US grid at rising risk to cyberattack, says GAO

Distribution systems within the U.S. electrical grid are increasingly vulnerable to cyberattack, a government watchdog said in a report released Thursday.

In the report, the Government Accountability Office (GAO) noted that the Department of Energy’s cybersecurity strategy has predominantly focused on generation and transmission systems. The watchdog recommended further attention to risks facing distribution systems, those parts of the grid that actually carry power directly to customers.

Those aspects of the grid, the report states, “are becoming more vulnerable to cyberattacks, in part due of the introduction of and reliance on monitoring and control technologies.”

“However, the scale of potential impacts from such attacks is not well understood,” it states.

Distribution systems’ vulnerability is increasing due to their industrial control systems, which have increasingly been incorporating remote access. As a result, they can give bad actors access to them.

The systems the report analyzed generally are not covered by federal cybersecurity standards but have in some cases taken independent action on them.

The Department of Energy’s (DOE) cybersecurity plans do not fully cover the risks to distribution networks, according to the GAO report.

“For example, DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains. According to officials, DOE has not fully addressed such risks in its plans because it has prioritized addressing risks to the grid’s generation and transmission systems,” the report states. “Without doing so, however, DOE’s plans will likely be of limited use in prioritizing federal support to states and industry to improve grid distribution systems’ cybersecurity.”

Energy Department officials told GAO investigators they were unaware of any assessments underway analyzing how a cyberattack would affect distribution systems, saying the impact would likely be less significant than on generation and transmission. However, the report notes, depending on which distribution was affected it could have nationwide effects.

For example, “a coordinated attack on distribution systems could cause outages in multiple areas even if it did not disrupt the bulk power system, according to officials from one national laboratory,” the report states.

In its recommendations, the GAO report calls for the secretary of Energy to collaborate with state officials, industry figures and the Department of Homeland Security to better address distribution system risks, including any potential fallout to the department’s national cybersecurity strategy from such attacks.