GAO Raises Concerns About Power Grid VulnerabilitiesAudit Makes Risk Mitigation Recommendations, Including Use of NIST Framework
The U.S. electric grid is growing increasingly vulnerable to cyberattacks from countries such as Russia, and a well carried out attack on the grid could cause widespread power outages, according to a new audit from the Government Accountability Office finds. It offers a list of recommendations for mitigating the risk.
The report notes that industrial control systems, which help power plants and utilities function properly, are now more vulnerable to attack because of the addition of remote access features.
And while the U.S. has not yet sustained a major power outage - the nation's grid has shown resiliency to incidents such as natural disasters - the GAO notes that nation-state actors and others are ramping up their attack capabilities.
“Threat actors are becoming increasingly capable of carrying out attacks on the grid. At the same time, the grid is becoming more vulnerable to attacks,” the GAO notes. “With respect to the potential impacts of the threats and vulnerabilities, U.S. cybersecurity incidents reportedly have not caused a domestic power outage.”
The GAO assessment says that the U.S. Department of Energy, which is responsible for addressing cybersecurity risks for the electric grid infrastructure, has developed plans to address these issues, but decision makers lack full insight into the entire power grid. The audit also notes that DOE has sometimes relied on outdated information, including assessments of the U.S. grid that date back to the 1980s.
"DOE has developed plans and an assessment aimed at implementing the federal strategy for confronting the cyber threats facing the grid," the GAO report states. "However, those documents do not fully address all of the key characteristics needed to implement a national strategy, including a full assessment of cybersecurity risks to the grid."
The GAO report recommends that DOE develop a truly nationwide strategy that encompasses the three major sections of the U.S. power grid - the Eastern Interconnection, the Western Interconnection and the Electric Reliability Council of Texas Interconnection - instead of its previous regional approach to security.
The report also states that the Federal Energy Regulatory Commission, which regulates the interstate transmission of electricity, needs to do more to protect the U.S. power grid by implementing security standards for government agencies that have responsibility for protecting critical infrastructure.
The report calls for a more thorough assessment of what damage a cyberattack can cause. And it urges the commission to adopt the National Institute of Standards and Technology Cybersecurity Framework, which many other federal agencies, along with private businesses, have already implemented.
The report notes that both the Energy Department and the Federal Energy Regulatory Commission agreed with all of the GAO’s recommendations.
Risk and Vulnerability in the Grid
A report issued earlier this year by the U.S. Director of National Intelligence, Worldwide Threat Assessment of the US Intelligence Community, found that nation-states such as Russia, criminal groups and terrorists pose the most significant and current cyberthreats to U.S. critical infrastructure. Hackers and hacktivists, as well as malicious insiders, also pose significant risks to the U.S. power grid as well, according to the intelligence report.
One major reason for this increase in malicious activity is the changing nature of industrial control systems used within power plants and utilities. These systems typically monitor and control sensitive processes and physical functions, such as the opening and closing of circuit breakers on the grid. These systems also ensure that power is delivered from plants to customers.
Over time, these industrial control systems have shifted from closed, "air-gapped" devices to those that use industry-standard IT network protocols and are now connected to the internet, the GAO report notes. Also, the use of internet of things devices throughout plants and utilities is now common, the audit points out.
Many of today’s industrial control systems have remote access capability, which makes them efficient and effective but also more susceptible to hacking and attacks, the GAO states.
"Cheaper and more widely available devices that use traditional IT networking protocols are being integrated into industrial control systems. The use of these protocols, as well as traditional IT computers and operating systems, has led to a larger cyberattack surface for the grid’s systems," according to the GAO report.
In exchange for ease of use and efficiency, these power plants and utilities have created serious security gaps, says Joseph Carson, the chief security scientist at Thycotic, a Washington-based security firm.
"This typically means security is an afterthought and not by design,” he says. “Lack of strong access security controls, risk strategy and supply chain security controls leaves power stations seriously vulnerable."
Types of Attacks
The addition of IoT devices as well as remote access to industrial control systems means that attackers can carry out a wider variety of attacks if they can gain access to the network, the GAO says.
IoT devices, for example, could be used to create a botnet that could be turned against a power plant or utility. The report notes that two university researchers used computer models to sketch out this scenario in a report published in 2018.
In that scenario, the attackers could use IoT devices found in heating and air conditioning units built into a power plant to create a botnet and then use that computing power to create an attack against the utility, the GAO report notes.
"For example, according to the researchers, one such attack could involve synchronously switching on all of the compromised devices. Such an attack could disrupt the balance of power generation and consumption and ultimately cause an outage," the report notes.
Another possibility is a distributed denial-of-service attack that targets a utility.
In fact, back in March, intruders probed weaknesses in the network firewalls of a U.S. power utility to attempt a DDoS attack. And while there was no disruption of power, there were gaps in communication between power stations and the main control system (see: Hackers Attempted DDoS Attack Against Utility: Report).
Another possibility is that attackers could use malware planted in a network to cause a disruption. This has happened at least once in Ukraine (see: Ukrainian Power Grid: Hacked).
The GAO report also notes that electrical utilities and power plants in the U.S. face a number of resource challenges. Those include difficulties in hiring a sufficient cybersecurity workforce, the inability to receive and share classified information about attacks, lack of funding for cybersecurity protections and reliance on other critical infrastructure that may also be vulnerable to cyberattacks.