Skip to main content

Securing the U.S. Electricity Grid from Cyberattacks

Posted on October 12, 2022

Reliable electricity is essential to the conveniences of modern life and vital to our nation’s economy and security. But the electricity grid is an attractive target for cyberattacks from U.S. adversaries—such as nations like China and Russia, as well as individual bad actors, such as insiders and criminals.

So, how is the electricity grid vulnerable and what could happen if it were attacked?

For National Cybersecurity Awareness Month (October), today’s WatchBlog post looks at two of our recent reports on cybersecurity risks to the U.S. electric grid and federal efforts to address them.

The U.S. Electricity Grid

Image

Graphic illustration showing how the electricity grid works

 

Where are the potential weaknesses in our nation’s electricity grid?

The U.S. electricity grid is really three interconnected transmission grids covering the contiguous United States, as well as parts of Canada and Mexico. It is roughly divided into the western states, Texas, and the eastern U.S. and Midwest. These three interconnections operate independently to provide electricity to their regions.

There are several points of vulnerability in the U.S.’s system of electricity grids. For example, grid distribution systems—which carry electricity from transmission systems to consumers—have grown more vulnerable, in part because their operational technology increasingly allows remote access and connections to business networks. This could allow threat actors to access those systems and potentially disrupt operations.

Nations and criminal groups pose the most significant cyber threats to U.S. critical infrastructure, according to the Director of National Intelligence’s 2022 Annual Threat Assessment. These threat actors are increasingly capable of attacking the grid.

Example of an Attacker Compromising High-Wattage Networked Consumer Devices

Image

graphic showing ways the electricity grid might be attacked

 

As the lead federal agency for the energy sector, DOE has developed plans to implement a national cybersecurity strategy for protecting the grid. However, we found that DOE’s plans do not fully incorporate the key characteristics of an effective national strategy. For example, the strategy does not include a complete assessment of all the cybersecurity risks to the grid. Addressing this vulnerability is so important that we made it a priority recommendation for DOE to address. We prioritize recommendations that need immediate attention.

Other actions for addressing grid cybersecurity risks

The Federal Energy Regulatory Commission (FERC)—which regulates the interstate transmission of electricity—has approved mandatory grid cybersecurity standards. But it hasn’t taken steps to ensure that those standards fully address leading federal guidance for critical infrastructure cybersecurity. For example, and similar to the above, the standards do not include a full assessment of cybersecurity risks to the grid.

In 2019, we recommended that FERC consider adopting changes to its approved standards to more fully address federal guidance and evaluate the potential risks of a coordinated attack. These recommendations have not been implemented yet, leaving the grid vulnerable.

Finally, in March 2021, we found that the federal government does not have a good understanding of the scale of the potential impacts from attacks facing the component of the grid that is generally not subject to FERC’s standards: distribution systems. After identifying this vulnerability, we recommended the Department of Energy (DOE)—in coordination with the Department of Homeland Security, state, and industry partners—address risks to the distribution systems.

Find out more about our work on electricity grid cybersecurity by checking out our recent reports linked above.


GAO Contacts

Related Products

About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.