threat. A 2019 Government Accountability Office review of cybersecurity risks facing the electric grid identified difficulties in hiring a sufficient workforce, limited sharing of classified threat information between the public and private sectors, resource constraints, reliance on other critical infrastructure that could be vulnerable to cyberattack, and uncertainty about how to implement cybersecurity standards and guidance.

One of the greatest cybersecurity threats to the electric grid involves a mundane function known as “industrial control systems.” ICS are used to manage electrical processes and physical functions like opening and closing circuit breakers. These systems increasingly are being merged with technologies that connect to or rely on the internet. This enables remote monitoring and can improve cost and energy conservation, but it also creates more access points for hackers.

In 2015, the insurance underwriter Lloyd’s developed a scenario for an attack on part of the Eastern Interconnection, which provides power to around half of the U.S. Under the scenario, an attack targeting power generators would cause a blackout in 15 states and the District of Columbia, leaving 93 million people without power. Only 10% of the generators targeted in this attack would need to be taken offline in order for it to succeed.

global threats

The 2021 annual threat assessment concluded, “Although an increasing number of countries and nonstate actors have [cyberattack] capabilities, we remain most concerned about Russia, China, Iran, and North Korea.” The report noted that Iran was responsible for multiple cyberattacks in 2020 against Israeli water facilities. Russia “continues to target critical infrastructure, including underwater cables and industrial control systems, in the United States and in allied and partner countries, as compromising such infrastructure improves − and in some cases can demonstrate − its ability to damage infrastructure during a crisis.”

A 2020 assessment by the Department of Homeland Security warned “we remain concerned about China’s intent to compromise U.S. critical infrastructure in order to cause disruption or destruction.” Last month, Energy Secretary Jennifer Granholm confirmed that America’s adversaries are capable of shutting down the grid.

There are precedents for cyberattacks causing blackouts. In 2015, a cyberattack on a utility substation in Ukraine shut off power to 225,000 people for several hours. It was the first time a cyberattack was publicly acknowledged to have caused a power outage. The director of national intelligence later attributed the attack to “a state actor with considerable technological resources.” A memo by the Council on Foreign Relations said the circumstances and forensic evidence suggest Russian involvement. In 2016, power generators in Kiev were targeted, resulting in blackouts and strains on the system. Russia has a history of using Ukraine as a test bed of sorts, running small scale cyber operations that it may later deploy on a larger scale against the U.S. or other adversaries.

Russian hackers targeted a Saudi Arabian petrochemical company in 2017, shutting off the safety systems used to prevent an explosion. In 2018, DHS and the FBI issued an alert that for the first time publicly charged “Russian government cyber actors” with targeting and penetrating a variety of critical infrastructure facilities and sectors in the U.S. The alert said the Russian hackers had gained remote access to “energy sector networks,” which they used to conduct network reconnaissance, move through the systems, and collect information pertaining to ICS.

private and public responsibilities

The federal government has primary responsibility for protecting the nation against cyberattacks. Private sector businesses that own and operate critical electric infrastructure also have statutory and regulatory duties to employ cybersecurity best practices, devote appropriate resources, and do all they can to ensure their systems are secure and able to respond quickly to outages.

The Department of Energy is the lead federal agency responsible for the protection of the electric grid. DOE’s cybersecurity office focuses on strengthening energy sector cyber preparedness, coordinating incident response and recovery, and accelerating research and development of resilient energy systems. In April, DOE launched an initiative to help enhance the cybersecurity of ICS and secure the energy sector supply chain. The 100-day plan focuses on modernizing private sector capabilities, and it includes concrete milestones for owners and operators to meet.

The Federal Energy Regulatory Commission plays a regulatory role. FERC regulates the interstate transmission of electricity and approves standards for the operation of the bulk power system. FERC’s cyber activities include issuing civil penalties to enforce regulatory requirements and conducting audits of regional and bulk power entities.

FERC also oversees the North American Electric Reliability Corporation. NERC is a federally designated not-for-profit organization certified by FERC to develop and enforce standards to ensure the reliability of the bulk power system. NERC also conducts reliability assessments and trains and certifies industry workers.

GAO’s 2019 review of cybersecurity risks found DOE had not fully defined a strategy for addressing challenges to the grid. It found FERC’s cybersecurity grid standards “did not fully address grid cybersecurity risks.” GAO recommended FERC change the standards so that they reflect current best practices. It also recommended that the commission evaluate the risk of a coordinated cyberattack based on geography, such as an attack that targets systems in different parts of the country.

senate action

In April, Senator Murkowski, along with Senators Manchin, Risch, King, and Rosen, introduced the Protecting Resources on the Electric Grid with Cybersecurity Technology Act. The bipartisan PROTECT Act would incentivize utilities to invest in technologies that improve their cybersecurity. Senator Murkowski said that the bill would “help ensure utilities across America, including municipal utilities and electric cooperatives, are able to continue investing in advanced, cutting-edge cybersecurity technologies, while also strengthening the partnership between private industry and the federal government.”

The Committee on Energy and Natural Resources held a hearing last August examining efforts to improve cybersecurity for the energy sector. The hearing focused on ways to improve collaboration between industry and the government, and on efforts to secure energy sector supply chains.