As discussed previously in this blog, physical attacks against substations have been on the rise. However, the U.S. power grid[1] is also vulnerable to cyberattacks from U.S. adversaries, which includes hostile foreign governments, as well as individual bad actors such as insiders and criminals. Although there have been more physical attacks than cyberattacks on the electrical grid this year (see also Department of Energy annual summaries), the potential for harm is great by either approach.

Furthermore, physical vulnerabilities can be used to create and exploit cyber vulnerabilities. For example, in 2017 the University of Tulsa in Oklahoma demonstrated how they could stop the turbines on an entire wind farm by first physically breaching a pin-and-tumbler lock on one turbine’s metal door and then hacking unsecured servers inside the turbine that were connected to all other turbines on the project. The vulnerability of wind farms continues to be a concern. Unlike legacy power plants that are isolated (“air gapped”) from the commercial Internet, small renewable installations in Europe often run on diverse third-party systems that are digitally connected to the power grid. In fact, according to Wall Street Journal reporting in April of 2022, three European renewable energy companies reported cyber incidents following Russia’s invasion of Ukraine.

Given the potential of such combined physical and cyberattacks, the historical reliance on protecting cyber systems by having an air gapping where systems are disconnected from wireless networks and the Internet is coming into question, given successful attacks that implemented both approaches. Some examples include: (i) the U.S. Department of Homeland Security alert that Russian “cyber actors” had gained the ability to disable U.S. electrical grids and had breached the “air gap” through spear-fishing and other tactics; (ii) the announcement by Microsoft and cyber security agencies from the United States and four other governments that a Chinese government hacking group had acquired a significant foothold inside critical infrastructure environments; and (iii) the Stuxnet virus that in part relied on the physical use of infected USB drives to disable Iranian nuclear facilities.

On September 12, 2023, the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced $39 million of funding for nine new National Laboratory projects addressing cybersecurity concerns affecting distributed energy resources, which include utility-scale solar, wind, storage and other clean technologies, as well as behind-the-meter systems and devices. The focus on protecting renewable systems reflects a growing international concern about the vulnerability of these resources to cyberattacks.

Government regulations continue to evolve to anticipate and respond to these cyber and physical threats to the bulk power system. Pursuant to 16 U.S.C. Section 824o, the Federal Energy Regulatory Commission (Commission or FERC) has authority to oversee the reliability of the bulk power system, which includes authority to approve mandatory cybersecurity reliability standards. FERC certified the North American Electric Reliability Corporation (NERC) as the United States’ Electric Reliability Organization. In Order 706, FERC approved Critical Infrastructure Protection (CIP) Reliability Standards developed by NERC and directed NERC to further modify those standards. In June of 2023, NERC issued its 2023 State of Reliability which found, in part, that physical and cyber attacks are increasing, reinforcing the need for further development and adaptation of reliability standards and guidelines.

Husch Blackwell will continue to monitor regulatory issues related to energy security and compliance.

[1] The U.S. power grid is technically several interconnected grids that span the U.S. and Canada, except that the grid occupying most of Texas is not fully interconnected with the other U.S./Canada power grids.