- State adversaries such as Russia, China, and Iran possess the resources and potential political will to launch sophisticated attacks designed to cripple the American economy and impede military deployment.
- While the Department of Energy has established a five-year plan to bolster grid defenses, experts express concern that budget cuts and staffing reductions may prevent the agency from effectively managing the expanding threat landscape.
The United States energy grid is in an extremely vulnerable position. Aging and underfunded, the grid is already being stressed to its limits by skyrocketing energy demand on the part of data centers as well as increasingly complicated energy flows introduced by solar and wind power. Building and maintaining a resilient energy grid will require a huge investment into expanding, reinforcing, and updating the grid – but in the meantime, all that expansion leaves the United States extremely vulnerable to cyberattack, according to security experts.
Any of the U.S. energy system’s three primary pillars – power generation, transmission, and distribution – could all be a target. “You have a growing surface of attack on which our adversaries can target us,” Alexander Fitzsimmons, the Acting Undersecretary of Energy, said in a recent exclusive with nonpartisan news outlet Semafor. “The threat landscape is certainly escalating and intensifying.”
The federal government is aware of the risks, and has been proactive about protecting the United States power grid from hackers. So far, they’ve managed to avoid a major breach – but Fitzsimmons says it is entirely possible that hackers have already infiltrated IT networks upholding critical infrastructure including military installations, and are simply waiting for the right moment to wreak havoc. Many military installations are located in remote places with small grids, making them particularly vulnerable to attack. In some of these places, says Fitzsimmons, “you have one person working on IT, and they’re expected to secure their network against foreign adversaries.”
Experts have been warning of this growing risk for years. In 2017, the Council on Foreign Relations released a memorandum detailing the possible forms and growing likelihood of a crippling hack to the United States power grid, saying that it has “long been considered a logical target for a major cyberattack.” The impact of such an attack would cripple the economy, which is entirely reliant on the grid for all sixteen of its major sectors.
The report says that such an attack would be no easy feat, requiring “months of planning, significant resources, and a team with a broad range of expertise.” But while that means it would be unlikely for a terrorist and criminal organization to mount such an offensive, there is still considerable threat from state adversaries, who have the resources to carry out such an endeavor, and many of which have the political will to do so.
That 2017 report identified Iran as one of these potential political adversaries, a threat which is now much more prescient against the backdrop of the war being waged there by the United States and Israel. Russia has also been considered to be a primary threat in cyber warfare in the West, including the United States, spurred by the West’s condemnation of Putin’s war in Ukraine.
China, too, could be a major cyberattack risk. In 2024, the Annual Threat Assessment of the U.S. Intelligence Community found that “If Beijing believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure and military assets.” The unclassified report went on to say that “such a strike would be designed to deter U.S. military action by impeding U.S. decisionmaking, inducing societal panic, and interfering with the deployment of U.S. forces.”
In response to the growing threat against the country’s energy infrastructure, this year the Department of Energy released a first-ever 5-year plan to build up the national grid’s defense against cyberattack. The three main priorities of the strategy are developing advanced grid-focused cybersecurity tech, girding existing infrastructure against cyber threats, and improving response times to threats and breaches.
However, critics question whether the DOE has the funding to carry out its plans, as the budget for the Office of Cybersecurity, Energy Security and Emergency Response (CESER) has shrunk under the Trump administration. “The plan assumes a partner agency operating at a capacity it no longer has,” Collin Hogue-Spears, senior director of solution management at Black Duck, was recently quoted. “Add the plan’s scope expansion across cybersecurity, physical security, counter-UAS and facility hardening, and CESER is asking 66 people to coordinate across more mission areas than 96 people managed before.”
By Haley Zaremba for Oilprice.com
