The Federal Energy Regulatory Commission (FERC) did not coordinate with other regulators to identify strategies for monitoring compliance with voluntary cybersecurity standards in the industry the Government Accountability Office (GAO) identified in 2011, at which time GAO said it recommended “a number of challenges to securing the electricity grid against cyber threats.”
“As a result, FERC does not know the extent to which such standards have been adopted or whether they are effective,” GAO said in a new audit report this week. “Given the increasing use of information and communications technology in the electricity subsector and the evolving nature of cyber threats, continued attention can help mitigate the risk these threats pose to the electricity grid.”
Continuing, GAO reported that, “Given the increasing use of information and communications technology in the electricity subsector and the evolving nature of cyber threats, continued attention can help mitigate the risk these threats pose to the electricity grid.”
Since 2011, GAO reported, “additional efforts have been taken to improve cybersecurity in the sector, such as NERC in 2013 issuing updated standards to address” a variety of “cybersecurity challenges. NIST also updated its smart grid cybersecurity standards in 2014” and “developed a cybersecurity framework for critical infrastructure.”
In addition, the Department of Homeland Security (DHS) and Department of Energy (DOE) have efforts under way to promote its adoption, and FERC assessed whether these and other challenges should be addressed in its ongoing cybersecurity efforts, GAO said.
However, GAO reported, in its 2011 report, GAO recommended the National Institute of Standards and Technology (NIST) improve its cybersecurity standards; FERC assess whether challenges identified by GAO should be addressed in ongoing cybersecurity efforts; and FERC coordinate with other regulators to identify strategies for monitoring compliance with voluntary standards.
“The agencies agreed with the recommendations, “but FERC has not taken steps to monitor compliance with voluntary standards,” GAO informed Congress.
GAO said in 2011 it “identified a number of challenges to securing the electricity grid against cyber threats,” which included:
- Monitoring implementation of cybersecurity standards: GAO found FERC had not developed an approach, coordinated with other regulatory entities, to monitor the extent to which the electricity industry was following voluntary smart grid standards, including cybersecurity standards.
- Clarifying regulatory responsibilities: The nature of smart grid technology can blur traditional lines between the portions of the grid that are subject to federal or state regulation. In addition, regulators may be challenged in responding quickly to evolving cybersecurity threats.
- Taking a comprehensive approach to cybersecurity: Entities in the electricity industry (e.g., utilities) often focused on complying with regulations rather than taking a holistic and effective approach to cybersecurity.
- Ensuring that smart grid systems have built-in security features: Smart grid devices (e.g., meters) did not always have key security features such as the ability to record activity on systems or networks, which is important for detecting and analyzing attacks.
- Effectively sharing cybersecurity information: The electricity industry did not have a forum for effectively sharing information on cybersecurity vulnerabilities, incidents, threats, and best practices.
- Establishing cybersecurity metrics: The electricity industry lacked sufficient metrics for determining the extent to which investments in cybersecurity improved the security of smart grid systems.
