Technologies and Key Policy Trends

Technology And Threats Overview

Cyberthreats have emerged as a major concern and have been growing rapidly over the past decade. Between 2010 and 2016, the number of incidents reported to the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team increased sixfold.1 In 2016, the energy sector was the third most targeted industry, accounting for 20% of reported incidents.2 The consequences of a cyberattack on the electricity system could be serious: disrupting power or fuel supplies, damaging specialized equipment and jeopardizing public welfare. Traditional generation and transmission that use internet-connected supervisory control and data acquisition systems (SCADAs) can be vulnerable to attack. Clean energy technology can also be vulnerable, given that many of those technologies are also internet connected or supported by internet- connected devices.3,4

Cyberattacks on U.S. energy infrastructure have had limited consequences so far because they have mainly targeted personal information rather than operating units,5,6,7 but there have been significant cyberattacks globally. The most notable cyberattacks occurred
in Ukraine in 2015 and 2016. In 2015, cyberattackers manipulated circuit breakers across multiple distribution operators to cause a 3.5-hour power outage for 225,000 people. In 2016, malicious hackers created and deployed modular malware specifically targeting industrial control systems and were able to take 200 megawatts (MW) offline.

The United States has thus far avoided cyberattacks of consequence, but major incidents of concern have occurred. In 2017, several nuclear power generation sites experienced cyberintrusions.8 These intrusions did not extend beyond the business systems, did not affect power delivery or cause safety concerns, but targeting of U.S. nuclear power plants is cause for concern. In March 2019, a cyberattack in the Western Interconnection temporarily eliminated visibility into SCADAs. The affected utilities were able to maintain adequate electricity supply, but the attack did interrupt internal operations9 and represented the first successful attack on U.S. grid operations.

New threats continue to emerge. According to statements made by the Director of National Intelligence during the Worldwide Threat Assessment to Congress in 2019, malicious actors and nation-states have the ability to disrupt U.S. electric and gas distribution systems “with the goal of being able to cause substantial damage.”10

In addition, physical threats caused by nature have always been a concern for governors and the energy sector alike. Potential earthquakes along major fault lines like the San Andreas in California, Cascadia in the Pacific Northwest and New Madrid in the Midwest, have posed longstanding dangers, alongside hurricanes, heavy snow and other storms, wildfires and floods. These threats are in addition to longstanding grid incidents involving animals and drivers, vandalism and physical attacks on grid infrastructure by bad actors.

In the past decade, natural threats have grown more intense. The overall number of hurricanes has remained the same, but the storms have increased in intensity and caused record-breaking levels of damage.11 Rising sea surface temperatures cause increased wind speeds during storms, and rising sea levels amplify storm surges. The 2017 hurricane season resulted in a historic $282 billion in damages.12 Similarly, wildfires have increased in frequency and duration. In fact, 61% of all fires ever recorded in the West have occurred since 2000, and the number of fires that burn more than 100,000 acres has climbed steadily in the past 20 years.13 The frequency of flooding is also expected to increase. A Federal Emergency Management Agency report on the National Flood Insurance Program estimated that U.S. floodplains will grow by 45% by the end of the century.14 At the same time, deaths attributed to flooding have risen. Over the past 30 years, flooding had killed on average 86 people annually. In the past 10 years, this average increased to 95, and there were more than 100 deaths each year in 2015, 2016 and 2017.15

Key Policy Trends

  • Establishment of the U.S. Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER)

  • Growth and development of energy industry information sharing and analysis centers (ISACs)

  • Increased importance of cybersecurity in energy industry subsector coordinating councils

  • Establishment of state resilience officers

  • Updating energy assurance plans with resilience in mind

  • Increased deployment of distributed generation and distributed energy resources to enhance resiliency

Opportunities, Challenges
 and State Solutions


Clean energy and the technologies that accompany it, such as battery storage, present unique opportunities to increase resiliency and address the rising number of cyber and physical attacks. In the event that a storm or cyberattack takes a large-scale power generator offline, distributed generation in the community could be used to provide power to critical customers in the interim or help provide “black start” services (i.e., when a generator starts from a total or partial shutdown). Distributed energy resources can also be used in microgrids to enable communities or critical assets to operate apart from the larger grid during emergencies caused by cyber or physical events.

Smart and digitally connected grid technologies have been critical enablers of clean energy expansion. Everything from smart meters to new sensors to home monitoring systems make it easier to effectively integrate and optimize the use of clean energy. These elements can also be helpful in the event of a storm or cyberattack that disrupts grid operations (see Figure 1). Increased awareness and visibility from sensors and smart meters could facilitate dynamic system reconfiguration to route around comprised assets. Smart building and home energy management systems could be used for demand response to reduce the burden on the energy system during an incident, making recovery easier and faster.


Clean energy technologies present many opportunities to increase resiliency, but they also introduce vulnerabilities. Much clean energy technology is integrated with or enabled by smart technology. Most smart technology used to enable clean energy technology is internet connected. Every new connection to the internet presents a new access point for malicious hackers to infiltrate.

In addition to the internet connectivity issue, smart technology presents supply chain risks. Most smart devices are sourced and manufactured all over the world. It is often difficult to know where each component of a device originated. If the firmware or hardware in the device is compromised during manufacturing, it could make the device more vulnerable when deployed in the field. Threat actors may use this approach to gain access to energy infrastructure around the world.

The variable nature of some clean energy generation can also be a challenge if inverter technology becomes compromised. Inverters are used to convert direct current output of a clean resource into utility frequency alternating current output — a critical step in ensuring that grid frequency does not fluctuate outside the feasible range. When grid frequency deviates from its set range, it can cause grid outages. If an inverter is compromised and the current conversion is altered, those fluctuations in current can lead to outages.

