Critical Infrastructure Protection: Federal Agencies Have Taken Actions to Address Electromagnetic Risks, but Opportunities Exist to Further Assess Risks and Strengthen Collaboration
What GAO Found
Key federal agencies have taken various actions to address electromagnetic risks to the electric grid, and some actions align with the recommendations made in 2008 by the Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack (EMP Commission). Since 2008, the Department of Homeland Security (DHS), the Department of Energy (DOE), and the Federal Energy Regulatory Commission (FERC) have taken actions such as establishing industry standards and federal guidelines, and completing EMP-related research reports. GAO found that their actions aligned with some of the EMP Commission recommendations related to the electric grid. For example, DHS developed EMP protection guidelines to help federal agencies and industry identify options for safeguarding critical communication equipment and control systems from an EMP attack. Further, agency actions and EMP Commission recommendations generally align with DHS and DOE critical infrastructure responsibilities, such as assessing risks and identifying key assets.
Additional opportunities exist to enhance federal efforts to address electromagnetic risks to the electric grid. Specifically, DHS has not identified internal roles and responsibilities for addressing electromagnetic risks, which has led to limited awareness of related activities within the department and reduced opportunity for coordination with external partners. Doing so could provide additional awareness of related activities and help ensure more effective collaboration with other federal agencies and industry stakeholders. Moreover, although DHS components have independently conducted some efforts to assess electromagnetic risks, DHS has not fully leveraged opportunities to collect key risk inputs—namely threat, vulnerability, and consequence information—to inform comprehensive risk assessments of electromagnetic events. Within DHS, there is recognition that space weather and power grid failure are significant risk events, which DHS officials have determined pose great risk to the security of the nation. Better collection of risk inputs, including additional leveraging of information available from stakeholders, could help to further inform DHS assessment of these risks. DHS and DOE also did not report taking any actions to identify critical electrical infrastructure assets, as called for in the National Infrastructure Protection Plan. Although FERC conducted a related effort in 2013, DHS and DOE were not involved and have unique knowledge and expertise that could be utilized to better ensure that key assets are adequately identified and all applicable elements of criticality are considered. Finally, DHS and DOE, in conjunction with industry, have not established a coordinated approach to identifying and implementing key risk management activities to address EMP risks. Such activities include identifying and prioritizing key research and development efforts, and evaluating potential mitigation options, including the cost-effectiveness of specific protective equipment. Enhanced coordination to determine key research priorities could help address some identified research gaps and may help alleviate concerns voiced by industry regarding the costs and potential adverse consequences on grid reliability that may be caused by implementation of such equipment.
Why GAO Did This Study
Electromagnetic risks caused by a man-made EMP or a naturally occurring solar weather event could have a significant impact on the nation's electric grid as well as other infrastructure sectors that depend on electricity, such as communications. These risks could lead to power outages over broad geographic areas for extended durations.
GAO was asked to review federal efforts to address electromagnetic risks to the electric grid. This report examines (1) the extent to which key federal agencies have taken action to address electromagnetic risks and how these actions align with the 2008 EMP Commission report recommendations, and (2) what additional opportunities exist to enhance federal efforts to address electromagnetic risks to the electric grid. GAO reviewed the EMP Commission report and federal program documents, and interviewed DHS, DOE, and FERC officials and relevant stakeholders who provided insights on key actions taken.
GAO recommends that DHS identify internal roles to address electromagnetic risks, and collect additional risk inputs to further inform assessment efforts; that DHS and DOE collaborate to ensure critical electrical infrastructure assets are identified; and engage with industry stakeholders to identify and prioritize risk-management activities, such as research and development efforts, to address EMP risks to the grid. DHS and DOE concurred with our recommendations and identified planned actions to address the recommendations.
Recommendations for Executive Action
|Department of Homeland Security||To enhance accountability for key risk-management activities and facilitate coordination with federal and industry stakeholders regarding electromagnetic risks, the Secretary of Homeland Security should designate roles and responsibilities within the department for addressing electromagnetic risks and communicate these to federal and industry partners.||
In a June 2016 update to our proposed recommendation, DHS reported that the Cyber, Infrastructure and Resilience (CIR) Policy Office within the DHS Office of Policy is working with DHS components to identify and articulate the roles of the National Protection and Programs Directorate, Federal Emergency Management Agency, Science and Technology Directorate, and others regarding efforts to address electromagnetic risks. In August 2017, the DHS Office of Strategy, Policy, and Plans provided GAO with documentation regarding the status of ongoing DHS efforts to develop an Electromagnetic Pulse (EMP)/ Geomagnetic Disturbance (GMD) Strategy, as called for in the National Defense Authorization Act for 2017. As part of this effort, DHS identified the DHS components that comprised the EMP/GMD Strategy Working Group including a description of their key roles and responsibilities related to addressing electromagnetic risks. As a result, this recommendation is closed as implemented.
