Executive Summary
With utilities in the U.S. and around the world increasingly moving toward smart grid technology and other upgrades with inherent cyber vulnerabilities, correlative threats from malicious cyber attacks on the North American electric grid continue to grow in frequency and sophistication.
The potential for malicious actors to access and adversely affect physical electricity assets of U.S. electricity generation, transmission, or distribution systems via cyber means is a primary concern for utilities contributing to the bulk electric system.
This paper seeks to illustrate the current cyber-physical landscape of the U.S. electric sector in the context of its vulnerabilities to cyber attacks, the likelihood of cyber attacks, and the impacts cyber events and threat actors can achieve on the power grid. In addition, this paper highlights utility perspectives, perceived challenges, and requests for assistance in addressing cyber threats to the electric sector.
There have been no reported targeted cyber attacks carried out against utilities in the U.S. that have resulted in permanent or long-term damage to power system operations thus far, yet electric utilities throughout the U.S. have seen a steady rise in cyber and physical security-related events that continue to raise concern.
Asset owners and operators understand that the effects of a coordinated cyber and physical attack on a utility’s operations would threaten electric system reliability and potentially result in large-scale power outages.
Utilities are routinely faced with new challenges for dealing with these cyber threats to the grid and consequently maintain a set of best practices to keep systems secure and up to date.
Among the greatest challenges is a lack of knowledge or strategy to mitigate new risks that emerge as a result of an exponential rise in complexity of modern control systems.
This paper compiles an open-source analysis of cyber threats and risks to the electric grid, utility best practices for prevention and response to cyber threats, and utility suggestions about how the federal government can aid utilities in combating and mitigating risks.
Among the findings of this paper, several key elements are:
The growth of networks and communication protocols used throughout ICS networks poses vulnerabilities that will continue to provide attack vectors that threat actors will seek to exploit for the foreseeable future. The interoperable technologies created for a shift toward a smart grid will continue to expand the cyber attack landscape.
Threat actors on multiple fronts continue to seek to exploit cyber vulnerabilities in the U.S. electrical grid. Nation-states like Russia, China, and Iran and non-state actors, including foreign terrorist and hacktivist groups, pose varying threats to the power grid. A determined, well-funded, capable threat actor with the appropriate attack vector can succeed to varying levels depending on what defenses are in place.
Utilities often lack a full-scope perspective of their cyber security posture. Total awareness of all vulnerabilities and threats at all times is improbable, but without enough cyber security staff and/or resources, utilities often lack the capabilities to identify cyber assets and fully comprehend the system and network architectures necessary for conducting cyber security assessments, monitoring, and upgrades.
Some utilities require financial assistance in creating or shaping their cyber strategy, both to meet regulatory standards and for business security. While regulatory requirements for the bulk electric system are clear about what compliance outcomes utilities should achieve, utilities desire guidance about how to best achieve cyber security outcomes, as well as how to develop active defenses capable of addressing a highly targeted cyber attack.
The assortment of regulatory standards and guidelines applicable to utilities regarding cyber security practices produces varied methods of adoption. This causes some overlap and confusion in jurisdictional applicability (federal vs. state) and has produced a wide range of differing practices by utilities in meeting standards, making an evaluation of industry-wide best practices difficult.
Utilities expect more qualitative, timely threat intelligence from existing federal information sharing programs. Utilities also seek clarity about the conditions of information sharing programs based on new national cyber security policy (CISA 2015).