GAO Identifies Significant Cybersecurity Risks in US Electric Grid

• The GAO determined that the electric grid faces significant cybersecurity risks and is becoming more vulnerable to cyberattacks by threat actors and criminal groups.
• The GAO has also made recommendations to the Department of Energy (DOE) and the Federal Energy Regulatory Commission (FERC).

The new report released by the Government Accountability Office (GAO) reveals that the nation’s electric grid is becoming more vulnerable to cyberattacks.

What did GAO do?

The GAO reviewed the cybersecurity of the nation’s electric grid, analyzed the Department of Energy (DOE) strategy for addressing the cybersecurity risks faced by the electric grid, and assessed the extent to which FERC-approved the standards to address the grid’s cybersecurity risks.

What did GAO find?

The GAO determined that the electric grid faces significant cybersecurity risks and is becoming more vulnerable to cyberattacks by threat actors and criminal groups.

• The GAO identified key vulnerable components and processes used in the grid that could be exploited.
• This includes the increased use of consumer Internet of Things (IoT) devices connected to the internet, and the use of GPS to synchronize grid operations.
• The GAO also identified the potential impact of cyberattacks on the grid which includes widespread power outages in the United States.

“Although cybersecurity incidents reportedly have not resulted in power outages domestically, cyberattacks on industrial control systems have disrupted foreign electric grid operations. In addition, while recent federal assessments indicate that cyberattacks could cause widespread power outages in the United States, the scale of power outages that may result from a cyberattack is uncertain due to limitations in those assessments,” the report read.

GAO’s recommendations

The Government Accountability Office (GAO) has made recommendations to the Department of Energy (DOE) and the Federal Energy Regulatory Commission (FERC).

Recommendations to DOE:

• To develop a plan for implementing the federal cybersecurity strategy for the electric grid, and
• To ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid.

Recommendations to FERC:

• To make changes to FERC’s approved cybersecurity standards in order to completely address the NIST Cybersecurity Framework.
• To evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, based on the results of that evaluation, determine if changes are required.

Both the DOE and FERC have agreed with GAO’s recommendations.