The U.S. Energy Department says the electricity system "faces imminent danger" from cyber-attacks, which are growing more frequent and sophisticated, but grid operators say they are already on top of the problem.
In the department's landmark Quadrennial Energy Review, it warned that a widespread power outage caused by a cyber-attack could undermine "critical defense infrastructure" as well as much of the economy and place at risk the health and safety of millions of citizens. The report comes amid increased concern over cybersecurity risks as U.S. intelligence agencies say Russian hacking was aimed at influencing the 2016 presidential election.
"Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency," it said in the 494-page report. "The current cybersecurity landscape is characterized by rapidly evolving threats and vulnerabilities, juxtaposed against the slower-moving deployment of defense measures."
The department detailed 76 recommendations to boost energy, including increasing the collection of data about online breaches from utilities. Separately, it called for extending tax credits to boost construction of new nuclear reactors. Overall, the report said, total investment requirements necessary for grid modernization range from $350 billion to $500 billion.
The risks to the electric sector were highlighted within the past week as suspicious Internet traffic was found on a laptop computer at a Vermont electric utility. While the laptop wasn't connected to the grid, the Burlington Electric Department alerted federal authorities of the risk.
Modified or new grid reliability requirements and increased data collection on cyber-attacks will be needed to address the cyber risks, it said. While there haven't been major attacks in the U.S., the department review noted that a 2015 attack on the Ukrainian grid caused widespread power outages. That "should be seen as an indicator of what is possible," it said.
The report also called for a new Energy Department assessment of cybersecurity for natural gas pipelines.
Regional wholesale grid operators including PJM Interconnection LLC said they have implemented security measures, such as having redundant facilities, to counter cyber threats.
"We are continually working to improve our security as cybersecurity threats evolve," said Marcia Blomberg, spokeswoman for ISO New England Inc. in Holyoke, Massachusetts. "We monitor system conditions continuously, and we share information as needed with regulatory and industry bodies."
Utilities have had "cyber incidents" like ransomware attacks, according to the National Rural Electric Cooperative Association, which represents smaller, rural electric cooperatives.
"These things typically happen via email by clicking on an attachment or a link that brings the malware into the network," Barry Lawson, the association's senior director of power delivery and reliability, said in an interview. Once that happens the network is locked. To get back in, the company must either pay ransom to a criminal enterprise or work around it over time. "But that can cost quite a bit of money," he said.
He declined to specify the number or timing of the cyber-attacks, but said all of the utilities were able to "get back where they need to be."
The Quadrennial Energy Review is part two of a broad administration-wide review of the nation's energy policies. The first report, released in 2015 focusing on energy infrastructure, recommended spending $15.2 billion over a decade to improve the grid, and called for $2 billion to upgrade the Strategic Petroleum Reserve.
(c) 2017, Bloomberg · Ari Natter, Mark Chediak