A cyberattack on the power grid could erode trust in key U.S. institutions and cause billions of dollars in damage, a top White House advisory group said Friday.
The Council of Economic Advisers said that "insufficient" investment in security across critical infrastructure sectors exacerbates the risk posed by hackers. But the council's report concluded that private firms are still in the best position to ward off a devastating cyberattack.
"An attack launched against the electric grid could affect large swaths of the U.S. economy because most economic activity is dependent on access to electricity," the report said, citing a 2015 study by the Lloyd's insurance market operator and the University of Cambridge's Centre for Risk Studies that found a worst-case cyber event could cost the U.S. economy $1 trillion (Energywire, July 9, 2015).
Actual cybersecurity losses have fallen well short of that mark. The White House advisory group estimated that "malicious cyber activity" cost between $57 billion and $109 billion in 2016. The report also notes, however, that those figures do not reflect the potential of "a devastating cyberattack that would ripple through the entire economy."
The chances of such a nightmarish scenario are remote, said independent grid security consultant Tom Alrich. Large power utilities face binding physical and cybersecurity standards set through the Federal Energy Regulatory Commission and the North American Electric Reliability Corp., and smaller energy firms must report to increasingly cyber-aware state regulators.
"You're talking about a very small probability of a catastrophic event, so you have to protect against it," Alrich noted. "There will definitely be a big grid event at some point, and you've got to think about how you're going to recover from it."
Alrich said setting up self-sustaining microgrids could make it much harder for attackers, or storms or solar weather, to bring down large swaths of the grid. But ultimately President Trump and administration officials will have to chart their own course for dealing with dire grid scenarios, he said.
"If they focus too much on cybersecurity, then the implication is that we ought to throw everything we can at cybersecurity because terrible things could happen," he said. "You've got to think about [grid] resilience itself, not just the titular causes."
The Trump administration has shown a keen interest in locking down the power grid against hackers. Trump's 2019 budget request set aside millions of dollars in new funds for grid network defenses, including $96 million for a stand-alone cybersecurity office at the Department of Energy (Energywire, Feb. 15).
In May 2017, Trump issued an executive order on cybersecurity that called for a checkup on the power grid's resilience to an attack. That assessment, carried out by DOE and the Department of Homeland Security, was never made public, though the Council of Economic Advisers' report cites the study in a footnote while discussing grid cyber risks to U.S. military operations.
"It is estimated that a loss of power would impact the [Department of Defense] missions of preventing terrorism and enhancing security, safeguarding and securing cyberspace, and strengthening national preparedness," the council said, referencing the "Assessment of Electricity Disruption Incident Response Capabilities." "If power outages affected missions both at home and abroad, United States security would be significantly impacted."