The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

27,225 Members

WARNING: SIGN-IN

You need to be a member of Energy Central to access some features and content. Please or register to continue.

Post

Report Warns of Cybersecurity Risks to the Grid and Points to DER as a Concern

The U.S. Government Accountability Office (GAO) released an assessment of electric grid vulnerabilities to cyberattack and issued recommended actions for the Department of Energy and the Federal Energy Regulatory Commission (FERC) to take.

The GAO also cited what it said was a potential vulnerability due to the increased adoption of distributed generating assets across the grid.

The report said that FERC’s approved threshold for compliance with cybersecurity requirements is based on workthat “did not evaluate the potential risk of a coordinated cyberattack on geographically distributed targets.”

The report said that such an attack could target multiple dispersed systems that each fall below the threshold for complying with the full set of cybersecurity standards. “Responding to such an attack could be more difficult” than to a localized event because resources may be geographically distributed rather than concentrated in the same area. “Without information on the risk of such an attack, FERC does not have assurance that its approved threshold for mandatory compliance adequately responds to that risk,” the report  said.

Also in its report, GAO recommended that DOE to develop a plan aimed at implementing the federal cybersecurity strategy for the grid and “ensure that the plan addresses the key characteristics of a national strategy,” including a full assessment of cybersecurity risks to the grid.

GAO also made two recommendations to FERC:

  • Consider adopting changes to its approved cybersecurity standards to more fully address the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
  • Evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, based on the results of that evaluation, determine if changes are needed in the threshold for mandatory compliance with requirements in the full set of cybersecurity standards.

The GAO report  describes the cybersecurity risks facing the grid, assesses the extent to which DOE has defined a strategy for addressing grid cybersecurity risks and assesses the extent to which FERC-approved standards address grid cybersecurity risks.

GAO said it developed a list of cyber actors that could pose a threat to the grid; identified key vulnerable components and processes that could be exploited; and reviewed studies on the potential impact of cyberattacks on the grid by reviewing prior GAO and industry reports, as well as interviewing representatives from federal and nonfederal entities. GAO also analyzed DOE’s approaches to implementing a federal cybersecurity strategy for the energy sector as it relates to the grid and assessed FERC oversight of cybersecurity standards for the grid.

The report concluded that the electric grid faces what it said are “significant cybersecurity risks” that include:

Threat actors. Nations, criminal groups, terrorists, and others are increasingly capable of attacking the grid.

Vulnerabilities. The grid is becoming more vulnerable to cyberattacks—particularly those involving industrial control systems that support grid operations. The increasing adoption of high-wattage consumer Internet of Things devices and the use of the global positioning system to synchronize grid operations are also vulnerabilities.

Impacts. Although cybersecurity incidents reportedly have not resulted in power outages domestically, cyberattacks on industrial control systems have disrupted foreign electric grid operations. In addition, while recent federal assessments indicate that cyberattacks could cause widespread power outages in the United States, the scale of power outages that may result from a cyberattack is "uncertain due to limitations in those assessments."

Although DOE has developed plans and an assessment to implement a federal strategy for addressing grid cybersecurity risks, GAO said that these documents do not fully address all of the key characteristics needed for a national strategy. For example, while DOE conducted a risk assessment, that assessment had significant methodological limitations and did not fully analyze grid cybersecurity risks.

GAO claimed that one such key limitation was that the assessment used a model that it said covered a portion of the grid and reflected how that portion existed around 1980. Until DOE has a complete grid cybersecurity plan, the report said, the guidance the plan provides decision makers in allocating resources to address those risks “will likely be limited.”

The report also said that although FERC has approved mandatory grid cybersecurity standards,  it has not ensured that those standards fully address leading federal guidance for critical infrastructure cybersecurity, specifically, the NIST Cybersecurity Framework. It cautioned that without a full consideration of the framework, “there is increased risk that grid entities will not fully implement leading cybersecurity practices.”

DW Keefer's picture

Thank DW for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

Discussions

Richard Brooks's picture
Richard Brooks on Oct 4, 2019 1:49 pm GMT

Excellent article. Just an FYI: NIST is now working on a Zero Trust Architecture that may address some of these concerns. They are currently accepting comments on their ZTA draft. I provided a suggestion to include a section on software background checks, as an emerging area within a Zero Trust Framework. 