|Department of Homeland Security||To more fully leverage critical infrastructure expertise and address responsibilities to identify critical electrical infrastructure assets as called for in the National Infrastructure Protection Plan, the Secretary of Homeland Security and the Secretary of Energy direct responsible officials to review FERC's electrical infrastructure analysis and collaborate to determine whether further assessment is needed to adequately identify critical electric infrastructure assets, potentially to include additional elements of criticality that might be considered.||
In a June 2016 update to our proposed recommendation, DHS reported that the National Protection and Programs Directorate (NPPD) was to increase collaborative outreach activities with FERC staff that will include a review of identified critical substations developed by FERC. The intended outcome of this review was to inform DHS activities regarding identification and prioritization of critical infrastructure assets for use during steady state and response activities. NPPD was also to inform FERC of its criticality modeling capabilities through the National Infrastructure Simulation and Analysis Center (NISAC) to enhance engagement with FERC's electric power subject matter expertise and inform future capability developments regarding response to and recovery from events such as electromagnetic pulse. In November 2017, NPPD provided documentation to GAO that department officials met with FERC staff on a number of occasions to provide an overview of the Office of Cyber and Infrastructure Analysis (OCIA) modeling capabilities through NISAC. DHS also provided briefings to the Energy Government Coordinating Council (of which DOE and FERC participate) on the modeling and simulation capabilities of NISAC. NPPD reported that collaboration between DHS and FERC is constrained as DOE acts as the Sector Specific Agency for Energy under Presidential Policy Directive-21 and FERC's role is as an Independent Regulatory Agency. However, they noted that DHS works through DOE, and as appropriate, engages FERC staff to understand current projects and coordinate efforts to understand risks from a variety of hazards, to include electromagnetic risks. In October 2018, DHS issued the EMP/GMD Strategic Plan which identifies additional efforts planned to help determine critical utilities and national security assets at risk from EMP and GMD events. In February 2019, GAO requested additional information from DHS about the status and timeframes associated with the forthcoming EMP/GMD Implementation Plan and any applicable details regarding efforts to identify critical infrastructure assets that would further address the intent of this recommendation. In December 2019, GAO requested additional information from DHS regarding efforts to collaborate with DOE and identify critical electrical infrastructure as part of deliverables called for in the EMP Executive Order (March 2019). In July 2020, DHS confirmed that DOE provided the department with a list of critical energy infrastructure in 2019, which identifies common components within the electric and oil and natural gas sub-sectors that, if disrupted or damaged could cause system failures. According to DHS officials, this deliverable meets all requirements in support of section 6(a)(i) in Executive Order 13865 and was recently updated by DOE in June 2020. As a result of this effort, the recommendation is closed as implemented
|Department of Energy||To more fully leverage critical infrastructure expertise and address responsibilities to identify critical electrical infrastructure assets as called for in the National Infrastructure Protection Plan, the Secretary of Homeland Security and the Secretary of Energy direct responsible officials to review FERC's electrical infrastructure analysis and collaborate to determine whether further assessment is needed to adequately identify critical electric infrastructure assets, potentially to include additional elements of criticality that might be considered.||
In June 2016, DOE provided an update (60-day letter) reiterating their intent to continue with actions identified previously to address the GAO recommendation, namely that the Office of Electricity Delivery and Energy Reliability was to review the Federal Energy Regulatory Commission's electrical infrastructure analysis, and subsequently engage with FERC and DHS to identify if any additional elements of criticality should be considered. In January 2017, DOE issued the Electromagnetic Pulse Resilience Action Plan which included a planned deliverable for March 2017 of a report that identifies and evaluates methodologies for identifying critical infrastructure, reviews findings, and includes recommendations. In November 2017, DOE officials reported to GAO that to address this deliverable, the department reviewed the FERC methodology and determined that a new methodology was not required. However, no additional details about this effort, including key participants or scope of activities were provided to GAO. In August 2019, DOE officials reported to GAO that a new methodology was developed to identify critical electrical infrastructure assets as part of deliverables requested by DHS to address the EMP Executive Order (March 2019). In July 2020, DHS confirmed that DOE provided the department with a list of critical energy infrastructure in 2019, which identifies common components within the electric and oil and natural gas sub-sectors that, if disrupted or damaged could cause system failures. According to DHS officials, this deliverable meets all requirements in support of section 6(a)(i) in Executive Order 13865 and was recently updated by DOE in June 2020. As a result of this effort, the recommendation is closed as implemented.