Compromised electric vehicles (EVs) and EV infrastructure can also create grid reliability problems. The introduction or removal of one EV and its charging demands from the electric grid is usually not a concern. However, if a network of EVs or charging infrastructure were to become compromised, that network could be used as a vector to spread malware throughout a system, transferring malware to chargers or buildings every time an EV charges. If a network of charging stations were compromised, the sudden introduction or removal of many charging EVs could cause wide power deviations, prompting a grid outage.

State Solutions

Governors are supporting a variety of policies to counter rising cyber and physical threats. State solutions include the following:

  • Coordinate preparedness and planning efforts

  • Establish cybersecurity governance bodies focused on energy industry issues

  • Protect sensitive information, including classified threat information and critical energy infrastructure information, to encourage private sector information sharing

  • Collaborate with utility regulators to enhance their cybersecurity oversight

  • Participate in cyberexercises

  • Assess resiliency capabilities and gaps

  • Encourage the growth of microgrids and energy storage

State Solutions Spotlights

Governors have supported a range of state actions to counter growing cyber and physical threats.

Coordinate preparedness and planning efforts

All states conduct energy preparedness and planning efforts through their state energy assurance plans, generally created under the leadership of state energy offices. These plans are often coordinated with the electricity sector to ensure smooth operations during emergencies. As the threat of physical and cyberattacks rise, states should begin to incorporate a resilience mindset and cyberdisruption planning into their energy assurance plans. States will want to define roles and responsibilities, establish communication guidelines and coordinate response efforts to ensure that they are prepared for a cyberincident. Consider the following state spotlights:

  • Oregon

  • Montana

  • Oklahoma

Establish cybersecurity governance bodies focused on energy industry issues

Cybersecurity governance bodies take many forms, but their overall mission is to identify cyberthreats facing the state and develop solutions to mitigate those threats. As of 2017, 22 state cybersecurity governance bodies were in existence.5 Some of those bodies established committees specifically to study critical infrastructure or the energy industry. In some cases, governance bodies have been established exclusively to study and develop solutions for cybersecurity in the energy industry. These bodies can be critical to supporting the industry and addressing growing cyberthreats. Consider the following state spotlights:

  • Texas

  • Vermont

Protect sensitive information, including classified threat information and critical energy infrastructure information, to encourage private sector information sharing

The federal government enacted the Cybersecurity Information Sharing Act (CISA) in 2015 to make it easier for private companies to share cyberthreat information with the federal government. CISA also introduced protections to exempt that information from being disclosed in response to a Freedom of Information Act request. Many states have similar laws to protect cyberthreat information and critical energy infrastructure information from being subject to disclosure. The National Governors Association issued a paper detailing how state laws and court rules have been protecting critical energy infrastructure information against public disclosure.10 These protections help encourage private companies to share critical information with states and the federal government. Consider the following state spotlights:

  • Idaho

  • Louisiana

Collaborate with utility regulators to enhance their cybersecurity oversight

PUCs are key to improving energy cybersecurity through their oversight of parts of the electrical utility industry, their ability to authorize cost recovery for investments and their roles during restoration and response activities. States can support grid cybersecurity by directing or encouraging PUCs to examine the adoption and deployment of new technologies or processes by regulated utilities and to direct regulated entities to conduct cybersecurity assessments and audits to better understand their cybersecurity efforts. Consider the following state spotlights:

  • Connecticut

  • New Jersey

Participate in cyber exercises

Exercises simulating cyberattacks can help government and utilities practice coordinated responses, identify gaps or misalignments in plans, strengthen communication channels and address areas for improvement.19 They can be an efficient way to test security and response with limited resources.20 Some utilities conduct internal cyber exercises or partner with other organizations, including academia, technology companies, vendors and other utilities, to identify vulnerabilities and response strategies where results can be reported to state regulators.21 Other exercises test coordination more broadly across industry, federal, state, local and international entities. One well-recognized cross-sector exercise, GridEx, convenes thousands of industry and government participants over multiple days every two years to test the electricity sector’s ability to respond to cyber and physical attacks.22 Consider the following state spotlights:

  • New York

Assess resiliency capabilities and gaps

Governors play a critical role in helping enhance resiliency in the wake of increasing physical threats: to withstand disasters better, respond and recover more quickly and excel under new conditions. Given the interdependency of the energy sector, such efforts, even if specific to electricity delivery only, call for a cross-agency effort to assess current capabilities and gaps. The National Governors Association has created the State Resiliency Assessment and Planning Tool (SRAP Tool) as the first-ever tool for state policy makers that uses a self-assessment rating scale encompassing a series of 41 questions across five categories. The tool is currently being revised based on feedback from states and is due to be released in Spring 2020. Governors can explore the use of that that tool or similar assessments.24

Encourage the growth of microgrids and energy storage

Microgrids and energy storage can increase resiliency during and after a cyberattack or a weather-related incident by giving communities the ability to provide their own power if electrical service is disabled. Many states are pursuing energy storage targets and deploying microgrids to increase overall system resiliency. Various approaches exist for implementing these targets. California established an energy storage target through legislation. Connecticut and Massachusetts are encouraging the growth of microgrids through grant programs. Other states, including Connecticut, Massachusetts, New Jersey and New York, are changing regulatory statues and using public-private partnerships to encourage and finance “public purpose” microgrids. Consider the following state spotlights:

  • California

  • Massachusetts

  • Puerto Rico

Download The Full Toolkit

NGA’s State Energy Toolkit offers ideas to help governors respond to trends as they take action in their states.

  • Overviews of Technologies & Policy Trends

    Understand the landscape and see what’s on the horizon.

  • Opportunities, Challenges & State Solutions

    Meet state goals for advancing clean energy.

Download Toolkit
Clean Energy Report