Lack of Skilled Workers Puts Security of the Electric Grid at Risk Warns New Report

Following up on last week’s Capitol Update, in which we reported the Office of Management and Budget released a report stating most federal agencies are unprepared for cyber-attacks, the Department of Energy (DOE) recently released its own report on the matter. The Cyber EO 2E report asserts that “Cybersecurity of the U.S. electric grid has emerged as one of the most important issues facing the electricity subsector today.”

The assessment enumerates gaps in capabilities and capacity that exist around enhancing cyber incident response capacity, including: 

1. Cyber Situational Awareness and Incident Impact Analysis
2. Roles and Responsibilities under Cyber Response Frameworks
3. Cybersecurity Integration into State Energy Assurance Planning
4. Electric Cybersecurity Workforce and Expertise
5. Supply Chain and Trusted Partners
6. Public-Private Cybersecurity Information Sharing
7. Resources for National Cybersecurity Preparedness

These gaps stem from issues such as lack of funding and a dearth of skilled workers. The lack of awareness regarding the consequences of a large scale power outage caused by an attack on the electric grid is a main concern. The report explains that “Mitigating this gap will require detailed knowledge of the capabilities of the adversary, the real-time technical conditions of the grid and electricity markets, the behavioral responses of the operators of multiple systems and their customers, as well as tens if not hundreds of additional variables.” It goes on to explain that there is also little understanding of how to recover from a cyber-attack, as these attacks would differ greatly from other factors affecting the grid such as hurricanes or ice storms.

Due to the wide scope of cyber-attacks on the electric grid, the report also calls on the DOE to work with other agencies such as the Department of Homeland Security to bolster both defenses against cyber-attacks, as well as responses to successfully executed attacks. While there have been no major attacks reported on the grid to-date, the report makes reference to the two cyber-attacks on the Ukrainian electric grid in December 2015 and again in 2016.

In a press release following the release of the report, DOE Secretary Rick Perry highlighted the newly-created Office of Cybersecurity, Energy Security and Emergency Response as an “important step” in safeguarding energy infrastructure, and that "This Administration recognizes the growing security risk of cyber threats and has prioritized overcoming these challenges facing our nation."

To read the full report, click here: https://www.energy.gov/sites/prod/files/2018/05/f51/EO13800%20electricity%20subsector%20report.pdf