Skip to main content

Preparing for Evolving Cybersecurity Threats Facing the U.S. Electric Grid

Posted on October 16, 2019

Electricity is essential for modern life. In addition to our modern home conveniences, like our microwaves, computers, and lighting, electricity is vital to hospitals, first responders, and financial services in our country.

So, what would happen if our electric grid were attacked?

For National Cybersecurity Awareness Month, today’s WatchBlog looks at our recent report on the cybersecurity risks to the U.S. electric grid and federal efforts to address them. Read on, and listen to our podcast with Frank Rusco and Nick Marinos, the directors who led the report, to learn more.

Electric Grid Cybersecurity

 

An Illustration of Powerlines

 

The U.S. electric grid faces significant cybersecurity risks

Nations, criminal groups, and terrorists pose the most significant cyber threats to U.S. critical infrastructure, according to the Director of National Intelligence’s 2019 Worldwide Threat Assessment. These threat actors are increasingly capable of attacking the grid. For example, China and Russia have the ability to launch cyberattacks that could potentially disrupt grid operations.

The grid is also becoming more vulnerable to cyberattacks—particularly those involving industrial control systems, which are typically network-based systems that monitor and control processes and functions like opening and closing circuit breakers. These systems increasingly include remote access capabilities that can be exploited by malicious actors.

 

Graphic Showing Potential Ways an Attacker Could Compromise Industrial Control System Devices

 

Potential Ways an Attacker Could Compromise Industrial Control System (ICS) Devices

Even though cybersecurity incidents reportedly have not resulted in power outages domestically, cyberattacks on industrial control systems have disrupted foreign electric grid operations.

In addition, while recent federal assessments indicate that cyberattacks could cause widespread power outages in the United States, the scale of such outages is uncertain due to limitations in those assessments. For example, one of those assessments used a model that covered only a portion of the grid and reflected how that portion existed around 1980.

 

Federal efforts to address grid cybersecurity risks

The Department of Energy plays a key role in helping address grid cybersecurity risks. However, we found that DOE hasn’t developed plans that fully address the key characteristics needed for a national strategy, and we recommended that it do so.

In addition, the Federal Energy Regulatory Commission—the regulator for the interstate transmission of electricity—has approved mandatory grid cybersecurity standards, but it hasn’t ensured that the standards fully address leading federal guidance for critical infrastructure cybersecurity.

Moreover, FERC’s threshold for which power generators must comply with all grid cybersecurity standards is based on an analysis that didn’t evaluate the potential risk of a coordinated cyberattack on geographically distributed targets. Such an attack could target, for example, a combination of systems in different parts of the country that each fall below the threshold.

We recommended that FERC consider adopting changes to its approved standards to more fully address federal guidance and evaluate the potential risk of a coordinated attack.

We believe these recommended actions will help address the significant cybersecurity risks facing the U.S. electric grid.


GAO Contacts

Related Products

About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.