On the day before Christmas Eve 2015, a cyberattack hit the power grid in Ukraine, shutting off power to about half the homes in the Ivano-Frankivsk region of the country.
The incident, which was blamed on Russia-based cybercriminals, marked the world’s first known successful cyberattack against an electric grid. Ever since, the question that has haunted American electricity providers and government officials has been: Can the same thing happen to the U.S. grid?
Cybersecurity experts agree that at some point in the near future cybercriminals based in other countries could shut down at least some portions of the U.S. power grid, if not the entire grid.
“Will it surprise me if at some point an electric company has an outage because of a cyberattack? No. If that doesn’t happen within the next five years, I’d be very surprised,” Danny Jenkins, CEO of cybersecurity firm ThreatLocker, said in an interview.
Jenkins said he thinks any shutdown of portions of the electric grid as a result of a cyberattack would likely be confined to a localized area served by one of the country’s many smaller electric utility companies, which tend to have less robust cyber protections in place than the big regional power companies.
“Do I think it’s a wide-scale issue? Probably not wide-scale but it should be addressed and those companies should be looking at it,” he said.
The answer to the question of whether cyberattacks can result in power blackouts in the U.S. is yes, said Padraic O’Reilly, co-founder of cyber risk firm CyberSaint.
“Nobody really likes to talk about it. It’s such a big yes, such a scary yes,” he said. “The networks have been to some extent infiltrated.”
Government response to cyber challenges
Over the past several years, different sectors of the federal government have been working on various fixes to the challenge posed by potential cyberattacks on the electric grid.
On July 22, the U.S. Department of Energy released a tool designed to help electric utilities as well as other types of energy companies evaluate and improve their ability to protect against cyberattacks. In a press release, the DOE announced the release of Version 2.0 of the Cybersecurity Capability Maturity Model (C2M2). The release of the updated model took place as part of a 100-day plan announced by the Biden administration in April to confront cyber threats to critical systems essential to U.S. national and economic security.
The C2M2, first released in 2012, is designed to help organizations in the energy sector understand cyber risks to their information technology (IT) and operational technology (OT) systems. The updated model includes inputs from 145 cybersecurity experts representing 77 energy sector organizations.
“Our electricity, oil, and natural gas industry partners played a critical role in jointly authoring the C2M2 to ensure that it is responsive to the current cyber risk landscape,” said Fowad Muneer, acting deputy assistant secretary in DOE’s Office of Cybersecurity, Energy Security and Emergency Response.
The administration’s focus on increasing the cybersecurity protections for critical pieces of energy infrastructure has only intensified in the wake of the ransomware attack on Colonial Pipeline, which resulted in the shutdown of the pipeline. The pipeline carries about a quarter of the East Coast’s supply of gasoline and other fuels.
Distribution system risks
In March, the nonpartisan Government Accountability Office released a study highlighting the vulnerability of the grid’s distribution systems, which carry electricity from transmission systems to consumers, to cyberattacks. These systems are typically regulated by the states.
“Distribution systems are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations,” the report states.
While many of the distribution utilities included in its review were generally not subject to mandatory federal cybersecurity standards, the GAO found that some utilities and states had taken voluntary actions to improve the distribution systems’ cybersecurity defenses.
In addition, a number of bills have recently been introduced in Congress dealing with various aspects of cybersecurity, including several bills that deal directly with hardening the defenses of the electric grid.
As lawmakers and regulators formulate the best mechanism for beefing up the cyber defenses of the electric grid, they must deal with the unique regulatory frameworks already in place.
Unlike the oil and gas pipeline network, the electric grid is overseen by a not-for-profit international regulatory authority. The mission of the North American Electric Reliability Corporation (NERC) is to assure the effective and efficient reduction of risks to the grid’s reliability and security.
NERC provides its members and partners with resources to reduce cyber and physical security threats through the Electricity Information Sharing and Analysis Center (E-ISAC).
“All critical infrastructure sectors are vulnerable to cyberthreats,” Manny Cancel, CEO of E-ISAC, said in an interview. “On the electricity side, cybersecurity has been something they have taken very seriously for a long time, putting in programs and adhering to well-recognized standards that help guide the maturation of cybersecurity.”
In another difference from the pipeline network, the electric companies that make up the grid don’t compete with one another, which allows them to share information across the sector. This information sharing helps the companies maintain situational awareness about evolving cyberthreats, Cancel said.
“That should by no means be construed to think that we’ve got this problem covered. The adversaries continue to change the way they continue to attack us. They’re very sophisticated, very persistent,” he said. “We just have to continually maintain our guard.”
Cancel questions whether additional regulation of the electric power industry is needed or whether more robust standards should be put in place to make the electric grid more resistant to cyberattacks.
He pointed out that the electricity sector has had a great deal of regulation in place for quite some time, governing the bulk power system as well as other facets of the industry.
“The critical question is: Is more regulation needed? I think that’s a question that requires additional deliberation,” he said.
By the same token, NERC might need to establish new cybersecurity standards, but that is only a partial solution to the evolving challenge of cyberattacks. Instead, Cancel called for continued close collaboration between the private sector and the government to address the grid’s cybersecurity issues.
“Standards are something we should take a look at, but they’re not a silver bullet at all,” he said.