The Department of Energy (DoE) needs to fully address potential cyber vulnerabilities to the United States electrical grid system in its national cybersecurity strategy, a Government Accountability Office (GAO) report recommends.
The GAO report, publicly released March 18, found that the grid’s distribution systems, which carry electricity from providers to consumers, are “increasingly at risk” of cyberattacks.
“Distribution systems are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations,” the report says.
There are three components of the electrical grid: generation, transmission, and distribution. This study focuses on the state-regulated distribution systems and follows a 2019 GAO report on the Federally regulated generation and transmission systems. That 2019 report found the transmission and generation systems were also increasingly vulnerable to cyberattacks.
The distribution systems reviewed do not typically fall within Federal purview, but the report acknowledges they have taken actions to improve cybersecurity. DoE has similarly taken actions to implement a national cybersecurity strategy for the grid, but the report found the plan does not fully account for supply chain-related vulnerabilities in the distribution system.
The scale of the potential impact of an attack on these systems is currently unknown, the report says. However, outages in just the Texas power grid in February – due to winter storms – led to water outages and at least 70 deaths.