LegiStorm

Summary:

In the United States, it is generally taken for granted that the electricity needed to power the U.S. economy is available on demand and will always be available to power our machines and devices. However, in recent years, new threats have materialized as new vulnerabilities have come to light, and a number of major concerns have emerged about the resilience and security of the nation's electric power system. In particular, the cybersecurity of the electricity grid has been a focus of recent efforts to protect the integrity of the electric power system. The increasing frequency of cyber intrusions on industrial control (IC) systems of critical infrastructure continues to be a concern to the electric power sector. Power production and flows on the nation's electricity grid are controlled remotely by a number of IC technologies. The National Security Agency (NSA) reported that it has seen intrusions into IC systems by entities with the apparent technical capability "to take down control systems that operate U.S. power grids, water systems and other critical infrastructure." As the grid is modernized and the Smart Grid is deployed, new intelligent technologies utilizing two-way communications and other digital advantages are being optimized by Internet connectivity. Modernization of many IC systems (in particular, the Supervisory Control and Data Acquisition [SCADA] system) also has resulted in connections to the Internet. While these advances will improve the efficiency and performance of the grid, they also will increase its vulnerability to potential cyberattacks. Black Energy, Havex, and Sandworm are all recent examples of malware targeting SCADA systems. New devices (like smart meters) and increasing points of access (such as renewable electricity facilities) introduce new additional areas through which a potential cyberattack may be launched at the grid. Many cybersecurity actions are reactive to the last threat discovered. While intrusion detection is a priority, some experts say that mitigation of cyber threats requires a focus on attackers, not the attacks. Cybersecurity strategies may shift from figuring out whether a system has been compromised to an understanding of who authored the malicious software and why. Although malware intrusions may not have resulted in a significant disruption of grid operations so far, they still have been possible even with mandatory standards in place. The North American Electric Reliability Corporation's (NERC's) current set of standards, Critical Infrastructure Protection (CIP) Version 5, is moving toward active consideration of bulk electric system security needs rather than just compliance with minimum standards. Electric utilities emphasize the need for timely information sharing and advocate for liability protection from potential damages resulting from a major cyber event. Some observers argue that it is the responsibility of electric utilities to embrace security as part of their strategic business planning and operations. The National Electric Sector Cybersecurity Organization has identified six failure scenario domains intended to assist utility cybersecurity efforts. These scenarios also illustrate the continuing vulnerability of the grid to potential cyber and physical attacks, or a combination of both. This report highlights several areas for congressional consideration to improve grid cybersecurity. One issue is whether electric utilities have the resources to make the financial investment and recruit staff to reduce vulnerabilities. Another issue is that NERC CIP standards do not apply to all points of grid connection to the distribution system, and these connections still may represent cyber vulnerabilities. The adequacy of current standards where they do apply is also an issue.