The Energy Department has been focused on securing the generation and transmission of power, but distribution processes are also increasingly vulnerable.
The Energy Department is collaborating with an external entity to test equipment that could help identify vulnerabilities in industrial control systems, but there are other areas where the department’s plan falls short, according to the Government Accountability Office.
In a press release Thursday, Energy announced its Office of Cybersecurity, Energy Security and Emergency Response would work with Schweitzer Engineering Laboratories to test digital security tools the industry uses alongside its physical operational technology.
“The complex global supply chains the U.S. relies on in producing this technology creates openings for security vulnerabilities,” the release said. “CESER is joining with Schweitzer Engineering Laboratories in the Cyber Testing for Resilient Industrial Control System (CyTRICS™) program, to use state-of-the-art analytics to test the various digital tools used by energy sector partners for security issues. This testing will make it easier to identify and address potential vulnerabilities within industrial control systems before bad actors can exploit them.”
The new supply chain program is one of three the department rolled out. The others aim to improve the workforce by funding industry ventures with academia that focus on cyber-physical systems and anticipating risks posed by electromagnetic pulse attacks and geomagnetic disturbance events.
On the same day last week, the Government Accountability Office released a report identifying gaps in the department’s plan to address risks to energy distribution systems.
GAO explained that energy sector functions are divided up into generation, transmission and distribution, and while distribution is mostly regulated at the state level, the Energy Department still has a role to play under federal decisions going back to a presidential policy directive from 2013.
The report pointed to a need for DOE to address vulnerabilities associated with the ICS supply chain but also GPS-dependent and networked consumer devices not controlled by distribution utilities as well as devices used for solar inverters and battery storage that are increasingly connected to the grid.
“In 2015, a solar energy company remotely updated the software of 800,000 of its customers’ smart solar inverters through the company’s networks,” GAO wrote. “However, a national laboratory found that such remote access poses a vulnerability. Specifically, an attacker may be able to compromise the company’s access to these devices to instruct them to perform actions outside their desired functionality, which could result in disruptions to the grid’s distribution systems operations.”
The department concurred with GAO’s recommendation that it should more fully address cybersecurity risks to the grid’s distribution system. However DOE officials told the GAO their plans would continue to prioritize distribution at the same level because they view threats to bulk power functions—generation and transmission–as having a greater impact.
“DOE officials told us that they are not addressing risks to grid distribution systems to a greater extent in their updated plans because they have prioritized addressing risks facing the bulk power system,” GAO said. “Officials said a cyberattack on the bulk power system would likely affect large groups of people very quickly, and the impact of a cyberattack on distribution systems would likely be less significant.”
GAO disagreed, and noted scenarios where even more localized impacts from attacks on distribution systems—such as those of a major city—could result in outages of national significance.