The national power grid — classified by the government as a “critical infrastructure” network — may still be vulnerable to a cyber attack, even despite warnings from the Government Accountability Office in 2011 that major steps were required to mitigate the risk of cyber terrorism.
In a testimony Wednesday before the congressional subcommittees on Energy, and Research and Technology, and the Committee on Science, Space, and Technology, Gregory Wilshusen, director of Information Security Issues for the GAO, followed up on the 2011 Critical Infrastructure Protection report in which the GAO made a number of recommendations to a wide range of organizations involved in maintenance and regulation of power grids across the country, including the National Institute of Standards and Technology, the North American Electric Reliability Corporation, the Federal Energy Regulatory Commission, the Department of Homeland Security, and the Department of Energy.
“The electric power industry—including transmission and distribution systems—increasingly uses information and communications technology systems to automate actions with the aim of improving the electric grid’s reliability and efficiency,” the 2011 report stated. “However, these ‘smart grid’ technologies may be vulnerable to cyber-based attacks and other threats that could disrupt the nation’s electricity infrastructure. Because of the proliferation of cyber threats… GAO has designated protecting the systems supporting U.S. critical infrastructure as a high-risk area.”
In addition to establishing intuitive goals like “Ensuring that smart grid systems have built-in security features” and ” Taking a comprehensive approach to cybersecurity,” Wilshusen explained, the GAO specifically recommended “Effectively sharing cybersecurity information” and “Clarifying regulatory responsibilities” between independent agencies.
While agencies — including NIST, NERC and DOE — have made strides in fulfilling these goals, FERC, key in creating a strong foundation for cybersecurity through regulation, reportedly “did not coordinate with other regulators to identify strategies for monitoring compliance with voluntary cybersecurity standards in the industry.” The result is that FERC “does not know the extent to which such standards have been adopted or whether they are effective,” according to Wilshusen.
The stakes of such a lapse, said Wilshusen, are potentially disastrous.
“Unintentional threats [to the grid] can be caused by, among other things, natural disasters, defective computer or network equipment, software coding errors, and careless or poorly trained employees,” he said. “Intentional threats include both targeted and untargeted attacks from a variety of sources, including criminal groups, hackers, disgruntled insiders, foreign nations engaged in espionage and information warfare, and terrorists.”
FERC, he continued, is “critical to approving and disseminating cybersecurity guidance and standards” to prevent these eventualities. Until it takes “steps to monitor compliance with voluntary standards,” he warned, the risk of an attack on the power grid is a real possibility.
“Given the increasing use of information and communications technology in the electricity subsector and the evolving nature of cyber threats, continued attention can help mitigate the risk these threats pose to the electricity grid,” Wilshusen said.