In an earlier blog article titled “Energy Sector at risk of Cyber Attacks”, we described an attack on a Western utility company in which the attacker leveraged a known software vulnerability for which a patch was available but had not been applied. That the energy sector needs to pull up its socks is evident from two recent publications: the NIST Cybersecurity Guide for Energy Sector Asset Management [ESAM], which we blogged about recently, and now an assessment report from the US Government Accountability Office (GAO) titled “Critical Infrastructure Protection – Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid”. Let us look at the key findings of this GAO report.
GAO was asked to review the cybersecurity of the grid because the nation’s electric grid delivers the electricity that is essential for modern life. The specific objectives were to:
- Describe the cybersecurity risks and challenges facing the grid
- Describe federal efforts to address grid cybersecurity risks
- Assess the extent to which DOE has a defined strategy for addressing grid cybersecurity risks and challenges
- Assess the extent to which FERC-approved cybersecurity standards address grid cybersecurity risks
GAO developed a list of cyber actors that could pose a threat to the grid, identified key vulnerable components and processes that could be exploited, and reviewed studies on the potential impact of cyberattacks on the grid. GAO also analyzed the Department of Energy’s (DOE) approach to implementing the federal cybersecurity strategy for the energy sector as it relates to the grid, and assessed the Federal Energy Regulatory Commission’s (FERC) oversight of cybersecurity standards for the grid.
During the assessment, GAO found that the electric grid faces significant cybersecurity risks:
- Threat actors – Nations, criminal groups, terrorists and others are increasingly capable of attacking the grid.
- Vulnerabilities – The grid is becoming more vulnerable to cyberattacks, particularly those involving the industrial control systems (ICS) that support grid operations.
- Impacts – Cyberattacks on industrial control systems have already disrupted electric grid operations abroad (the report cites the 2015 and 2016 attacks on Ukraine’s grid).
GAO makes three recommendations in the report, one to DOE and two to FERC:
- Recommendation to DOE:
  - Develop a plan for implementing the federal cybersecurity strategy for the grid, and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid.
- Recommendations to FERC:
  - Consider adopting changes to its approved cybersecurity standards so that they more fully address the NIST Cybersecurity Framework.
  - Evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, based on the results of that evaluation, determine whether changes are needed to the threshold above which an asset must comply with the full set of cybersecurity standards.
It is important to note that DOE and FERC agreed with GAO’s recommendations. The risk of cyberattacks on the electric grid is real!
In a subsequent blog, we will take a deeper dive into the US GAO assessment report.
We are participating in CyberCon at the Anaheim Convention Center (November 19th – 21st, 2019). Drop us a note to arrange a meeting.