Dive Brief:
- The U.S. Department of Energy is working to implement a national cybersecurity strategy, and has so far focused its efforts on the nation's transmission and generation assets, but utility distribution systems are "increasingly at risk" from intrusion and disruption, according to a report from the Government Accountability Office.
- A coordinated attack on distribution systems "could cause outages in multiple areas even if it did not disrupt the bulk power system," the report, released in March, warns.
- Utility systems are generally not subject to federal security mandates because of the size of their facilities, and the report says DOE needs to "more fully" address those risks. Risk management experts say industrial control systems (ICS) connected to distribution networks are vulnerable, but question the need for new federal rules.
Dive Insight:
The increasing use of ICS to manage the electric grid has been recognized as a threat to the transmission and generation sectors, but GAO's report concludes federal security rules overlook increasing risks to distribution systems.
"Distribution systems are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks," the report found. "As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations."
The report noted, however, that "the scale of potential impacts from such attacks is not well understood."
Distribution systems are increasingly operated with monitoring and control technologies that have "traditionally been air-gapped from IT networks and the internet in general, making them generally impervious to remote attacks and vulnerabilities," Gary Kinghorn, marketing director at software security firm Tempered Networks, said in an email. "But that no longer is the case."
"These are legacy systems, frequently unmanaged, or unpatched, sometimes running in remote locations or lights out operations," Kinghorn said, adding that they represent a "potential disaster."
But Kinghorn said it is not difficult to secure that infrastructure, and "we already see many electrical utilities and regional energy cooperatives" taking steps to improve their risk profile and security processes.
The GAO report is "compelling," according to Mark Carrigan, chief operating officer of software security company PAS Global. Federal regulators are focused on security requirements for generation and transmission and "these measures do not properly identify and address risks that could lead to wide-spread power outages," he said in an email.
Older legacy systems were not designed with cybersecurity protections, said Carrigan, because they did not connect to the internet. The GAO report warns that legacy devices may not be able to ensure commands have been sent by a valid user, and may not be capable of running modern encryption protocols.
"The reality is that virtually all industrial control systems used to distribute power fall into this category," Carrigan said. "Companies should start by identifying those assets that, if compromised, pose the greatest potential of wide-spread power outages, and implement further controls to minimize the impact of a cyber-attack."
The GAO report recommends DOE "more fully address risks to the grid’s distribution systems from cyberattacks," and says the agency has agreed with that conclusion and is involved with a pair of research projects examining how to improve the security of distribution systems.
Those projects may help states and industry improve the cybersecurity of distribution systems, the report said, while also warning that "it will also be important for DOE to more fully address risks to the grid’s distribution systems from cyberattacks in DOE’s plans to implement the national cybersecurity strategy for the grid."
Some experts question whether new federal requirements are needed for utility systems, however.
"I would hope that the industry continues to be able to self-police itself well and recognize that new connectivity and access requirements demand more security oversight," Kinghorn said. "Time will tell if more oversight will be required based on how many breaches we see in the near term and how well the industry as a whole adapts to new digital transformation requirements."