GAO warns over continuing cyber vulnerability of US energy sector

The US electricity grid’s distribution systems are increasingly at risk from cyberattacks, according to the Government Accountability Office (GAO).

The systems carry electricity from transmission systems to consumers and are regulated primarily by states.

However, they are growing more vulnerable, in part because of industrial control systems’ increasing connectivity, according to the GAO. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations.

The GAO pointed out that the US Department of Energy, as the lead federal agency for the energy sector, has developed plans to help combat these threats and implement the national cybersecurity strategy for the grid. However, it said:

“DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains. By not having plans that address the improvement to grid distribution systems’ cybersecurity, DOE’s plans will likely be of limited use in prioritizing federal support to states and industry.”

The GAO recommends that, in developing plans to implement the national cybersecurity strategy for the grid, DOE coordinate with the Department of Homeland Security, states, and industry to more fully address risks to the grid’s distribution systems from cyberattacks.

The vulnerability of the US energy sector to cyberattacks has been a live issue since 2021, when the CEO of US energy company Colonial Pipeline acknowledged that his company paid a multimillion-dollar ransom to cyber-criminals.

Speaking to the Wall Street Journal at the time, Joseph Blount justified the $4.4 million payment by saying that executives were unsure how badly the company’s systems had been breached or how long it would take to restore the pipeline.

The 5,500-mile Colonial Pipeline Co system was temporarily closed after one of the most disruptive cyberattacks on record, preventing millions of barrels of gasoline, diesel and jet fuel from flowing to the East Coast from the Gulf Coast.

The ransomware attack came just ahead of the Memorial Day holiday weekend at the end of May, the traditional start of peak-demand summer driving season.

The Southeast US bore the brunt of the outage, as the region is almost entirely without refineries.

According to reports, panic buying caused 90% of fuel stations in Washington, DC to run out. Outages in North Carolina fell to about 50%, and outages in South Carolina, Georgia and Virginia were under 50%, GasBuddy said.

The FBI officially confirmed that DarkSide was responsible for compromising Colonial Pipeline’s networks, saying that it was continuing to work with the firm and other government agencies on the investigation.