From the U.S. Government Accountability Office, www.gao.gov Transcript for: Electric Grid Cybersecurity Description: In this episode, we talk about the cybersecurity risks to the nation's electric grid. Related GAO Work: GAO-19-332: Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid Released: September 2019 [ Background Music ] [ Nick Marinos: ] At the end of the day for again, our daily lives to remain normal we need our infrastructures to be powered. [ Jacques Arsenault: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Jacques Arsenault. We rely on the electric grid for so much. Serious disruptions could affect public safety, transportation, the economy, or even your ability to hear this podcast. And I have two guests with me to talk about their report on the grid's cyber security. Both are GAO directors -- Nick Marinos with Information Technology and Cyber Security, and Frank Rusco with Natural Resources and Environment. Thanks for joining me gentlemen. [ Nick Marinos: ] Thanks a lot. [ Frank Rusco: ] You bet. [ Jacques Arsenault: ] Frank, how important is the security of the National Electric Grid? [ Frank Rusco: ] It's a great question. The electric grid pretty much delivers electricity to all of the essential infrastructure of the nation. So if you think about it, it supports hospitals, first responders, telecommunications, financial services, you know without it you can't charge your phone. It's hugely important. One of the things that I think about is even functions like first responders, hospitals they all have backup generation. It runs on diesel or gasoline typically. Without power you can't refill that. So once you've run out of that initial fuel you have, even that can go out. So if you have a widespread disruption in power that lasts a long time it can be very serious. [ Jacques Arsenault: ] And Nick, when we talk about the electric grid, why is cyber security important? [ Nick Marinos: ] Well, the grid powers not only our homes but all key critical infrastructure in the nation. And so when we think about cyber security and ensuring the cyber security of our nation, the grid is one of the most vital components to it. Since 1997, GAO has been on record as identifying cyber security as a High Risk Area, not only to the federal government but to the nation. And in 2003 we actually added the designation of protecting critical infrastructure from cyber threats as a key component to that High Risk Area. Most recently we've seen that cyber threat actors--these could be nations, criminals, terrorists--are actually becoming increasingly more capable of carrying out attacks on the grid. And in fact, in the 2019 World Wide Threat Assessment out of the Office of the Director for National Intelligence, we actually saw two countries get identified as having potential capabilities in this area. We saw China identified as having an ability to disrupt Natural Gas Pipeline for days or potentially weeks. And Frank mentioned that fuel as being very vital obviously to the grid. We also saw Russia be identified as having the ability to disrupt electrical distribution networks for at least a few hours. [ Jacques Arsenault: ] And you mentioned we first put this on the High Risk list in 1997 and then 2003. It seems like technology has advanced quite a bit since then. How have those advances in technology impacted this? [ Nick Marinos: ] The technology has brought great functionality. So the ability to remotely monitor and potentially even adjust configurations to these networks that really support the grid provide some great value, but at the same time also create vulnerability. And so we've seen over time these industrial control systems go from being more closed-off to now interconnected, not only again through this remote capability, but actually more integrated into the business systems of companies that maintain this stuff. And so when you have that interconnection, then there's potential for example, for business systems to actually get targeted and attacked through let's say a spearfishing attack. And that could create vulnerability also on the industrial control system itself. [ Jacques Arsenault: ] So with all those threats is there a national strategy for how we counteract these threats? [ Nick Marinos: ] Yeah, we've seen both at the national level and then by key federal agencies that there have been efforts to outline a strategy. So in September 2018, we saw the release by the White House that the National Cyber Strategy as part of that national strategy, securing critical infrastructure was a key component of it and specifically within energy and power. We've also seen the Department of Energy over the last few years come out with a few plans and assessments that are intended to outline some of how the department itself is going to help coordinate efforts to reduce the risks to the grid. [ Jacques Arsenault: ] So Frank, from what we know does this strategy address those risks and their potential effects? [ Frank Rusco: ] Well DOE plans are a step in the right direction. What they have done right is they have identified the purpose and the scope, and to some extend the way that they're going to achieve security of energy infrastructure and particularly the grid. But they have a lot of steps that they haven't taken. And key among these are that DOE has not fully even assessed the cyber security threats to the grid. Without such assessment we cannot adequately plan or even take mitigating steps. [ Background Music ] [ Jacques Arsenault: ] It sounds like the Department of Energy has plans for addressing grid cyber security risks to this important segment of the infrastructure, but some of their assessments may be based on incomplete or outdated information. Frank, have there been examples of cyber attacks on electric grids in other countries? [ Frank Rusco: ] Yes, there have. For example, in 2015 a cyber attack on the Ukrainian grid, which is believed to have been caused by Russian operatives, took out power for 225,000 customers. The big concern here, as Nick mentioned, is if a cyber attack were to cause damage to key components of the grid such as transformers, this could cause widespread and long lasting power outages. In such a situation, the whole security of the country could be compromised because all the first responders, all of the key elements that lead to our security could run out of power indefinitely. [ Jacques Arsenault: ] So how can we avoid experiencing similar attacks here, Nick? [ Nick Marinos: ] Well, I think the recommendations on our report could help. So seeing the Department of Energy take steps to really build out their grid cyber security plan would really help here. So not only in really identifying and assessing what the key cyber security risks are to the nation, but really setting forward action through that plan. And then we've also made recommendations to the Federal Energy Regulatory Commission, FERC, which is the federal regulator for much of the electric grid. And really what we pointed to was the need for their own cyber security requirements to better reflect the cyber security risks that are facing the grid. [ Jacques Arsenault: ] So finally, what would you say is the bottom line of this report? [ Nick Marinos: ] You know, Jacques, I think this is a serious concern that we have, but it's not time to panic. The recommendations that we're making are building on efforts that are already underway. So, DOE has a plan in place but really needs to build it out more. And we need to see FERC take its current requirements and make sure that they reflect what are the most concerning cyber security risks out there. At the end of the day for, again, our daily lives to remain normal, we need power. We need our infrastructures to be powered. And so it's vital for the federal government to really take a strategic approach towards ensuring the protection of the electricity grid. [ Frank Rusco: ] I agree, and the only thing I will add is that the problem is getting more complicated, not less. So all the devices that are coming out, we have smart meters, we have smart thermostats, all of these things are internet-connected. And so anytime there's an internet connection there's a potential threat of malfeasance. And so to the extent that everything is becoming more interlinked and interconnected, the risk is growing and it's not shrinking so that's -- as Nick said, we need to get busy and fix this problem. [ Jacques Arsenault: ] Frank Rusco and Nick Marinos were talking about their GAO Report, which reviewed the cyber security of the National Electrical Grid. Thank you both for your time. [ Frank Rusco: ] Thank you. [ Nick Marinos: ] Thanks a lot, Jacques. [ Background Music ] [ Jacques Arsenault: ] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at gao.gov.