In a recent report, the GAO noted that smart grid systems are ripe with cybersecurity vulnerabilities, particularly in smart meters and industrial control systems.
The government watchdog related that the FBI has investigated complaints from utilities about widespread power theft by attackers who have hacked into smart meters. The hackers change the power consumption recording settings using software available on the internet.
In addition, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that it found malware at an electric bulk provider and electric utility, which was deployed through spearphising attacks launched by a “sophisticated threat actor”, the GAO related.
Despite these proven vulnerabilities, industry has failed to build cybersecurity into smart grid systems. “Experts told us that certain currently available smart meters had not been designed with a strong security architecture and lacked important security features, including event logging and forensics capabilities that are needed to detect and analyze attacks”, the GAO explained.
“In addition, our experts stated that smart grid home area networks – used for managing the electricity usage of appliances and other devices in the home – did not have adequate security built in, thus increasing their vulnerability to attack. Without securely designed smart grid systems, utilities may lack the capability to detect and analyze attacks, increasing the risk that attacks will succeed and utilities will be unable to prevent them from recurring”, the agency stressed.
Government inaction on smart grid cybersecurity has resulted from jurisdictional disputes between federal and state regulators, the watchdog noted.
“While jurisdictional responsibility has historically been determined by whether a technology is located on the transmission or distribution system, experts raised concerns that smart grid technology may blur these lines”, it said.
“For example, devices such as smart meters deployed on parts of the grid traditionally subject to state jurisdiction could, in the aggregate, have an impact on those parts of the grid that federal regulators are responsible for – namely the reliability of the transmission system”, the GAO concluded.