Also, in March, the U.S. Government Accountability Office issued a report to Congress recommending action by DOE to fully address risks to electrical distribution systems.
In its report, the GAO stated, “The U.S. grid’s distribution systems — which carry electricity from transmission systems to consumers and are regulated primarily by states — are increasingly at risk from cyberattacks. Distribution systems are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations.”
Federal Agencies Take Steps to Improve Security for Utilities
According to GAO, the distribution utilities included in its review generally are not subject to mandatory federal cybersecurity standards, but they had taken actions intended to improve the cybersecurity of their systems. “These actions included incorporating cybersecurity into routine oversight processes and hiring dedicated cybersecurity personnel. Federal agencies have supported these actions by, for example, providing cybersecurity training and guidance,” such as the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Workforce Training Guide, which was released in August.
As the lead federal agency for the energy sector, GAO said, “DOE has developed plans to implement the national cybersecurity strategy for the grid, but these plans do not fully address risks to the grid’s distribution systems. For example, DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains.”
According to DOE officials, the department has not fully addressed such risks in its plans because it has prioritized risks to the grid’s generation and transmission systems. Unless DOE addresses distribution-system risks as well, however, its plans will likely be of limited use in prioritizing federal support to states and industry for improving the cybersecurity of grid distribution systems, leaving energy providers vulnerable to cyberattack.
Federal Agencies and Third-Party Providers Offer Assessments and Training
In July, DOE announced an updated version of its Cybersecurity Capability Maturity Model (C2M2), “a tool designed to help companies of all types and sizes evaluate and improve their cybersecurity capabilities. The C2M2 updates address the evolving cyber threat and technology landscape. Today’s release of C2M2 V2.0 advances the Administration’s 100-day plan to confront cyber threats from adversaries who seek to compromise critical systems that are essential to U.S. national and economic security.”
In addition to the updated assessment tool, DOE announced it is building security by design into all research and development from its national labs and across the department. “Finally, it’s critical that we empower today’s energy workforce with the skills they need to defend and protect the security of our energy systems. Through initiatives like DOE’s recently expanded cybersecurity workforce development program, CyberForce, we’re doing just that.”
Third-party service providers such as CDW can help with security assessments. The Cybersecurity and Infrastructure Security Agency (CISA) also conducts specialized security and resilience assessments. According to the agency, “these voluntary assessments assist CISA and its partners — federal, state, tribal, territorial governments and private industry — in better understanding and managing risk to critical infrastructure. The assessments examine infrastructure vulnerabilities, interdependencies, capability gaps, and the consequences of their disruption.”