New Grid Study Sees United States Vulnerable to Cyberattacks

A national study on electric grid security released Thursday called on the United States to do more to protect its grid against high-impact attacks, highlighting large gaps in U.S. technology and infrastructure.

The nonpartisan report from the National Academies of Sciences, Engineering and Medicine, commissioned by Congress, comes as the Trump administration proposes significant cuts to cybersecurity research in key budget areas.

The report was funded by the Department of Energy and calls on the agency to play a bigger role in organizing almost 3,000 grid operators to strengthen the electric grid and improve its ability to withstand man-made and natural attacks, such as cyberattacks and hurricanes. The Committee on Enhancing the Resilience of the Nation’s Electric Power Transmission and Distribution System, which authored the report, also calls for more vigorous research programs to protect the nation’s electricity supply.

“We’re not gonna get there with just what we have in hand,” Granger Morgan, the chair of the committee and professor of engineering and public policy at Carnegie Mellon University, said in a webinar Thursday.

President Donald Trump has proposed significant budget cuts to cybersecurity research for the next fiscal year: The science and technology arm of the Department of Homeland Security, which largely focuses on cyber issues, would be allocated $437 million, or 27 percent below fiscal 2017 levels, while the Energy Department’s Office of Cybersecurity for Energy Delivery Systems would be allotted $42 million, or 33 percent less.

With recent Russian hacking attacks on nuclear plants, attention on Capitol Hill is also focused on the resilience of the grid. Malware attacks have targeted the personal computers of nuclear power plant operators employees since May.

A bipartisan Senate energy bill, introduced by Energy and Natural Resources Committee Chairwoman Lisa Murkowski (R-Alaska) and ranking member Maria Cantwell (D-Wash.), includes $200 million a year for grid modernization in the Energy Department’s Office of Electricity. The senators are trying to bring the bill the Senate floor for a vote, Cantwell said.

“We want him [Trump] to restore money in the budget and to quit trying to cut the cybersecurity budget,” Cantwell said Thursday in a brief interview.

Cantwell introduced a bill in 2015 to modernize the electric grid and increase its resilience to natural disasters, cyberattacks and electromagnetic threats. Eighty-five senators voted for that measure as part of a larger energy infrastructure and security bill. The legislation stalled on the House side.

Cantwell and fellow Senate Democrats wrote to the White House on June 22 for further action on grid resilience, asking for an assessment of the grid after a nuclear plant cyberattack.

The White House did not respond to a request about the letter.

The authors of Thursday’s report said cyber breaches can’t be wholly prevented, so resilience measures would help speed up recovery or reduce the impact from powerful blackouts and long-term grid shutdowns.

“Much less emphasis has been placed on cyber resilience [than security measures],” William Sanders, a co-author of the report and head of the electrical engineering department at the University of Illinois at Urbana-Champaign, said during the webinar.

On Tuesday, Energy Secretary Rick Perry said at a press conference that the agency was looking at cyber threats, such as electromagnetic pulse attacks on the grid — without providing further details or talking about proposed budget cuts. He said the Idaho National Lab, the Sandia National Lab and the Pacific Northwest National Lab “collectively are looking at the cybersecurity side of the grid.”

The DOE will be issuing a separate grid study that Perry said is focused on maintaining “the grid’s ability to deliver the energy that the country needs.” The study is expected in the coming weeks.

The challenge is determining who is responsible for making the grid safer. For instance, electromagnetic pulse attacks are low probability, so it’s hard to justify investing taxpayer money to protect against them, a member of the Electric Power Research Institute, an energy advisory group, told the Senate Energy Committee in May.

The key remains protecting critical assets and “making sure that we can restart the grid if there’s [an] electromagnetic pulse and things fail, that it’s not components that require years to replace,” Mark McGranaghan, a vice president at the institute, said in an interview Thursday.