This story was updated at 7:20 a.m. EDT.
Federal energy officials have identified gaps in the U.S. grid’s defenses against a major cyberattack, according to a highly anticipated White House report released yesterday.
"Power restorations following a significant cyber incident could be more challenging than previously experienced" in grid disasters like ice storms or hurricanes, the Department of Energy and the Department of Homeland Security warned in a joint report to President Trump.
Their 55-page "Assessment of Electricity Disruption Incident Response Capabilities" offers a sobering look at shortcomings in electric sector cyber readiness, from funding challenges for small utilities to a shortage of cybersecurity workers with specialized knowledge in the control systems that underpin the grid.
The report notes that while "the United States is, in general, well prepared to manage most electricity disruptions," widescale grid cyber events could overwhelm available public and private resources for fending off hackers. It cites a recent nonpublic set of DOE tests that found a catastrophic cyberattack could result in electric load loss from 40 to 50,000 megawatts.
"This Administration recognizes the growing security risk of cyber threats and has prioritized overcoming these challenges facing our nation," Energy Secretary Rick Perry said in a statement announcing the report’s public release.
Perry pointed to the recent creation of DOE’s Office of Cybersecurity, Energy Security and Emergency Response as an "important step" in guarding energy infrastructure from a range of disaster scenarios.
The new report credits the private sector for "efforts in place to prepare for, respond to, and recover from cyber incidents," but warns that industry steps to address cybersecurity vulnerabilities may falter during an actual attack.
"Existing mutual assistance programs, which provide tested, formal processes for impacted companies to request support from others during an outage, may be stressed in their response to a significant cyber incident due to the potentially widespread and unexpected nature" of such an event, the report concludes. "Also, as cyber incidents may impact disparate systems across the country, the impacted owner-operators may not be familiar with each other’s systems and procedures."
A large-scale cyberattack, launched without warning, has the potential to affect more customers and cause longer-lasting power outages than even a major hurricane, the report found.
While a cyberattack is not known to have caused a power outage anywhere in the U.S., the report references a December 2015 hack in western Ukraine that cut out power to 225,000 electricity customers for several hours.
A year later, hackers struck Ukraine’s power grid again, cutting off electricity for several hundred thousand people around the same time in December.
U.S. utilities are aware of the "dynamic threat" and have learned from those events abroad, according to Scott Aaronson, vice president for security and preparedness at the Edison Electric Institute, which represents major investor-owned utilities.
"There are initiatives already underway aimed at filling exactly the gaps identified in the report because many of the gaps were either first identified during industry-wide and government exercises or taken as lessons learned from real-life incidents, such as the cyberattacks in Ukraine," he said in an emailed statement yesterday.
Aaronson added that the Cyber Mutual Assistance program — called out in the report — now covers about 80 percent of electricity customers and 75 percent of natural gas customers in the U.S.
For smaller utilities, the assessment notes that funding for cybersecurity "often falls short of the full scope of capabilities needed to improve prevention efforts." It calls on the federal government to support the development of preventative cybersecurity tools.
The document also highlighted the need for a thorough review of both voluntary and mandatory reporting requirements for major cyber events. The Federal Energy Regulatory Commission has proposed lowering the bar for utilities to report an attempted hacking intrusion, citing the paucity of available data (Energywire, Feb. 28).
But large power utilities are also required to share information through DOE, and other agencies in rare cases.
"DOE should work with DHS, industry partners, and other relevant organizations to better define information needs and reporting thresholds through an assessment of voluntary and mandatory reporting requirements," the assessment recommends.
Other action items included work on developing cyber insurance products for the electricity sector, improvements to training exercises and information-sharing programs, and a follow-up assessment of "the sufficiency of data on industry back-up power to improve planning and modeling."
The DOE report was loosely timed with the one-year anniversary of Trump’s May 11, 2017, executive order on cybersecurity, which called for its preparation. A few other agencies posted their own reports yesterday to mark the occasion, including the Department of Commerce’s final take on boosting U.S. resilience to "botnets" — armies of hacked devices — and a Commerce-Department of Homeland Security analysis of the U.S. cybersecurity workforce.
Homeland Security Secretary Kirstjen Nielsen said in a statement that "the work undertaken reflects months of extensive research and collaboration with the private sector," adding that "as the world becomes more interconnected, it also becomes more difficult to secure" from botnets and other emerging cyberthreats.
