The National Institute of Standards and Technology (NIST) has developed smart grid cybersecurity guidelines as tasked by Congress, but major gaps still need to be addressed; furthermore, the Federal Energy Regulatory Commission (FERC) has failed to develop a coordinated approach for monitoring if and how the standards are being followed by industry, a new report from the Government Accountability Office (GAO) says.

The GAO’s report, “Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed,” was commissioned by Rep. Bennie Thompson (D-Miss.) and Yvette Clarke (D-N.Y.). The lawmakers had asked the GAO to assess the extent to which NIST had developed smart grid standards and evaluate FERC’s approach for adopting and monitoring smart grid cybersecurity. The GAO was also asked to ascertain which challenges the industry faced concerning smart grid cybersecurity.

In August 2010, NIST issued the first version of its smart grid cybersecurity guidelines, which set out security guidelines for entities such as power companies involved in implementing smart grid systems, the GAO said. In doing so, the organization addressed key cybersecurity elements such as an assessment of the cybersecurity risks associated with smart grid systems and the identification of security requirements (i.e., controls) essential to securing such systems. However, NIST did not address, mostly because of time constraints, how entities would address the risk of attacks that use both cyber and physical means—“an important element essential to securing smart grid systems,” the GAO said.

The federal watchdog also applauded FERC’s initiative, begun in 2010, to consider an initial set of smart grid interoperability and cybersecurity standards for adoption, but it said the regulatory agency had not developed a coordinated approach to monitoring the extent to which industry follows the standards. One issue was that “while the [Energy Independence and Security Act of 2007 (EISA)] gives FERC authority to adopt smart grid standards, it does not provide FERC with specific enforcement authority,” the GAO said. This means that standards will remain voluntary unless regulators are able to use other authorities—such as the ability to oversee the rates electricity providers charge customers—to enforce them.

“The voluntary standards and guidelines developed through the NIST and FERC processes offer promise,” the GAO said. “However, a voluntary approach poses some risks when applied to smart grid investments, particularly given the fragmented nature of regulatory authority over the electricity industry.”

The GAO said that generally, regulatory fragmentation complicated oversight of smart grid interoperability and cybersecurity. “Oversight responsibility is divided among various regulators at the federal, state, and local level, and FERC’s authority is limited to certain parts of the grid, generally the transmission system,” it said. “As a result, state regulatory bodies and other regulators with authority over the distribution system will play a key role in overseeing the extent to which interoperability and cybersecurity standards are followed since many smart grid upgrades will be installed on the distribution system. Such regulatory fragmentation can make it difficult for individual regulators to develop an industry-wide understanding of whether utilities and manufacturers are following voluntary standards.”

It concluded, however, that “FERC has not developed an approach coordinated with other regulators to monitor whether industry is following the voluntary smart grid standards it adopts,” adding that “FERC officials said they have not yet determined whether or how to do so.”

During discussions with experts, several challenges to securing smart grid systems were prominent, but six were key, the GAO found. These included:

  • Aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cybersecurity.
  • Utilities are focusing on regulatory compliance instead of comprehensive security.
  • The electric industry does not have an effective mechanism for sharing information on cybersecurity.
  • Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems.
  • There is a lack of security features being built into certain smart grid systems.
  • The electricity industry does not have metrics for evaluating cybersecurity.

The report comes just months after the “Stuxnet” worm reportedly infected computers at Iran’s Bushehr nuclear reactor, forcing it to shut down. Stuxnet is a sophisticated piece of malware that attacks Siemens’ supervisory control and data acquisition (SCADA) systems used at power plants, factories, and military installations. The New York Times reported this week, citing unnamed military sources, that Israel, with U.S. cooperation, had conducted tests of the destructive worm over two years in a complex in the Negev desert.

Sources: GAO, New York Times, POWERnews