Feds: Grid Security Needs a Boost

Monday, March 5, 2012 @ 10:03 AM gHale


It is time to get smart about the smart grid.

That means the feds and the private sector need to work together to build security into smart grid devices.

RELATED STORIES
Execs Unaware of Security Risks
Security to Industry: Time to Wake Up
Study: Integrated Need for Security
Cyber Threat Forecast for 2012
DHS Unveils Cyber Strategy Plan

That was just one of the messages on how the federal government can improve cyber security of the electric grid, investigators told a House panel Tuesday. Part of what the federal government can do is coordinate oversight of industry compliance with voluntary security standards, implement an effective information-sharing system with the electric industry, and encouraging companies to build security into smart grid devices.

The Government Accountability Office (GAO) also presented previous recommendations the Federal Energy Regulatory Commission (FERC) should improve its coordination with other government regulators in the monitoring of cyber security compliance by electric companies. Without sharing and coordinating their observations, federal agencies have no way of knowing if voluntary standards are effective, experts warned in their testimony.

FERC, the primary oversight agency for the electric industry, also lacks an effective information-sharing mechanism to communicate with companies, said Gregory Wilshusen, GAO director of information security, and David Trimble, GAO director of natural resources and environment, before a House Energy and Commerce subcommittee.

The electric industry has an information-sharing center, but it has not used it to address the sharing of cyber security information. Electric utilities cannot protect themselves from cyber attacks if they do not safely and securely share relevant information, the GAO directors said.

There was blame to go around as companies have not produced devices that have a high level of security built into them to support the electric smart grid, the GAO said.

“According to a panel of experts convened by GAO, smart meters had not been designed with a strong security architecture and lacked important security features. Without securely designed systems, utilities would be at risk of attacks occurring undetected,” Wilshusen and Trimble said.

In addition, the electric industry doesn’t have metrics to evaluate the effectiveness of their cyber security measures, therefore it’s hard for anyone to estimate how investments in cyber security have protected the smart grid, investigators said.

Information technology systems that improve reliability and efficiency of electrical systems also bring with them opportunities for cyber attacks, the GAO said. While smart meters may promise fewer power outages and lower rates for electricity, they may present hackers with more vulnerabilities to attack and exploit, thereby destroying critical electrical infrastructure.

Federal agencies have been slow to coordinate with each other and with industry on electric cyber security despite concern from the director of national intelligence, expressed in February 2011, that the presence of malicious software had tripled since 2009, dramatically boosting attacks on U.S. information systems.



Leave a Reply

You must be logged in to post a comment.