A report has said that the U.S. must consider improving its cybersecurity to ensure it is resilient to being hacked, as threats against the grid continue to rise.
Cyber security and energy infrastructure robustness in the US are being called into question, given recent news reports that attacks on U.S. power grids rose to an all-time high last year.
A Government Accountability Office (GAO) review conducted in 2019 revealed some of the main challenges to grid security. It also spoke of strengthening energy infrastructure in line with green transition developments and the increased connectivity of renewable energy operations.
These included the need to hire a skilled workforce to manage cybersecurity, limiting the sharing of classified information between the public and private sectors, resource limitations, reliance on other critical infrastructure that requires cybersecurity strengthening, and uncertainty about how to best implement cybersecurity standards.
Further, the report suggested that although the Department of Energy (DoE) had developed plans “to implement the national cybersecurity strategy for the grid”, these plans “do not fully address risks to the grid’s distribution systems.”
For example, the supply chain-related vulnerabilities of distribution are largely overlooked as the DoE focuses on resolving threats to the grid’s production and transmission systems.
Greater digitalization in recent years has put the grid at higher risk of attack by criminals, terrorists, hacktivists, and foreign governments. The electric grid relies on industrial control systems, which manage electrical processes and physical functions like opening and closing circuit breakers.
Since many systems are now using technologies that connect to the internet – to improve remote monitoring, thereby reducing cost and boosting efficiency – this makes them more vulnerable to hacking.
The GAO believes the DoE can enhance cybersecurity by focusing on three key tasks: the adoption of a cybersecurity framework, the establishment of risk management programmes, and the implementation of the Federal cybersecurity strategy for the electric grid, which includes the comprehensive assessment of the grid’s cybersecurity risks.
The U.S. Secretary of Energy, Jennifer Granholm, warned last year that despite mandatory security requirements being followed and high levels of redundancy being built into the country’s power system, it was still possible for a sophisticated hacker to crash the grid.
Experts see that hackers are getting smarter, and the range of threats broader. While some are threatening the system to gather data and make money from intellectual property, others are approaching it from the standpoint of sabotage.
While some attacks are internal, hacking groups in Russia, China, Iran, and North Korea all have high levels of sophistication and pose a threat to U.S. power.
But the U.S. has been preparing for such an attack. The Pentagon’s Defense Advanced Research Projects Agency (Darpa) has played out a scenario five times in the last three years where they hack the system as cybersecurity experts and utility operators fight to bring it back online. This has helped utilities to understand some of the cyber threats and how best to respond.
These types of drills have been being led by Darpa since 2015, under the $118 million project Rapid Attack Detection, Isolation and Characterisation Systems (Radics).
Last year, the DoE announced $45 million in funding to test technology to “protect our electric grid from cyber-attacks.” And the 2021 bipartisan infrastructure bill provides billions of dollars in financing for cybersecurity, including the $100 million Cyber Response and Recovery Fund.
However, hacking groups suggest that taking down the grid is still too easy and poses a major threat to national security. A group of white hat hackers – aka ethical security hackers that run hypothetical scenarios – won $40,000 for cracking a system that is widely used by industrial companies, including those that run the U.S. power grid.
Also Read: UK Extends New Energy Saving Incentives
This revealed continued weaknesses in the system which could lead to hackers threatening the system for ransoms or political motivations. Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency stated, “As the destruction or corruption of these control systems could cause grave harm, ensuring their security and resilience must be a collective effort that taps into the innovation, expertise, and ingenuity of the [industrial control systems] community.”
But the winning hackers warned that the grid is highly vulnerable, with the team requiring “just a couple of days” to hack the industrial control system. Dutch researchers from the team, Daan Keuper and Thijs Alkemade, explained “In industrial control systems, there is still so much low-hanging fruit,” adding “The security is lagging behind badly.”
The U.S. will keep running these types of competitions to reveal weaknesses in the system and address them before external hackers have the chance to attack. But this does not comprehensively address the issue of poor cybersecurity in U.S. energy infrastructure, offering a reactive rather than a preventative approach to the challenge.
As cyber threats to the U.S. electric grid continue to rise, the government must do more to strengthen its energy infrastructure to threats as it undergoes greater digitalization. Despite providing large amounts of funding to fix this challenge, significant weaknesses remain, suggesting the need for a comprehensive cybersecurity strategy to be implemented at the national level, as well as the establishment of a cybersecurity standards agency to oversee the implementation of national guidelines across the sector.