The vulnerability of the U.S. energy system to cyberattacks has taken on new urgency due to the ongoing war in Ukraine, where recent attacks have targeted the country’s energy infrastructure. The vulnerability of these critical systems to physical and cyberattacks highlights the need for coordinated government action to protect them.
This spring, President Joe Biden underscored the seriousness of the Russian threat in letters to state governors, urging them to exercise their authority to “prepare your critical infrastructure to withstand a cyberattack.”
State legislatures considered at least 46 measures in 2021 related to the cybersecurity of energy systems.
Attacks targeting critical U.S. energy infrastructure have been a constant concern for businesses and lawmakers in recent years. In one of the most well-known attacks, Colonial Pipeline’s IT network was infected with ransomware in 2021, forcing it to shut down its gasoline, diesel and jet fuel pipeline operations—totaling 3 million barrels of fuel per day—for nearly a week. After the incident, media reports cited long lines at gas stations and fears of panic buying.
Recent events have prompted federal and state governments to focus on improving the cybersecurity of energy infrastructure. In August, the Department of Energy announced a $45 million investment in research, development and demonstration projects to create next-generation tools and technologies to address emerging threats and reduce disruptions to energy systems from cyberattacks and $250 million in grants and technical assistance to rural and municipal utilities to protect against cyberthreats.
State Actions
In addition to the federal government’s response, state legislatures considered at least 46 measures in 2021 related to the cybersecurity of energy systems.
In recent years, at least 30 states have increased state agency capacity to prevent and respond to cyber-threats. Utah and Colorado have enacted legislation to ensure state agencies have the capacity to protect critical infrastructure. And this year, Utah created a new Cybersecurity Commission to identify cyberthreats and vulnerabilities to energy and other critical infrastructure. Also this year, the New York Power Authority signed a deal to work directly with the private sector to bolster its cybersecurity. In announcing the deal, the public power utility cited the rise in sophisticated cyberattacks as the motivation for municipal utilities to strengthen security systems.
Other states have passed recent measures to protect their infrastructure. Texas, for example, enacted legislation in 2019 to provide cybersecurity monitoring for electric utilities. Tennessee this year enacted legislation requiring utilities, including co-ops and municipal utilities, to prepare and implement cybersecurity plans to protect their facilities and electronic data.
The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, also known as CESER, has determined that energy infrastructure constitutes a key target for cyberattacks and that the frequency and sophistication of threats are increasing. Accenture surveyed private sector executives, including 210 in the energy industry, and found that attacks per company were up 31% between 2020 and 2021. State legislatures are responding to these threats by building capacity and requiring utilities to prepare critical infrastructure for potential cyberattacks.