Closing Gaps in Energy Cybersecurity

GAO finds that the Energy Department needs to do more to address cybersecurity risks.

It makes your toaster, television, and lights possible. Without it, you could not access this essay.

It is electricity.

And people often take electricity for granted.

For most of the United States, electricity is created hundreds of miles away, carried across transmission lines running along streets and roads to be distributed into homes, offices, and hospitals. But these lines—known as “the grid”—are “increasingly at risk” from hackers, according to a recent report to Congress from the U.S. Government Accountability Office (GAO).

Although people may be more familiar with power outages caused by falling trees, low temperatures, and extreme weather, cyberattacks on the electric grid are also a threat to energy security.

In 2016, the U.S. Department of Homeland Security (DHS) found that a power outage caused by hackers affected 225,000 customers in Ukraine. In 2018, DHS reported that foreign hackers had previously infiltrated the U.S. electric grid.

Today, the electricity grid is more vulnerable to hackers than ever before, as it is increasingly complex and dependent on advanced technology. These advances in grid technology, such as remote-control systems and geographic positioning systems, allow grid operators to monitor and control the transmission of electricity remotely. They make coordinating the thousands of transmission lines easier for grid operators. But GAO notes that these improvements also make the grid more vulnerable to cyberattacks.

Grid vulnerabilities may also result from the system’s initial design. The electricity grid, created in the 1870s, was built many years before the internet. Because much of the physical infrastructure on which the grid operates today was not designed to be connected to the internet or to advanced technology systems, the grid lacks some protection from cyberattacks that inherently comes with newer, modern technology.

For example, many of the grid’s older technology systems are incapable of understanding whether commands are sent from an authorized person or a hacker. These systems often operate on out-of-date software that lacks modern security patches.

Who is responsible for protecting the U.S. electricity system? Federal policy, in the form of an Obama-era presidential directive and the National Defense Authorization Act, mandates that the U.S. Department of Energy is responsible for grid protection and the development of the nation’s energy cybersecurity strategy.

To date, the Energy Department has released three plans and an assessment related to cybersecurity. The Department acknowledges in its Multiyear Plan for Energy Sector Cybersecurity that cyber threats are increasing in both frequency and sophistication. The Department outlines that, to combat future risks, it must better prepare the energy sector by requiring utilities to analyze potential risks and consequences of cyberattacks.

In support of its national strategy plans, the Energy Department noted that it is collaborating with DHS on assessing response capabilities during cyberattacks. The Energy Department also called attention to its development of a coordinated national response strategy with the private sector. It stressed that it will continue to fund research and development for technology that bolsters grid security.

GAO, however, did not find that the Energy Department has sufficient plans for grid protection. GAO claims that the Energy Department has failed to address fully the risks of cyberattacks to the grid. According to GAO, the Energy Department has yet to consider the dangers of some newer technologies.

Some solar companies, for example, can remotely access and update their customers’ solar panel software. Hackers, in theory, could gain access to this software and send power back into the grid in unusually large amounts, which could lead to disruptions and power outages. Similar network problems can occur with electric vehicle chargers.

GAO recommends that the Energy Department “more fully address risks to the grid’s distribution systems from cyberattacks.” Even the Energy Department agrees, noting that its office of Cybersecurity, Energy Security, and Emergency Response will actively work to mitigate cybersecurity risks in the U.S. electric system and to target the most critical risks.

Furthermore, the Energy Department points to a few congressionally directed cybersecurity projects in the works. For example, the Energy Department partners with the National Rural Electric Cooperative Association, as well as the American Public Power Association, to bolster defenses against cybersecurity risks. Through these partnerships, the Energy Department assists with research and development to fund potential technical solutions.

Whether the Energy Department’s actions will provide sufficient protection to the electricity grid remains to be seen. Ultimately, GAO concludes that federal support for energy cybersecurity improvements is not likely to be prioritized effectively until the Energy Department fully assesses the vulnerabilities of the electricity grid.