On May 30, 2018, the federal government released a report that identifies gaps in assets and capabilities required to manage the consequences of a cyber attack on the U.S. electric grid. The assessment is a result of the U.S. Department of Energy (“DOE”) and the U.S. Department of Homeland Security’s (“DHS”) combined efforts to assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident and the United States’ readiness to manage the consequences of such an incident.
DOE and DHS caution, “as cyber capabilities become more readily available over time, state and non-state actors will continue to seek and develop techniques, tactics, and procedures to use against U.S. interests.” They note that the National Security Agency has already identified intrusions into critical industrial control systems by entities with the apparent technical capability to take down power grids, water systems and other critical infrastructure. While no lasting damage from cyber attacks and intrusions targeting U.S. electrical utilities has been observed, the assessment references a December 2015 cyber attack on three Ukrainian electricity distribution companies. The attacks were executed within thirty minutes of each other and caused outages for up to six hours for 225,000 customers. DOE and DHS report that large scale or long duration attacks in the United States could impact public health and safety, as well as result in economic costs of billions of dollars.
Although the report concludes that the U.S. government is generally well prepared, it identifies gaps around enhancing cyber incident response capacity, developing high-priority plans, augmenting scarce and critical resources, and understanding and characterizing response efforts to catastrophic incidents. DOE and DHS organize these gaps under seven categories: (1) Cyber Situational Awareness and Incident Impact Analysis; (2) Roles and Responsibilities under Cyber Response Frameworks; (3) Cybersecurity Integration into State Energy Assurance Planning; (4) Electric Cybersecurity Workforce and Expertise; (5) Supply Chain and Trusted Partners; (6) Public-Private Cybersecurity Information Sharing; and (7) Resources for National Cybersecurity Preparedness.
Among its recommendations, the report emphasizes the importance of public-private cybersecurity information sharing: “DOE should work with DHS, industry partners, and other relevant organizations to better define information needs and reporting thresholds through an assessment of voluntary and mandatory reporting requirements.” The report credits the federal government for taking significant steps to enhance existing planning structures for responding to cyber incidents in the last two years, but stresses the importance of closing the identified gaps.