Protecting the bulk electric system (or “power grid”) from both physical and cyberattacks is known as “grid security.”
Risks and Threats
In 2023, the U.S. Department of Energy (DOE) reported at least 175 instances of physical attacks or threats against critical grid infrastructure, including incidents of theft and vandalism. In 2024, Check Point Research documented 1,162 cyberattacks on utilities, a 70 percent increase compared with the same period in the prior year.
While few of these attacks have had an impact on the grid, the North American Electric Reliability Corporation (NERC) reported that points of susceptibility continue to increase as the grid expands and incorporates new technologies—with the number of susceptible points increasing by approximately 60 per day. With these ever-increasing vulnerabilities, coupled with the outdated software that many utilities use, a coordinated attack could be devastating to the power grid and the essential services it supports.

Regulating Authority
The Energy Policy Act of 2005 authorized the Federal Energy Regulatory Commission (FERC) to oversee the reliability of the power grid. FERC certified NERC as the nation’s electric reliability organization to develop and enforce reliability standards, subject to FERC approval. These standards are referred to as the Critical Infrastructure Protection standards.
Preparedness
The Electricity Subsector Coordinating Council (ESCC) is the liaison between the electric power industry and the federal government, and it is responsible for preparing for and responding to threats and disasters. Among other things, the ESCC manages a Cyber Mutual Assistance program to help utilities restore critical computer systems following significant cyber incidents.
The electric power industry employs a strategy called “defense-in-depth,” which focuses on preparation, prevention, response, and recovery for “all hazard” threats to electric grid operations. Aspects include emergency exercises, such as NERC’s biannual GridEx program. Utilities also share transformers and other equipment through programs like SPAREConnect, Spare Transformer Equipment Program, and Grid Assurance.
Recent Legislation
The 2021 Infrastructure Investment and Jobs Act, now known as the Bipartisan Infrastructure Law (BIL), provided $27.0 billion to the DOE to modernize the electrical grid and make it more resilient to extreme weather and resistant to cyberattacks. Under the BIL, the DOE created the Grid Deployment Office and established several grant programs, including the Rural And Municipal Utility Advances Cybersecurity Grant and Technical Assistance Program. The BIL also required states to submit revised state energy security plans by September 30, 2023.
In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law. CIRCIA requires covered critical infrastructure entities to report cyber incidents within 72 hours and ransomware payments within 24 hours to the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency.
In Kansas statute, KSA 66-1234 through 66-1236 is known as the Kansas Energy Security Act. The Act became law in 2003 and deals only with recovery of security expenditures after the 9/11 terrorist attacks.
For more information, contact:
Nicole Fielder
Research Analyst
Kate Smeltzer
Research Analyst
Kansas Legislative Research Department
Kansas State Capitol Building
300 W. 10th, Suite 68-West
Topeka KS 66612-1504
kslegres@klrd.ks.gov
(785) 296-3181
