Distribution system vulnerabilities need to be fully addressed for a national cybersecurity strategy to have an effect, US Government Accountability Office (GAO) reports.
The review by the GAO states that distribution systems are becoming more vulnerable to cyberattacks, largely because of the introduction of monitoring and control technologies.
In particular there is increase in industrial control systems with remote access capabilities and connection to corporate business networks, increasing dependence on GPS for timing information and more networked consumer devices and distributed energy resources.
As a result potential cyber attackers can use multiple techniques to access those systems and possibly disrupt operations.
However, the scale of the potential impacts from such attacks is not well understood, the GAO finds.
The challenge in the US is that unlike the generation and transmission systems, which are federally regulated for reliability, the distribution systems are generally not and are regulated primarily by state and local entities.
The US Department of Energy is working on the energy sector portion of the country’s national cybersecurity strategy, but has focused its efforts more on risks facing the grid’s generation and transmission systems, the GAO reports.
Without addressing the distribution systems’ vulnerabilities, the DOE’s plans will likely be of limited use in prioritising federal support to states and industry to improve their cybersecurity, the GAO states, recommending the DOE more fully address these risks.
Distribution system vulnerabilities
The GAO in its report cites real world examples of techniques for gaining access to industrial control systems and corporate networks – and from where additional threat tactics can be launched – to include product manipulation of the supply chain, access to internet connected devices, ‘phishing’ emails and virtual private network connections.
Vulnerability to such attacks may be because of poor cybersecurity practices at utilities related to encryption, authentication, patch management or configuration management, the report comments.
Other factors they may stem from include the presence of older legacy systems that were not designed with cybersecurity protections, the safety and efficiency goals of the grid conflicting with the goal of security in the design and operation of the systems or failure to make timely security patch updates to systems components.
Examples of the potential impacts, again from real world cases, include loss of visibility into network operations and loss of productivity and revenue.
Another is the performance of unauthorised actions by systems devices such as during the 2015 attacks on the Ukrainian power grid when unauthorised commands to open the breakers at substations led to loss of power to about 225,000 customers.
The GAO reports in its findings that DOE officials had stated they had prioritised addressing risks to the bulk power system, as a cyberattack would likely affect large groups of people very quickly, whereas the impact of a cyberattack on distribution systems would likely be less significant.
However, none of the federal and non-federal entities that were spoken with were aware of any assessments confirming the scale of potential impacts of a cyberattack on distribution systems.
In addition, even if a cyberattack on the grid’s distribution systems did not impact the bulk power system, such an attack could still have significant national consequences, depending on the specific distribution systems that were targeted and the severity of the attack’s effects, according to some interviewees.
For instance, an attack on the grid’s distribution systems for a large city could result in outages of national significance. Additionally, a coordinated attack on distribution systems could cause outages in multiple areas even if it did not disrupt the bulk power system.
In its response the DOE concurred with the findings, citing two projects under way on distribution cybersecurity with the National Rural Electric Cooperative Association (NRECA) and American Public Power Association (APPA). The estimated completion date is September 2023.