The GAO issued a report that found critical shortfalls in the proposed guidelines for modernizing the smart grid; the proposed guidelines, released by NIST and the FERC, contained several shortcomings that would leave the nation’s security grid vulnerable to cyber attack; “missing pieces” in the guideline include a lack of metrics to evaluate cyber security, no enforcement mechanisms, and no coordination of disjointed oversight bodies; NIST and FERC agreed with the findings and is moving to address them in their next set of guidelines
The Government Accountability Office (GAO) issued a report earlier this month that found critical shortfalls in the proposed plans for modernizing the United States’ electricity grid.
The electricity industry is updating its infrastructure by incorporating advanced information technology components to increase efficiency and reliability in what it calls the smart grid.
Government officials are concerned that incorporating these components may open up the electrical grid to attack by malicious hackers.
The GAO report focuses on the guidelines that the National Institutes for Standards and Technology (NIST) and the Federal Energy Regulatory Commission (FERC) developed for cyber security in August 2010. In particular, the report is concerned that the FERC lacks enforcement authority to ensure that the standards it develops are being implemented properly. As a result, compliance to the standards is voluntary.
Additionally, oversight of cyber security is complicated by the fragmentation of regulatory bodies, with federal, state, and local entities each having their own jurisdictions. The FERC has not developed a coordination mechanism to work with these various agencies to monitor if the industry is adopting the voluntary guidelines.
The report found six critical challenges to securing smart grid systems including:
- “the electricity industry does not have metrics for evaluating cyber security
- “there is a lack of security features being built into certain smart grid systems”
- “utilities are focusing on regulatory compliance instead of comprehensive security”
- “the electric industry does not have an effective mechanism for sharing information on cyber security”
To ensure security, the report calls on the NIST to fully address gaps in its cyber security guidelines and fill in key “missing elements” while the FERC should “develop a coordinate approach to monitor voluntary standards and address any gaps in compliance.”
Both organizations agreed with these findings and will seek to address these issues in their next set of guidelines.