The United States Government Accounting Office (GAO) recently issued a report on the cybersecurity risks facing the electric grid. The GAO reviewed the cybersecurity of the electric grid to determine the risks and challenges facing the grid, to describe federal efforts to address those risks, to assess the extent to which the Department of Energy (DOE) has defined a strategy for evaluating grid cybersecurity risks and challenges, and to assess the extent to which Federal Energy Regulatory Commission (FERC)-approved cybersecurity standards address grid cybersecurity risks.
The report was commissioned at the request of Congress and made several recommendations aimed at implementing a federal cybersecurity strategy for the grid. The GAO made one recommendation to DOE and two recommendations to FERC, which regulates the interstate transmission of electricity. GAO recommended that the DOE’s strategy for the grid address the key characteristics of a national strategy, including a full assessment of the cybersecurity risks. The first recommendation to FERC was to consider adopting changes to its cybersecurity standards to more fully address the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The second recommendation was to evaluate the potential risk of a coordinated cyber-attack on geographically distributed targets and determine if changes are needed in the threshold for mandatory compliance with the requirements in the full set of cybersecurity standards.
The GAO report identified threat actors to the grid as nations, criminal groups and terrorists, and recognized that the electric grid of the U.S. is becoming more vulnerable to cyberattacks against supply chains for industrial control systems, consumer Internet of Things (IoT) devices connected to the grid’s distribution network, and global positioning systems (GPS). It’s no secret that a serious cyberattack on the nation’s electric grid would be devastating. The report contains many details of the different attack strategies, but more important, it recognizes that identifying resource needs and coordinating efforts through private/public partnerships will be critical in implementing a cybersecurity strategy to protect the grid.