Electricity is critical to every aspect of modern life. The United States’ national security, economy, and public health and safety rely on the North American electric grid every second of the day. These functions, and many others powered by the grid, have likely experienced local outages caused by weather, accidents, or even tree branches falling on power lines. Larger power outages, however, are infrequent occurrences, due in part to an array of organizations that work tirelessly to ensure the grid remains reliable, resilient, and secure. Nonetheless, it is neither practical nor possible to prevent all disruptive events. Grid owners and operators balance risk, investment, and cost to customers when making investments in their systems.
Cybersecurity of the U.S. electric grid has emerged as one of the most important issues facing the electricity subsector today. Two key trends are increasing the risk of significant cyber incidents. On one hand, utilities and grid operators are adopting new technologies that leverage ever-expanding amounts of data and automated control capabilities to manage the grid more efficiently and reliably. On the other hand, cyber threat actors are becoming more knowledgeable about how to exploit various aspects of the grid infrastructure, including pathways through these new technologies, to achieve their malicious objectives.
As cyber capabilities become more readily available over time, state and non-state actors will continue to seek and develop techniques, tactics, and procedures to use against U.S. interests. It has been reported that the National Security Agency has seen intrusions into critical industrial control systems (ICS) by entities with the apparent technical capability “to take down control systems that operate U.S. power grids, water systems and other critical infrastructure.”
Cyberattacks and intrusions targeting U.S. electric utilities have been reported, though no lasting damage—physical, cyber-physical, or otherwise—has been observed. Without precedent, it is very difficult to predict the impacts to the country of a prolonged power outage from a significant cyber incident, which remains a significant gap for the intelligence community, industry, and subject matter experts. Mitigating this gap will require detailed knowledge of the capabilities of the adversary, the real-time technical conditions of the grid and electricity markets, the behavioral responses of the operators of multiple systems and their customers, as well as tens if not hundreds of additional variables.
In both government and private industry, U.S. electricity subsector stakeholders perform regular assessments and exercises, share information, and coordinate plans for general and specific responses to significant cyber incidents. As part of this overall coordinated effort, Executive Order 13800 on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” called for an Assessment of Electricity Disruption Incident Response Capabilities.
The national frameworks and systems for coordinating public and private sector risk management efforts are robust and sustained systems of plans, partnerships, and preparedness activities. In the last two years, the federal government has taken significant steps to enhance existing planning structures by substantially updating the concept of federal coordination for cyber incidents; creating incident-specific annexes to the national response and recovery planning frameworks focused on long-term power outages; and publishing a National Cyber Incident Response Plan.
National exercises focused on energy assurance and emergency response are important both for maintaining readiness and ensuring coordination among the diverse stakeholders and partners who manage the ecosystem of national preparedness and infrastructure risk management.
Despite taking steps to ensure their resilience to power disruptions, critical infrastructure sectors supporting the national economy, defense, and important lifeline functions remain vulnerable to power disruptions. The ability of government and industry partners to close identified gaps in cybersecurity preparedness and response capabilities can help reduce the potential scope and duration of a significant cyber incident on the electric grid, both for the electricity subsector and for interdependent critical infrastructure sectors.