With America’s electrical infrastructure getting zapped daily by an unprecedented number of cyberattacks, the federal government is taking action to prevent a potentially crippling hack of the grid.
A 100-day plan was announced Tuesday by the U.S. Energy Department to harden security systems for the country’s electrical infrastructure and increase the ability to detect and neutralize cyber threats.
“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” Energy Secretary Jennifer Granholm said in a statement. “It’s up to both government and industry to prevent possible harms — that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system.”
The electric industry was among those hit by recent cyberattacks and data breaches targeting Solar Winds and Microsoft Exchange software, but officials stress the timing of Tuesday’s announcement is not directly tied to those events.
The U.S. government has blamed Russia’s spy agency for the Solar Winds attack. Microsoft said vulnerabilities in its mail and calendar software for corporate and government data centers were primarily exploited by the so-called Hafnium group in China.
The North American Electric Reliability Corporation, a non-profit regulatory authority that oversees utilities in the United States and Canada, said about 25 percent of electric utilities on the North American power grid downloaded the SolarWinds backdoor.
“Given the sophisticated and constantly changing threats posed by adversaries, America’s electric companies remain focused on securing the industrial control systems that operate the North American energy grid,” said Tom Kuhn, president of the Edison Electric Institute, which represents all U.S. investor-owned electric companies.
Kuhn said the new initiative is appreciated and indicates “the Biden administration is making cybersecurity for operations a high priority.”
Tuesday’s announcement comes after some industry criticism that funding for grid security was not included in the recent infrastructure package announced by President Joe Biden.
The 100-day plan includes “aggressive but achievable milestones and will assist owners and operators as they modernize cybersecurity defenses, including enhancing detection, mitigation, and forensic capabilities,” said National Security Council Spokesperson Emily Horne in a statement.
Among the fears—that an enemy of the United States or a cybercriminal group could replicate what happened in Ukraine in 2015 when the information systems of the country’s three energy distribution companies were remotely accessed by Russia, causing 200,000 consumers to lose power. A year later in Ukraine, a power transmission station was knocked offline by Russian hackers who were able to trip circuit breakers after planting malware in the network of the national grid operator.
"The safety and security of the American people depend on the resilience of our nation's critical infrastructure," said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security.
Officials describe this effort to harden the power system against cyberattacks as a pilot project of the Biden administration before such measures are enacted for other vulnerable sectors of the country’s infrastructure.
A Government Accountability Office report issued last month warned that the U.S. grid’s distributions systems “are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks.”
The Biden administration also is lifting a temporary ban on acquiring and installing bulk-power systems that serve critical defense systems, while the Energy Department receives industry input for a new executive order on guidelines for purchasing equipment.
Last May, then-President Donald Trump signed an executive order declaring “the unrestricted foreign supply of bulk-power system electric equipment” an “unusual and extraordinary threat to national security.” The order restricted purchases and use of such foreign equipment.
The large, interconnected bulk electric system consists of facilities necessary for operating the power transmission network and maintaining a balance of generation and demand from second to second.
Biden, in his first day in office, suspended Trump’s order for 90 days and directed the Energy Department and the Office of Management and Budget to “jointly consider whether to recommend that a replacement order be issued.”