Bob Meinetz's picture
Bob Meinetz on Oct 4, 2019 2:37 pm GMT

Filed under "What Could Possibly Go Wrong With Deregulated Electricity", in case we ever start to think simple problems can be solved by making them more complex.

Richard Brooks's picture
Richard Brooks on Oct 4, 2019 3:24 pm GMT

Bob, one thing I believe we both agree on is the need to ensure a reliable electric grid now and well into the future, whatever happens in the supply chain transition. Agree?

Bob Meinetz's picture
Bob Meinetz on Oct 4, 2019 4:34 pm GMT

Agree, but the supply chain transition itself - privatizing what was once a public asset, like water, gas, security, mail - is the source of many of these problems with electricity.

Consider an island community where the residents' water is provided by one freshwater well. The well is drying up, however, so residents have been forced to purchase their own tanks to collect rainwater for washing, cooking, and bathing.

One day the island's governor decides he's going to pipe everyone's water to a big cistern, so everyone can economically share. Great, everyone says - now we don't have to worry about running out. Then the problems begin - someone's tank is rusty, so the water tastes bad. One resident who couldn't afford a big tank is able to contribute less - her water costs a lot more than everyone else's. They gather together and have a meeting. "How are we going to figure out why the water has rust in it? How can we make it affordable for everyone?", they ask. "Could a zero-trust architecture be the solution?"

"No, this Distributed Water Resources (DWR) was my stupid idea," says the governor. He collects donations and replaces the cistern with a huge tank to collect rainwater for everyone, so they all have access to the same, clean water. The dried-up well has been replaced by a 100% sustainable solution for the entire island.

Isn't a public solution to a public problem always best?

Matt Chester's picture
Matt Chester on Oct 4, 2019 3:39 pm GMT

Ironically, Bob, I think that argument is a simplification as well. It's not always as easy to see simple = good, added complexity = bad. Sometimes the complexities are needed to deal with the real world nuances that we're presented with. When learning physics, we often use a simplified model: a point source, assume no friction, assume no air drag, and solve for x. That's simple and preferable, but it's not addressing the realities of the world. 

A more tangible analogy, perhaps, would be economic policy: "The path to better understanding the economy requires treating the economy as the complex system that it really is."

That's not at all intending to undercut your other points about why you find central generation to be preferable and those are points that are worth discussing and debating, but simply dismissing a concept because it's more complex I think is short-sighted and will miss out on some optimal solutions

Bob Meinetz's picture
Bob Meinetz on Oct 5, 2019 2:23 pm GMT

"I think that argument is a simplification as well. It's not always as easy to see simple = good, added complexity = bad."

But that wasn't my point, Matt. Like engineering, economics, or any other field: when beginners fresh out of school encounter problems, they usually err on the side of adding elements to try to compensate, to tweak, to induce, when they could have solved the problem by subtracting elements - by making it a simpler problem.

With energy what are our priorities? To provide society with a source of electricity that's dependable, affordable, and clean? To create jobs? To make our use of electricity more efficient? To allow citizens to become energy-independent? To establish DC transmission corridors across the country? To power transportation?

To say "all of the above" immediately makes the problem more complex, expensive, and error-prone than it needs to be. For example: establishing DC transmission corridors across the country assumes we need them for wind turbines, that we need more wind turbines because they're emissions-free, that we want to lower CO2 emissions. Similarly, efficiency has become a current priority, the assumption using less electricity burns less fossil fuel, that burning less fossil fuel generates less CO2, that we want to lower CO2 emissions.

All of the priorities above can be boiled down to providing society with dependable, affordable, clean, electricity - that's the simple problem. Among solutions which address those priorities, and only those priorities, are the simplest and the best.

Misplaced priorities are often illustrated by an anecdote attributed to a friend of the economist Milton Friedman:

"At one of our dinners, Milton recalled traveling to an Asian country in the 1960s and visiting a worksite where a new canal was being built. He was shocked to see that, instead of modern tractors and earth movers, the workers had shovels. He asked why there were so few machines. The government bureaucrat explained: 'You don’t understand. This is a jobs program.' To which Milton replied: 'Oh, I thought you were trying to build a canal. If it’s jobs you want, then you should give these workers spoons, not shovels.'"

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »