Skip to main content

Electricity Grid Cybersecurity: DOE Needs to Ensure Its Plans Fully Address Risks to Distribution Systems

GAO-21-81 Published: Mar 18, 2021. Publicly Released: Mar 18, 2021.
Jump To:

Fast Facts

The U.S. electricity grid's distribution systems—the parts of the grid that carry electricity to consumers—are becoming more vulnerable to cyberattacks, in part because of the introduction of and reliance on monitoring and control technologies. However, the scale of potential impacts from such attacks is not well understood.

The Department of Energy is working on the energy sector portion of the national cybersecurity strategy, but it has focused its efforts more on risks facing the grid's generation and transmission systems. We recommended more fully addressing risks to distribution systems.

The U.S. Electricity Grid

graphic showing distribution including behind-the-meter devices, step-down substation, customers

Skip to Highlights

Highlights

What GAO Found

The U.S. grid's distribution systems—which carry electricity from transmission systems to consumers and are regulated primarily by states—are increasingly at risk from cyberattacks. Distribution systems are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations. (See fig.) However, the scale of potential impacts from such attacks is not well understood.

Examples of Techniques for Gaining Initial Access to Industrial Control Systems

Distribution utilities included in GAO's review are generally not subject to mandatory federal cybersecurity standards, but they, and selected states, had taken actions intended to improve distribution systems' cybersecurity. These actions included incorporating cybersecurity into routine oversight processes and hiring dedicated cybersecurity personnel. Federal agencies have supported these actions by, for example, providing cybersecurity training and guidance.

As the lead federal agency for the energy sector, the Department of Energy (DOE) has developed plans to implement the national cybersecurity strategy for the grid, but these plans do not fully address risks to the grid's distribution systems. For example, DOE's plans do not address distribution systems' vulnerabilities related to supply chains. According to officials, DOE has not fully addressed such risks in its plans because it has prioritized addressing risks to the grid's generation and transmission systems. Without doing so, however, DOE's plans will likely be of limited use in prioritizing federal support to states and industry to improve grid distribution systems' cybersecurity.

Why GAO Did This Study

Protecting the reliability of the U.S. electricity grid, which delivers electricity essential for modern life, is a long-standing national interest. The grid comprises three functions: generation, transmission, and distribution. In August 2019, GAO reported that the generation and transmission systems—which are federally regulated for reliability—are increasingly vulnerable to cyberattacks.

GAO was asked to review grid distribution systems' cybersecurity. This report (1) describes the extent to which grid distribution systems are at risk from cyberattacks and the scale of potential impacts from such attacks, (2) describes selected state and industry actions to improve distribution systems' cybersecurity and federal efforts to support those actions, and (3) examines the extent to which DOE has addressed risks to distribution systems in its plans for implementing the national cybersecurity strategy. To do so, GAO reviewed relevant federal and industry reports on grid cybersecurity risks and analyzed relevant DOE documents. GAO also interviewed a nongeneralizable sample of federal, state, and industry officials with a role in grid distribution systems' cybersecurity.

Recommendations

GAO recommends that DOE more fully address risks to the grid's distribution systems from cyberattacks—including their potential impact—in its plans to implement the national cybersecurity strategy. DOE agreed with GAO's recommendation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Energy The Secretary of Energy, in coordination with DHS, states, and industry, should more fully address risks to the grid's distribution systems from cyberattacks—including the potential impact of such attacks—in DOE's plans to implement the national cybersecurity strategy for the grid. (Recommendation 1)
Open
DOE agreed with our recommendation. In its response to our report, DOE stated that it has been engaged in two congressionally directed projects to better address risks to the grid's distribution systems, and that, in 2020, it issued new awards for the implementation of cybersecurity solutions on distribution systems. These efforts may help states and industry improve the cybersecurity of distribution systems, but to fully address our recommendation, DOE should more fully address risks to the grid's distribution systems from cyberattacks in its plans to implement the national cybersecurity strategy for the grid. As of December 2023, we continue to monitor DOE's progress to implement our recommendation.

Full Report

GAO Contacts

Nick Marinos
Managing Director
Information Technology and Cybersecurity

Frank Rusco
Director
Natural Resources and Environment

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Control systemsCritical infrastructureCritical infrastructure protectionCritical infrastructure vulnerabilitiesCyber attacksCybersecurityElectricityElectricity gridsEnergy resourcesEnergy sectorsFederal agenciesGlobal positioning systemHomeland securityNational laboratoriesPublic utilities