|Department of Homeland Security||To enhance federal efforts to assess electromagnetic risks and help determine protection priorities, the Secretary of Homeland Security should direct the Under Secretary for National Protection and Programs Directorate and the Assistant Secretary for the IP to work with other federal and industry partners to collect and analyze key inputs on threat, vulnerability, and consequence related to electromagnetic risks--potentially to include collecting additional information from DOD sources and leveraging existing assessment programs such as the Infrastructure Survey Tool, Regional Resiliency Assessment Program, and DCIP.||
In a June 2016 update, DHS reported that the department completed the planned refresh of the Strategic National Risk Assessment, which incorporates information on potential impacts to the power system from electromagnetic events. In addition, DHS reported that the Electricity Sub-sector Coordinating Council created an Electromagnetic pulse (EMP) task force, which met in April 2016 and provided input to the Joint Electromagnetic Pulse Resilience Strategy (published July 2016). However, DHS noted that existing assessment mechanisms, such as the Infrastructure Survey Tool (IST) and the Regional Resiliency Assessment Program have significant limitations with regard to their ability to be leveraged in support of this recommendation. Specifically, they noted that the IST is intended to be threat agnostic and applicable to a range of different scenarios, threats, and hazards. As a result, DHS stated that they will continue to seek other, more applicable mechanisms to collect and analyze electromagnetic risk information. In June and November 2017, DHS provided additional documentation identifying joint efforts between DHS's National Protection and Programs Directorate and DOE to enhance federal efforts to analyze the hazard environments, impacts, and consequences of EMP and GMD on U.S. electric power infrastructure. In addition, DHS reported that NPPD provided expertise and support to a departmental EMP working group that is leading the development of a DHS Electromagnetic Pulse (EMP)/Geomagnetic Disturbance (GMD) Strategy as required by the National Defense Authorization Act of 2017. As a result, this recommendation is closed as implemented.
|Department of Homeland Security||To facilitate federal and industry efforts to coordinate risk-management activities to address an EMP attack, the Secretary of Homeland Security and the Secretary of Energy should direct responsible officials to engage with federal partners and industry stakeholders to identify and implement key EMP research and development priorities, including opportunities for further testing and evaluation of potential EMP protection and mitigation options.||
In a June 2016 update, DHS reported completion of key activities previously identified to address this recommendation, including (1) further engagement with DOE and the Electricity Sub-Sector Coordinating Council (ESCC) to develop a joint government and industry approach to addressing EMP, and (2) ongoing utilization of the DHS Science and Technology's process of Integrated Product Teams (IPT) to identify and pursue additional opportunities to address potential EMP research and development capability gaps. Specifically, DHS reported that the Office of Infrastructure Protection and DOE has worked with the ESCC to help identify and implement EMP research and development efforts. It was noted that the ESCC created an EMP Task Force in November 2015, which has received classified EMP briefings from DOE and is currently developing a joint government and industry approach to address EMP. In regards to internal department research and development efforts, DHS identified the existing mechanism within S&T by which government and industry partners could identify potential EMP-related technology gaps to be addressed. While no new EMP-related gaps were identified prior to the March 2016 deadline, DHS noted that the existing IPT process could be used to formulate future technology gaps, prioritize those gaps, and allocate resources to related projects to address potential EMP gaps. In a Sept 20th email, DHS S&T requested closeout of the rec and provided two documents confirming establishment of the EMP Task Force within the ESCC, and EMP briefings provided to partners and industry. Three documents were also provided to describe the establishment of the IPT process previously identified as the mechanism for DHS S&T to identify and prioritize EMP-related R&D projects. In addition to reviewing support materials provided by DHS, GAO subsequently obtained and reviewed the joint DOE/Electric Power Research Institute (EPRI) EMP Strategy issued in July 2016. This strategy provides additional documentation regarding planned efforts by the ESCC EMP Task Force to identify potential mitigation measures that could be tested or deployed to address EMP threats. The Strategy also describes specific ongoing efforts by EPRI to provide further technical assessment of potential transmission system vulnerabilities and mitigation options, among other deliverables. These efforts are aligned with the intent of the recommendation and should help inform additional EMP research and development priorities. As a result, this recommendation is closed as implemented.
|Department of Energy||To facilitate federal and industry efforts to coordinate risk-management activities to address an EMP attack, the Secretary of Homeland Security and the Secretary of Energy should direct responsible officials to engage with federal partners and industry stakeholders to identify and implement key EMP research and development priorities, including opportunities for further testing and evaluation of potential EMP protection and mitigation options.||
On March 9, 2016 DOE provided agency comments on GAO-16-243 concurring with the recommendation and identifying related actions. Specifically, DOE reported collaboration with the Electric Power Research Institute (EPRI) to develop a joint DOE/Industry EMP Strategy to include key goals and objectives and identification of R&D priorities. The Joint Electromagnetic Pulse Resilience Strategy was released in July 2016 and was intended to enhance coordination and guide future efforts to help meet the growing demand for EMP-related guidance. In January 2017, DOE also issued the Electromagnetic Pulse Resilience Action Plan. This document serves to further refine and direct the Department's efforts to reduce EMP vulnerabilities and improve the energy sector's response and recovery after EMP events through coordination with interagency partners and non-federal stakeholders. The Action Plan identifies specific deliverables and associated timeframes, each of which are aligned with the five strategic goals in the Joint EMP Resilience Strategy. Among these are specific actions to Test and Promote Mitigation and Protection Approaches, such as developing and validating EMP test requirements. DOE also reported that, as of September 28, 2017, they have funded additional research to Test and Evaluate Geomagnetic Disturbance Mitigation Devices, which will be carried out by the Western Area Power Administration and EPRI. Additional EMP research was also conducted in 2017 through DOE's National Laboratories that served to identify potential technology gaps and included recommendations for further R&D efforts. As a result of these efforts, this recommendation is closed as implemented.