What Can Be Done to Enhance Electrical Grid Security?Agency Officials Tell Congress of Concerns About Equipment Used
The lack of adequate security features in critical electrical grid equipment - including high-power transformers - that's made in other nations poses a serious U.S. cybersecurity threat, according to federal officials who testified at a Congressional hearing this week. Supply chain vulnerabilities could result in a grid takedown by nation-state actors and a lengthy recovery period, they said.
As a result, officials told the House Subcommittee on National Security they are pushing for domestic production of more electrical equipment - supported by financial incentives and allowing for the implementation of proper security standards.
Meanwhile, the Department of Energy said this week it's working directly with international electrical equipment firms to evaluate software and firmware in equipment and mitigate supply chain vulnerabilities.
The panel heard testimony from leaders at the Cybersecurity and Infrastructure Security Agency, the Department of Energy and the Federal Energy Regulatory Commission - which controls the interstate transmission and sale of electricity.
The committee is considering whether additional regulations are needed to mitigate growing threats to distribution systems, utility vendors and global supply chains that support the electrical grid.
Concerns about the security of the nation's critical infrastructure have heightened in the aftermath of the ransomware attack on Colonial Pipeline Co. that led the firm to temporarily shut down a pipeline serving much of the East Coast.
The electrical grid, in particular, is "susceptible" to cyberthreats because its systems are increasingly connected to the internet through business networks and remote access tools, the Government Accountability Office said in March (see: GAO: Electrical Grid's Distribution Systems More Vulnerable).
'Backbone of Daily Life'
"The electrical grid is the backbone of daily life in America," said Rep. Stephen F. Lynch, D-Mass., the subcommittee chairman. "It provides energy to heat our homes, power our hospitals, and charge our smartphones. It is also a priority target for state and nonstate cyber adversaries. A successful attack on the electric grid could have devastating consequences for U.S. national security and economic interests."
Lynch said large transformers are particularly vulnerable to tampering by foreign actors because of inadequate security measures built into various IT and OT systems.
The federal agency officials echoed lawmakers' concerns, saying the electrical grid is vulnerable to "persistent" and "sophisticated" threats.
Cyberattacks constitute "an immediate threat to our national security, economic prosperity and public health and safety," said Eric Goldstein, executive assistant director at CISA. "A highly damaging cybersecurity intrusion, affecting a national critical function, such as the provision of power to the American people, is certainly a possibility."
Joseph H. McClelland, director of the Office of Energy Infrastructure Security at the Federal Energy Regulatory Commission, added: "Widespread disruption of electric service can quickly undermine the U.S. government, its military and the economy, as well as endanger the health and safety of millions of citizens."
Commenting on the grid's resiliency, McClelland told lawmakers: "The [electric] industry does operate on an 'N-1' contingency - which means that it can suffer the single largest contingency on the grid and continue operations and continue to provide power." He noted, however, that "multiple contingencies can result in prolonged outages," which would depend on the extent of damage to the equipment and equipment availability.
Understanding the Supply Chain
Puesh M. Kumar, acting principal deputy assistant secretary at the Office of Cybersecurity, Energy Security, and Emergency Response within the Department of Energy, acknowledged that U.S. companies do not currently manufacture large power transformers, calling it "a huge gap that we have as a country."
Kumar testified: "Understanding the supply chain of our critical energy systems is very important to us. To that end, the president issued an executive order really focused on America's supply chains. And one of the key components of that is looking at those critical components, like transformers … that are so critical to the reliability of our electric grid and where we are manufacturing a lot of those components."
In 2020, the Trump administration zeroed in on bulk-power equipment manufactured in China, prohibiting critical utilities from procuring their products. Upon taking office, President Joe Biden suspended and later revoked the Trump-era prohibition, though he has since introduced new cybersecurity detection/mitigation/forensics guidelines for grid owners and operators, also citing "the growing prevalence" and "threat" of electric equipment sourced from China.
In addition to ongoing efforts to ramp up domestic equipment manufacturing, the DOE said this week it's working directly with international electrical equipment firms - including Hitachi ABB, Schweitzer Engineering Laboratories and Schneider Electric - to evaluate software and firmware in existing energy sector equipment and mitigate supply chain vulnerabilities. This effort, a part of the DOE's Cyber Testing for Resilient Industrial Control Systems, or CyTRICS - will help "engineer out many cybersecurity concerns," Kumar added, noting that cyber risk is dramatically elevated by relying on equipment produced abroad.
Keeping Pace With Adversaries
"The unfortunate reality is, at least for the next decade, the offensive cyber capabilities of our most capable adversaries are likely to far exceed the United States' ability to defend key critical infrastructures," McClelland told the committee. He cited the Federal Energy Regulatory Commission's two-pronged approach to cybersecurity: iterative standards developed in the open and interagency information sharing to prevent pervasive nation-state attacks.
Goldstein highlighted steps the Biden administration has taken to address cyberthreats to critical U.S. infrastructure, including the grid. The administration has put forward "rapid, aggressive actions to confront cyberthreats from adversaries who seek to compromise critical systems that are indispensable to U.S. national and economic security," he said.
This week, Biden signed an executive national security memorandum calling for the development of new critical infrastructure cybersecurity standards (see: Biden Calls for Critical Infrastructure Security Standards).
Kumar also testified at this week's hearing that the nation's complex network of 3,000 utilities serving the electric grid provides "built-in resiliency" because it would be difficult for threat actors to traverse thousands of networks. Still, he said, supply chain attacks, such as the SolarWinds incident, "really changed how we're thinking about … threats across the board."
Rep. Hank Johnson, D-Ga., asked CISA's Goldstein about the federal government's visibility into cyber incidents targeting private utility companies. Goldstein replied: "We know that there are still, across sectors, a number of intrusions today that are not reported to the U.S. government."
A lack of reporting, Goldstein continued, "precludes the government, including CISA, from offering assistance to the victim; it limits our ability to develop actionable information that could be used to protect victims before similar events occur; and it limits our ability to understand the extent of national risk."
Addressing broader security controls, Goldstein added: "Efforts that we can take as a country to drive adoption of better security controls will lead to improvements to our national security, economic security, public health and safety. There are a number of roads that we can take to that outcome." These include regulation and standards, plus incentives such as security grants, he said.