The Department of Energy is not doing enough to guard smaller power utilities from hackers despite rising threats to the U.S. distribution grid, according to a government watchdog.
While DOE has developed plans for protecting critical electricity networks, they "do not fully address risks to the grid’s distribution systems," the Government Accountability Office said in a report yesterday.
GAO said that by focusing on large power plants and high-voltage transmission systems, DOE often leaves out the distribution networks that deliver electricity to homes and businesses even as they "are increasingly at risk from cyberattacks."
While DOE has worked to address some grid cybersecurity concerns like threat information sharing and vulnerabilities in industrial control systems, other pressing issues are overlooked, the report said.
DOE’s strategies don’t address risks to supply chain cybersecurity; grid equipment reliant on global positioning systems; and networks not controlled by distribution utilities, like solar inverters and electric vehicle charging stations, the report said.
DOE officials said that a cyberattack on distribution utilities would have less impact than a hack of the bulk power system. But GAO pointed out that there have been no official assessments of the potential damage from a cyberattack on a distribution utility.
"An attack on the grid’s distribution systems for a large city could result in outages of national significance, according to officials from a cybersecurity firm," GAO said. "Additionally, a coordinated attack on distribution systems could cause outages in multiple areas even if it did not disrupt the bulk power system, according to officials from one national laboratory."
Distribution utilities are becoming increasingly vulnerable to cyberattacks, GAO noted, largely due to monitoring technologies that grid operators use to manage the grid remotely.
Smaller electricity providers are also not required to follow mandatory cybersecurity regulations from the Federal Energy Regulatory Commission and the North American Electric Reliability Corp. GAO did note that several state energy regulators have added cybersecurity to their oversight responsibilities, though the watchdog said none of the public utility commissions it contacted had imposed mandatory cybersecurity standards.
DOE agreed with GAO’s recommendation that it address distribution-level cyber risks as it carries out the National Security Council’s 2018 National Cyber Strategy, according to the report. DOE did not respond to a request for additional comment on GAO’s findings.
But the watchdog report also comes as DOE’s top cyber office, the Office of Cybersecurity, Energy Security and Emergency Response (CESER), rolls out three programs aimed at beefing up grid cybersecurity defenses.
"Our energy system faces unprecedented threat levels from hackers, foreign actors, and natural catastrophes supercharged by climate change — which is why enhancing security is a priority for this administration," Energy Secretary Jennifer Granholm said in a statement yesterday. "What’s more, President Biden’s clean energy goals all depend on resilient electrical infrastructure. These new programs will help put us a step ahead of all manner of threats so we can provide safe, reliable power to American households."
CESER said it will join grid supplier Schweitzer Engineering Laboratories in an effort to discover vulnerabilities in electricity equipment. The office will also collaborate with the energy sector and national labs to "assess systemic vulnerabilities to electromagnetic and geomagnetic interference," like threats posed by solar weather, according to yesterday’s announcement. DOE also said it plans to offer new funding opportunities aimed at supporting universities and improving the cyber workforce.
"Our vision with these programs is to bring together key partners — from industry to the states to universities — with the expertise and inventiveness needed to enhance energy sector resilience," said CESER acting Assistant Secretary Patricia Hoffman.
The ‘Essence’ of defense
DOE has also pointed to research and development projects with the National Rural Electric Cooperative Association and the American Public Power Association that aim at increasing cyberdefenses at distribution utilities.
NRECA highlighted one of the programs in a blog post Monday. The "Essence 2.0" cybersecurity tool is designed to provide real-time awareness of threats to utilities’ IT networks as well as the operational technology (OT) used to operate the grid. DOE awarded the industry group $6 million last year to continue developing the technology.
NRECA has already implemented Essence at five utilities but said it plans to expand its use to 55 cooperatives.
"We’re filling a gap for the rural communities," said Doug Lambert, senior principal for grid solutions at NRECA. "You have to think about the affordability and the resources for the rural electric cooperatives — they’re limited."
Lambert pointed to the recent attempted poisoning of a Florida town’s water supply as an example where Essence would have helped. In that cyberattack last month, an unknown hacker tried to ratchet up concentrations of sodium hydroxide at a water treatment plant that supplies around 15,000 people in Oldsmar, Fla. (Energywire, Feb. 9). The attack failed when an operator at the plant noticed what was happening and changed levels of the toxic chemical back to normal.
Essence can automatically alert operators if a hacker tries to change critical settings. Even if an attacker turned off alarms, Essence exists outside of those systems and would still be able to send a warning, Lambert told E&E News.
For power utilities, Essence can keep an eye on technical conditions that need to stay within tight boundaries.
"Frequency on the power grid should hang out at 60 hertz, but [if] it starts dropping below 59.7, bad things happen," Lambert said. "So, if we start seeing values wavering from what is normal for physics, that’s one of the things we look for."
Essence would also allow utilities to map their OT networks, Lambert said. The lack of visibility into OT networks has long been considered a major cyber vulnerability in the U.S. grid.
"If somebody goes into a substation and plugs a laptop, we’re going to see that guy when that happens," said Lambert.
Emma Stewart, chief scientist at NRECA, said that distribution-level utilities often don’t get the same level of cybersecurity attention compared with larger companies.
"People have been working with the bigger utilities, because the economies of scale of deploying products at bigger utilities tend to be easier to justify," Stewart said.
It’s difficult to convince a small utility to spend limited resources on cybersecurity enhancements when threats are often hard to identify, Stewart added.
"This is really helping serve that community that’s been needing that for a long time," she said. "So, it’s definite progress."
Correction: A previous version of this story misattributed statements by Doug Lambert of NRECA.