Reliable electricity is essential to the conveniences of modern life and vital to our nation’s economy and security. But the electricity grid is an attractive target for cyberattacks from U.S. adversaries, including nations such as China and Russia as well as individual bad actors such as insiders and criminals.
So, how is the electricity grid vulnerable and what could happen if it were attacked?
The U.S. Electricity Grid
Where are the potential weaknesses in our nation’s electricity grid?
The U.S. electricity grid is really three interconnected transmission grids covering the contiguous United States, as well as parts of Canada and Mexico. It is roughly divided into the western states, Texas, and the eastern U.S. and Midwest. These three interconnections operate independently to provide electricity to their regions.
There are several points of vulnerability in the U.S.’s system of electricity grids. For example, grid distribution systems—which carry electricity from transmission systems to consumers—have grown more vulnerable, in part because their operational technology increasingly allows remote access and connections to business networks. This could allow threat actors to access those systems and potentially disrupt operations.
Nations and criminal groups pose the most significant cyber threats to U.S. critical infrastructure, according to the Director of National Intelligence’s 2022 Annual Threat Assessment. These threat actors are increasingly capable of attacking the grid.
[Figure: Example of an Attacker Compromising High-Wattage Networked Consumer Devices]
As the lead federal agency for the energy sector, the Department of Energy (DOE) has developed plans to implement a national cybersecurity strategy for protecting the grid. However, we found that DOE’s plans do not fully incorporate the key characteristics of an effective national strategy. For example, the strategy does not include a complete assessment of all the cybersecurity risks to the grid. Addressing this vulnerability is so important that we made it a priority recommendation for DOE to address. We prioritize recommendations that need immediate attention.
Other actions for addressing grid cybersecurity risks
The Federal Energy Regulatory Commission (FERC), which regulates the interstate transmission of electricity, has approved mandatory grid cybersecurity standards. But it hasn’t taken steps to ensure that those standards fully address leading federal guidance for critical infrastructure cybersecurity. For example, as with DOE’s strategy, the standards do not include a full assessment of cybersecurity risks to the grid.
In 2019, we recommended that FERC consider adopting changes to its approved standards to more fully address federal guidance and evaluate the potential risks of a coordinated attack. These recommendations have not been implemented yet, leaving the grid vulnerable.
Finally, in March 2021, we found that the federal government does not have a good understanding of the scale of the potential impacts from attacks facing the component of the grid that is generally not subject to FERC’s standards: distribution systems. After identifying this vulnerability, we recommended the Department of Energy (DOE)—in coordination with the Department of Homeland Security, state, and industry partners—address risks to the distribution systems.
Find out more about our work on electricity grid cybersecurity by checking out our recent reports linked above.