The risks aren’t well understood by researchers, in part because of local and state control of electrical utilities.
Electric vehicles and internet-connected home appliances are making the electrical grid more vulnerable to cyber attacks — and even the Department of Energy doesn’t know how bad the problem is, according to a March report from the Government Accountability Office, or GAO.
While cybersecurity researchers have for years warned of insecurity in internet-of-things devices, GAO says these devices could threaten energy distribution systems: the portions of the electrical grid that deliver electricity to homes and businesses. These systems are usually managed by states or local governments while the devices are controlled by consumers. Therein lies part of the problem.
“Distribution utilities have limited visibility and influence on the use and cybersecurity of these devices because consumers typically control them, according to officials from a national laboratory,” the report states. The Department of Energy “has developed plans to implement the national cybersecurity strategy for the grid, but these plans do not fully address risks to the grid's distribution systems.”
But the vulnerabilities of local utilities may threaten entire state or regional grids. “Officials from another national laboratory said the extent to which the bulk power system is susceptible to disruption from attacks on distribution systems is unclear. For instance, they told us that the scale of potential impacts on the bulk power system from a cyberattack on the grid’s distribution systems is not well understood,” the report said.
The sheer number of connected devices is a large part of the problem, especially if an attacker can trick them to operate in a coordinated manner. In 2018, Princeton University researchers demonstrated the possibility of converting multiple energy-hungry devices—such as heaters and air conditioners—into a botnet. Such botnets are commonly used for distributed-denial-of-service attacks that take down websites. But the Princeton researchers found that they could also be used “in order to manipulate the power demand in the grid,” according to the abstract from their paper.
A cyber attack on a distribution system has never caused a power outage in the United States, something that the Energy Department noted in its response to GAO. But Russian-backed attacks have led to power outages in Ukraine. The first one, in December 2015, affected almost 200,000 people in the dead of the Ukranian winter. Nearly a year later, Ukrainians near Kiev experienced a similar disruption, an event that Ukranian energy authorities believe to be a cyberattack by Russia.