The U.S. electrical grid provides the country the power to enjoy all the luxuries of modern life and technology.
The increased connectivity brought on by the Industrial Internet of Things (IIoT) allows for more real-time monitoring and adjustment of power, but with those benefits also comes greater risk.
The reliability of the grid has become a topic of greater national interest. The recent SolarWinds incident has highlighted the importance of securing critical infrastructure in the U.S., including the electricity grid.
The U.S. Government Accountability Office (GAO) has released a report, Electricity Grid Cybersecurity, detailing concerns with the cybersecurity of the grid in the U.S. and what should be done to ensure its security in the future.
[RELATED: How a Hacker Tried to Poison a Florida City]
Cybersecurity for U.S. electricity grid
The electrical grid essentially has three functions: generation, transmission, and distribution. The GAO report notes that the distribution systems are increasingly vulnerable to cyber attacks, but the scale of potential impacts remains unclear.
It says the increased vulnerability is partly due to the introduction and reliance on monitoring and control technologies. Here are some examples from the report:
- "Industrial control systems increasingly include remote access
capabilities to monitor and control operations and connect to
corporate business networks;
- Grid operations increasingly rely on global positioning systems (GPS)
for critical position, navigation, and timing information; and
- More networked consumer devices and distributed energy resources, which provide increased monitoring and control capabilities for consumers and utilities, are being connected to distribution systems networks."
It also says the increased vulnerabilities are compounded for distribution
systems because of the size and dispersed nature of the systems, which
present a large attack surface.
How do hackers gain access to industrial control systems?
On page 14 of the report, the below graphic is included to show how a hacker might gain access.
After gaining access, attackers will use tactics such as execution, evasion, and lateral movement for the purpose of positioning themselves to manipulate or interrupt industrial control systems.
The report states that vulnerabilities in the grid's industrial control systems might come from the following factors:
- "Older legacy systems were not designed with cybersecurity
protections because they were not intended to connect to networks
such as the internet. For example, many legacy devices are not able
to authenticate commands to ensure that they have been sent from a
valid user and may not be capable of running modern encryption
protocols. In addition, some legacy devices do not have the capability to log commands sent to the devices, making it more difficult to detect malicious activity. Further, older legacy systems often rely on unsupported operating systems that no longer receive modern software security patches to address vulnerabilities, according to DHS officials. The officials noted, for example, that Microsoft stopped supporting Windows XP with security patches in 2014, but many industrial control systems still used the unsupported operating system at that time.
- Safety and efficiency goals of the grid conflict with the goal of security in the design and operation of the systems. For example, vulnerability scanning is often used in IT systems to validate proper system configuration and to identify any vulnerabilities that may be present. However, grid operators often do not use conventional IT vulnerability scanning because of perceptions that it can impact the availability of energy delivery systems,36 and testing may not always detect vulnerabilities present in industrial control systems.
- Systems components often have to be taken offline so that owners
and operators can apply security patches to address known cybersecurity vulnerabilities. However, this may not happen in a timely manner because the devices must remain highly available to support the reliable operation of the grid."
For more information regarding the cybersecurity of the U.S. electrical grid, read the GAO report.