Over the past several years, the energy sector has become a prime target for hacking and ransomware attacks, with over 40 attacks on the industry since 2017. Cyber attacks have only continued to rise, with a record high of 13 reported attacks in one year occurring in 2022.
Physical Security Threats to U.S. Energy Infrastructure
A new type of threat against the energy sector crystallized at the end of 2022: physical attacks on the grid. On December 3, two substations in Moore County, North Carolina were attacked and tens of thousands of customers were left without power. Several weeks later, a similar event occurred in Tacoma, Washington, with three substations deliberately targeted and damaged, causing more than 14,000 outages. These were far from the only attempts to physically attack the grid in 2022, although these were the most impactful—for instance, several other substations in the Washington and Oregon area were attacked with less impact on the grid, and as early as February 2022, three men pleaded guilty for conspiring to provide material support to attacks on power grids.
The Department of Homeland Security (“DHS”) has been warning of the possibility of these types of attacks for some time. In January 2022, news outlets reported that DHS issued a bulletin warning that domestic violent extremists have “developed credible, specific plans to attack electricity infrastructure since at least 2020, identifying the electric grid as a particularly attractive target given its interdependency with other infrastructure sectors.” Among various possible plans, DHS noted the existence of a 14-page guide on executing low-tech attacks, including attacks on the power grid using guns, was released in 2020 and circulated on a variety of extremist communication outlets.
On November 30, 2022, just days before the North Carolina attack, DHS released an additional bulletin that warned of the threat of extremist attacks on a variety of targets, including U.S. critical infrastructure.
DHS is not the only agency that has acted in the wake of these attacks. On December 15, the Federal Energy Regulatory Commission (“FERC”) ordered the North American Electric Reliability Corporation (“NERC”) to consider increasing physical security standards, including requiring physical risk assessments at more transmission stations, substations, and associated control centers.
Throughout 2023 we expect to continue to see agencies introducing new regulations and guidance to prepare for and respond to these threats, and the industry will need to act to protect its assets from targeted physical attacks.
Cyber Security Threats to U.S. Energy Infrastructure
Cyberattacks on the energy sector were at an all-time high in 2022, and while the federal government has spent the past month scrambling to respond to the physical threats to energy infrastructure that dominated the news cycle in the final months of 2022, it spent the majority of 2022 focused on bulking up cybersecurity protections for the energy sector, including:
- DOE raised the alarm on cybersecurity vulnerabilities in distributed energy resources (“DER”), with DOE releasing a report in October identifying that, while an attack on DERs may be negligible today, as the capacity of DERs is growing substantially, such an attack could have significant impacts in just three years.
- NERC also noted these concerns in its Distributed Energy Resource Strategy released in November, flagging the lack of security requirements in resources such as rooftop solar systems.
- FERC has continued to focus on increasing utilities’ investments in cybersecurity. In September, it proposed new incentives for utilities to make voluntary investments in cybersecurity, including an extra 2% return on equity on expenditures. However, FERC is also continuing to consider whether mandatory standards will be needed to address these concerns.
- DOE announced in August that it will direct $45 million to support “next-generation” cybersecurity research, development, and demonstrating projects to reduce cyber risks for energy delivery infrastructure.
- DOE also unveiled in June its National Cyber-Informed Engineering Strategy: a plan to strengthen the energy sector’s ability to respond to cyber threats, including increased cyber resilience in design, implementation, operation, and maintenance of energy infrastructure.
Based on these actions, we anticipate continued focus on the development of DERs in a manner to ensure robust security as this capacity grows. Agencies are also increasing the amount of funds available to the industry for beefing up their cybersecurity. With the increasing vulnerabilities in both cyber and physical security in the energy sector, we imagine agencies will be eager to find more ways encourage (or, as FERC is considering, require) industry actors to improve their cybersecurity technology.
Similarly, the National Security Agency (“NSA”) has also raised concerns that Russia may launch cyber attacks on the global energy sector as a tactic in the ongoing war, with the Cyber Director indicating that Russia has already been instigating attacks on countries neighboring Ukraine, such as Poland. As the war in Ukraine shows no signs of winding down, this issue too is likely to continue to require vigilance.