No cyber or physical attacks against the power grid were successful last year, but that doesn't mean the country's electric supply is safe, according to the nation's electric reliability watchdog.
"While there were no reportable cyber security incidents during 2016 and therefore none that caused a loss of load [or power], this does not necessarily suggest that the risk of a cyber security incident is low," said the North American Electric Reliability Corporation in its 2017 State of Reliability report released Thursday.
"In fact, the number of cyber security vulnerabilities continues to increase as does the number of threat groups," the report's executive summary stated.
NERC was officially chartered by Congress in the 2005 energy law to devise mandatory electric reliability standards that the industry can be fined up to $1 million per day for violating. The group was set up as a link between the federal government and the industry in response to the 2003 East Coast blackout. The Federal Energy Regulatory Commission, the nation's lead grid and energy regulatory, oversees its work. It also develops standards to prevent cyber and physical attacks against the nation's wholesale electric grid in coordination with FERC.
The report showed that there were "a few nonmandatory reports of cyber incidents in 2016, such as phishing and malicious software, found on enterprise (noncontrol) computers," which aren't used in power plant operations. "While none of these incidents resulted in load loss, they are a reminder that cyber security risks are ever present."
NERC is recommending a new level of vigilance from the industry in response to growing numbers of malicious groups looking to target the nation's grid network.
While it said the risks of attack are increasing, less activity was directed at the federally overseen interstate electric grid last year. But that isn't exactly good news because it appears the state-run grid that manages the electric distribution grid in towns, cities and neighborhoods is being targeted more.
"Both mandatory and voluntary reporting [by industry] indicate that distribution-level events are more frequent than those affecting [Bulk Electric System] equipment," the report stated.
NERC said it is working with the Department of Energy to develop a system that allows them to scan for hackers targeting both power plant and electricity control systems, in addition to data flowing from corporate and business systems.
"NERC, in collaboration with the Department of Energy and its national laboratories, is exploring ways control system traffic could be directly captured in a passive and nondisruptive manner in addition to the large data sets of information flowing from the corporate or business systems," the report stated. "These initiatives will assist in developing a better picture of the [bulk power systems'] security state."