The report recommends the Federal Energy Regulatory Commission (FERC) analyze the risk of a "coordinated cyberattack on geographically distributed targets" and consider beefing up its protection requirements and compliance thresholds. The report also cites industrial control systems (ICS), which help manage the flow of power, as a potential weakness. An ICS attack blacked out power to nearly a quarter million Ukrainians in 2015, and experts say growing digital networks will certainly exacerbate that risk.

The U.S. electric sector is probed for weaknesses every day by a coterie of nations, criminal groups, terrorists and others, GAO said. So far, utilities have kept the risk at bay, but experts say the streak might not hold.

Those defending the network "have to be happy 100% of the time to keep our settings safe and secure," according to Jason Haward-Grau, chief information security officer at cyber firm PAS. "Internal or exterior attackers simply need to be lucky once."

"The challenge of cyber risk to distributed networks, be they transmission grids, smart grids, pipelines or other infrastructure, is no doubt growing," Haward-Grau told Utility Dive. "No longer are we able to depend on the timeless modus operandi of secluded or air gapped networks or defense by obscurity."

"The reality is ... you need to consider the eventuality that you will be breached," he said.

Security by obscurity was historically an important way of protecting ICS infrastructure. The GAO report notes that early ICS "operated in isolation, running proprietary control protocols using dedicated hardware and software." This equipment was also often in physically secured areas, unconnected to broader networks.

The U.S. Department of Homeland Security has been issuing growing numbers of ICS vulnerability advisories since 2010, according to GAO.


But ICS technology is swiftly evolving — being changed by cheaper equipment and more standardized network protocols, thereby making attacks easier. Allowing remote access to ICS is becoming more common, the report notes, but it is still a high hurdle for would-be attackers.

"Cyberattacks on industrial control systems supporting grid operations might require a degree of sophistication and knowledge beyond what is necessary to conduct cyberattacks on IT systems," the report says. "Industrial control systems frequently use operating systems and applications that may be considered unconventional to usual IT personnel."

But the sheer volume of resources has grown the number of threats, and the report warns federal regulators may not be prepared. GAO makes three recommendations, two for FERC and one for the U.S. Department of Energy (DOE). According to the report, both agreed with the recommendations.

GAO recommended DOE develop a plan to implement a federal cybersecurity strategy for the grid, "and ensure that the plan addresses the vital characteristics of a national strategy, including a complete assessment of cybersecurity risks to the grid."

The report recommended FERC consider changes to its cybersecurity standards to "more completely address" the National Institute of Standards and Technology Cybersecurity Framework. It also recommended the agency evaluate the potential hazard of a coordinated cyberattack on distributed targets.

"FERC’s approved threshold for which entities have to comply with the demands in the full collection of grid cybersecurity standards is based on an evaluation that did not evaluate the potential danger of a coordinated cyberattack on geographically dispersed targets," the report says.

Following the analysis, the GAO recommends FERC determine if it needs to make changes to the threshold for mandatory compliance with the agency's full set of cybersecurity standards.

FERC appreciates GAO's feedback, and is "considering just how to address their recommendations," a commission spokesperson told Utility Dive in an email.

Along with the North American Electric Reliability Corporation, FERC is currently considering changes that could include publicly identifying violators of cybersecurity standards in the bulk electric system. Comments on the proposal were due this week to the commission.

According to Haward-Grau, the GAO report is a recognition of the growing threat to the grid and identifies the need for greater visibility.

"Enabling an effective configuration and inventory of these dispersed assets will be key to ensuring that the setting is understood," he said. "Which in essence is one of the basic requirements coming from the cyber defense standard."