Watchdog: Energy Department not doing enough to protect grid against cyber attacks

A report released Wednesday by the Government Accountability Office (GAO) found that the Department of Energy (DOE) has not done enough to protect the electrical grid against increasing cyber attack attempts, the same day a Senate committee approved legislation intended to bolster DOE’s work on grid security.

GAO wrote in the report, originally finalized in August, that “the nation’s electric grid is becoming more vulnerable to cyberattacks — particularly those involving industrial control systems that support grid operations. Recent federal assessments indicate that cyberattacks could cause widespread power outages in the United States, but the scale of such outages is uncertain.”

GAO emphasized that DOE “plays a key role in helping address cybersecurity risks in each component of the electric grid’s infrastructure. However, DOE has not developed plans for electric grid cybersecurity that address the key characteristics needed for a national strategy.”

The report also found that while the Federal Energy Regulatory Commission (FERC), which regulates the flow of electricity between states, has approved mandatory grid cybersecurity standards, these do not fully encompass current federal guidance on grid cybersecurity.

GAO noted that the actors with capabilities of interfering in the U.S. grid include foreign nations, criminal groups and terrorist organizations.

GAO recommended that DOE coordinate with other relevant federal agencies to develop a plan to implement a federal cybersecurity strategy for the electric grid. 

The report included a response from Karen Evans, the assistant secretary of DOE’s Office of Cybersecurity, Energy Security, and Emergency Response. Evans wrote that she “concurs” with GAO’s recommendation on the creation of a federal cybersecurity strategy, and noted that “DOE’s current actions meet the intent of GAO’s recommendation.”

Evans wrote that DOE is currently working to develop a “national cyber security implementation plan” to address energy sector cybersecurity, with the plan expected to be completed sometime this fall.

The report also included a response from FERC Chairman Neil Chatterjee, who wrote that he believed GAO’s recommendations on ways FERC can improve grid cybersecurity are “constructive.”

The GAO report was released the same day that the Senate Energy and Natural Resources Committee unanimously approved several pieces of legislation meant to protect the nation’s electric grid from cyber attacks, advancing the bills to the Senate floor for a vote.

The bills approved included the Enhancing Grid Security Through Public-Private Partnerships Act, which would require DOE to establish and carry out a program to assess the cyber and physical security of electric utilities. This legislation is sponsored by Sens. Cory Gardner (R-Colo.) and Michael Bennet (D-Colo.), and has a companion bill in the House that was approved by the House Energy and Commerce Committee in May.

The committee also approved the Energy Cybersecurity Act, sponsored by Sens. Maria Cantwell (D-Wash.) and Martin Heinrich (D-N.M.), which would require DOE to “develop advanced cybersecurity applications and technologies for the energy sector.”

Cantwell noted during the committee markup that “the grid is subject to over a million cyber attacks every day,” and pointed to an incident earlier this year during which an unnamed Western utility reported having operations disrupted due to a successful cyber attack as an example of why more action needs to be taken to secure the grid.

“Something we hear from our colleagues quite often on other committees, they are bringing generals and military leaders before the Armed Services Committee or the Intelligence Committee demanding what are they going to do about cybersecurity, when in reality so much of the focus is at DOE and on the grid,” Cantwell said. “So our committee has a very important role to play in national security.”