The electric power grid is subject to escalating threats of attack by foreign adversaries and individual bad actors. While no U.S. utilities have been seriously compromised to date, in 2015, Ukraine’s electric grid was hit by a cyberattack that led to a lengthy blackout affecting approximately 250,000 people. There is growing recognition that cyberattacks have the potential to be even more malicious, disrupting increasingly digitized critical energy infrastructure. This concern is particularly acute in light of consumers’ increased interconnectedness with the energy gird, and underscores the critical need for a comprehensive public/private approach to cybersecurity.
With the increasing adoption of the Internet of Things, concerns about the vulnerability of the nation’s power system will become even more pronounced. This is especially true as the country transitions from a centralized grid to lower carbon, distributed energy resources. Despite the abundant advantages gained from grid modernization, deploying distributed resources also poses risks by increasing grid interconnection points; these unmanaged, and often unencrypted, connections create a plethora of targets for cyber-attacks. For example, sources estimate that by the end of 2018, almost two million residential solar PV systems had been installed, more than 11,000 homes had residential energy storage units, nearly 900,000 electric vehicle chargers were in use, and more than 20 million homes used smart thermostats. Compounding the issue is that, in order to increase customer participation, the software offered to run these programs is intended to be simple and user-friendly, creating ample opportunities for adversaries to gain access to, control them, and ultimately use them to compromise the system.
Generation facilities are being targeted with greater frequency in “denial-of-service” (“DoS”) attacks which are aimed at exploiting vulnerabilities in an entity’s firewall. (In a DoS attack, multiple systems flood the network of a targeted system with traffic, usually one or more of its web servers, and disrupt service with the goal of rendering it unavailable to its intended users.) In a retail setting, a DoS attack might result in the temporary inability of consumers to purchase desired items, but a DoS attack on a generation facility could leave the grid operator without visibility for a prolonged period into the power operations generating hundreds of megawatts of electricity. The inability to monitor and manage power availability real-time raises the possibility of outages or blackouts.
A Regulatory Hodgepodge for Cybersecurity on the Grid
The threat of such attacks raises concerns regarding the vulnerability of the nation’s bulk power system to cyber incidents. Oversight for cybersecurity currently rests with at least five separate agencies:
- the Federal Energy Regulatory Commission (“FERC”);
- the Department of Energy (“DOE”);
- the Department of Homeland Security (“DHS”);
- the North American Electric Reliability Corporation (“NERC”); and
- the Transportation Security Administration (“TSA”).
This hodgepodge of regulatory oversight has not only failed to keep pace with the emerging cyber-threats to our bulk power system, but has contributed to the grid’s increasing vulnerability.
A report by the Government Accounting Office (“GAO”) issued earlier this year, examined critical infrastructure protection and outlined the actions needed to address what it deemed “significant cybersecurity risks facing the electric grid.” The report identified key “threat actors,” increasing vulnerability resulting from “smart” interconnections, and discussed the potential impact on the grid based on the current lack of a coordinated cybersecurity plan. The report makes three key recommendations calling for
- DOE to develop a plan implementing national cybersecurity strategy including a comprehensive assessment of cybersecurity risks facing the grid;
- FERC to adopt changes to cybersecurity standards on the prevention, detection and response to cyber events; and
- FERC to consider the potential risk of a coordinated cyberattack and assess whether mandatory reporting thresholds are warranted.
The GAO report faults DOE for its failure to develop a comprehensive national cybersecurity strategy, and concludes that until it does, “the guidance the plan provides decision makers in allocating resources to address grid cybersecurity risks and challenges will likely be limited.”
Moreover, siloed agency reporting has resulted in a lack of sharing among these agencies; they do not even have the same interpretation of what constitutes a reportable event, leading to what FERC has called a “reporting gap.” In 2018, for example, NERC reported zero cyber events, DOE reported four events, and DHS reported 59. While rules recently adopted by FERC will broaden and standardize reporting requirements, gridlocked discussions on Capitol Hill regarding which agency will lead efforts to protect the nation’s power system leave it vulnerable.
Inadequate Oversight for National Gas Pipelines
Nor should concerns about the increasing vulnerability of the grid focus exclusively on renewable or distributed resources. As automation and digital sensors become more prevalent in moving a physical commodity like natural gas or oil, the opportunities for cyber-intrusion similarly increase as evidenced by the 2018 pipeline attack. While the bulk electric system in the U.S. is subject to oversight from multiple agencies, the natural gas pipeline system is subject to minimal oversight by TSA. By any empirical measure, the current level of TSA’s oversight of pipeline infrastructure is inadequate:
- the nation’s gas pipeline system consists of approximately 2.7 million miles of pipeline across the U.S.;
- TSA has just six employees dedicated to this oversight, which amounts to 450,000 miles of pipeline oversight per employee, according to FERC Chairman Neil Chaterjee’s testimony before the U.S. Senate Committee on Energy and Natural Resources, and a joint letter authored by Chaterjee and fellow FERC Commissioner Richard Glick in June of 2018; and
- TSA has no mandatory compliance or reporting requirements with respect to cybersecurity, and relies exclusively on company self-reporting.
Given: (1) that natural gas now generates 35% of electricity nationally; (2) that the gas and electric industries are now integrally related; and (3) the growing vulnerability of both to cyberattacks, the disparate treatment of the two industries for cybersecurity purposes becomes increasingly more difficult to justify.
In short, there is a growing recognition in the energy sector that all energy resources are vulnerable to cyberattack. The GAO report is accurate in highlighting that one of the greatest risks to the security of the bulk power system is the failure of the federal government to develop comprehensive, fuel-neutral cybersecurity protocols that apply to all entities contributing to the nation’s bulk power system. Steps that could be taken now include:
- the consolidation of regulatory oversight in a single agency, either DOE or perhaps the Department of Defense;
- the adoption of regulations that include mandatory reporting requirements for cyber-attacks; and
- adoption of regulations that establish protocols for information sharing with other agencies as necessary to protect both the proper functioning of the grid and national security.
Absent leadership on this issue, foreign state-sponsored actors, as well as individual actors, will continue to exploit the opportunities created by our inertia.