The 2015 cyberattack on Ukraine’s energy grid that caused power outages for nearly a quarter million people was once the most devastating and best-known attack of its kind. Since then, there have been many successful power grid attacks in the United States. In addition to successful attacks on our energy systems, there have been thousands of probes into the security of critical energy infrastructure. Some have been coordinated probes that security experts have linked to the Chinese and Russian governments. Others have been executed by individual hackers who target critical infrastructure with hefty ransom demands.
Local and state utilities are incredibly vulnerable to ransomware attacks, phishing attempts and other cyber threats. While private energy companies might have the budget to hire experts and train employees, local and state government agencies rarely do. Their systems are outdated and poorly protected, while their IT departments are ill-equipped to handle the volume and sophistication of cyberattacks. In this post, we look at federal, state and local plans for electric grid cybersecurity. We review recent legislation in light of growing energy grid cybersecurity risks and identify ways to improve power grid cybersecurity.
Growing Global Threats to Our Nation’s Electric Grid and Energy Security
Cyberattacks have ramped up in recent years. Many have targeted the federal government and our nation’s critical infrastructure, but others have targeted private companies. State governments and local utilities are equally — if not more — vulnerable.
Our dependence on the power grid and the complex interconnectedness of utilities across the US make the energy sector an attractive target. It should come as no surprise that our energy systems are frequently targeted by politically and financially motivated bad actors.
In a cybersecurity white paper for the NGA, Patricio Portillo and colleagues underscore this. Portillo et al. write that 20% of all cyberattacks reported to the Department of Homeland Security in 2016 “targeted the energy sector,” which experienced a sixfold increase in incidents from 2010.
Since then, the number of attacks on energy infrastructure has exploded. As Naureen S. Malik writes in an article for Bloomberg, “attacks on US power grids rose to an all-time high in 2022.” Referencing data released in February 2023, Malik notes that “the number of direct physical attacks…that potentially threatened grid reliability rose 77%” from 2021.
Potential Consequences of a Successful Power Grid Security Attack
Successful cyberattacks on US power grids could cripple our energy supply chain. Writing for The Texas Tribune last March, Mitchell Ferman describes the “worst-case scenarios.” Ferman notes that hackers could “shut off electricity to millions.” They could “halt shipments of oil and gas from seaports” and prevent factories from producing critical products.
Citizens could lose heat, internet, air conditioning and light for hours — if not longer. Critical infrastructure like traffic systems, hospitals, police departments and emergency response teams could also suffer. Thankfully, both public and private sectors are taking electric grid cybersecurity seriously.
What are Federal, State and Local Government Agencies Doing to Protect Critical Infrastructure?
Local, state and federal governments — as well as private sector companies — have all taken steps to address the significant cybersecurity risks our grid faces. The Federal Energy Regulatory Commission, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security and nearly every other lead federal agency have issued guidance.
Recent legislation has demanded that public and private sectors take cybersecurity and the increasing cyber threat to our critical energy infrastructure seriously. Local and state governments have released similar cybersecurity plans and have passed their own bills into law. Private energy companies have increased spending on cybersecurity measures.
US National Cybersecurity Strategy for Electric Grid Cybersecurity
Our federal government has taken the lead in protecting critical infrastructure from cyberattacks. In 2021, the Biden administration announced its 100-day plan to better secure our electric grid against cyber threats. Last year, Congress increased the federal budget for cybersecurity.
In 2022, the Biden administration also announced a grant program that would provide a billion dollars in funding for state and local cybersecurity. The DOE announced an enormous budget for research into and development of cybersecurity technology.
Electric Grid Security Initiatives Implemented by State and Local Governments
Across the US, state and local governments have also taken initiative. Nearly three-quarters of all state governments passed cybersecurity legislation in 2021 alone. In December 2022, New York Governor Kathy Hochul went a step further. According to the Governor’s office, Hochul signed legislation “that will create strongest-in-the-nation cybersecurity protections for the state’s energy grid.”
Ways to Protect Our Power Grid from Cyberattacks
Below are a few steps private companies and public utilities can take to protect our power grid from attacks. These electric grid cybersecurity measures are recommended by both government agencies and cybersecurity researchers. As with any plan to prevent cyberattacks, our approach to protecting the energy grid and other critical infrastructure must be multipartite.
- In a recently published paper, researchers at RWTH Aachen University recommend “decentralizing power generation” to avoid mass outages. When communities rely on a single source of power, the consequences of an attack are more widespread and devastating.
- They also recommend investing in “intrusion detection systems” that will alert users to security breaches. Conducting routine risk assessments to identify gaps is also helpful.
- Private companies and government agencies should train their employees to observe cybersecurity best practices. This is especially important for remote and hybrid employees.
- In a white paper, Patricio Portillo recommends that government agencies and private companies “collaborate with utility regulators to enhance their cybersecurity oversight.”
- We must use air gaps, full-disk encryption and other approaches to physically protect our energy system from malicious actors seeking to cripple such infrastructure.
- Public and private sectors must join forces to protect our grid instead of working independently.
- Embrace pre-boot and post-boot authentication processes to prevent different types of attacks.
- The White House also recommends approaching federal law enforcement to establish a response protocol. One should contact a “local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.”
- Electric power industry and government partners should consult cybersecurity experts to ensure systems are on the cutting edge.