Cybersecurity has become a core issue for the U.S. power system, as important as the supply of raw materials used to generate electricity, a senior official at the grid’s watchdog said, as government officials push to shore up critical infrastructure from hackers.
“Security is at the heart of our operations, and one of the highest priority items right next to changing resource mix,” said John Moura, director of reliability assessment and performance analysis at the North American Electric Reliability Corp., a standards-setting and enforcement body for the energy industry.
The electric grid didn’t suffer any loss of output as a result of cyberattacks in 2020, according to NERC’s State of Reliability report, published Tuesday. Intelligence sharing among companies through the Electricity Information Sharing and Analysis Center, which NERC operates, grew by 96% in 2020 compared with 2019, with about 2,600 pieces of information shared. Suspicious activity reports, cyber-related reports, and information on phishing scams and software vulnerabilities made up the bulk of the data, the report said.
NERC’s growing focus on cyber reflects a broader push by the Biden administration, which launched a 100-day plan in April to identify and remediate vulnerabilities in the power grid. The Energy Department, Cybersecurity and Infrastructure Security Agency and nongovernment organizations such as NERC have helped electric utilities upgrade their defenses, providing a blueprint the White House hopes to replicate across other sectors.
Mr. Moura said cyberattacks had been a particularly serious concern for NERC since hackers last year penetrated SolarWinds Corp. software and proceeded to break into systems at private companies and federal agencies. The U.S. has blamed Russian intelligence services for launching the attack, which Moscow denies.
“Unlike weather or some of our other risks, this is much more difficult to manage,” he said. “The persistence that we’ve seen and the level of sophistication more recently, especially with SolarWinds at the end of the last year, really highlighted the capability of the threat actors.”
Fears of cyberattacks against the energy sector came to fruition on May 7, when a ransomware attack against Colonial Pipeline Co. shut down a key East Coast fuel artery for six days. In June, Energy Secretary Jennifer Granholm said that U.S. adversaries had developed cyber capabilities that could take down the power grid.
Reflecting growing concerns about the state of cybersecurity in critical economic sectors, a bipartisan infrastructure bill passed by the Senate on Aug. 10 earmarked $1.9 billion in funding for cybersecurity improvements.
While the bill is a step in the right direction, power lobbyists say, much more investment is needed to secure systems in the future, particularly given the vulnerabilities posed by aging operational technology.
“Tens of billions of dollars more will be needed to adequately fund needed cybersecurity improvements,” said Jim Cunningham, president of the power advocacy group Protect Our Power. Critical areas include upgrading communications systems, enhancing supply chain security and providing funds for smaller power companies that might have limited cyber budgets.
“We have a once-in-a-generation opportunity to repair and rebuild our infrastructure,” he said.
Write to James Rundle at [email protected]
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8