GAO Report: Grid Security Remains Jumbled

Wednesday, January 19, 2011 @ 05:01 PM gHale


Smart grid: Just those two words conjure up thoughts of a new, different and better power grid helping solve energy issues for the years and decades to come.

A series of issues remain, however, as the question of who will supervise cyber security for the smart grid remains a mystery.

That is essentially one of the thoughts behind a new smart grid cyber security report issued by the U.S. Government Accountability Office (GAO) last week.

The report, “Electricity grid modernization: Progress being made on cyber security guidelines, but key challenges remain to be addressed,” looks at challenges to adequate cyber security.

In addition to jurisdictional issues, the other issues are the lack of information consumers have about the smart grid’s cost, benefits and risks; a utility focus on compliance rather than on comprehensive security; the lack of security features built into smart grid gear; the lack of industry-wide information-sharing mechanisms; and the lack of metrics for assessing cyber security.

The National Institute of Standards and Technology (NIST) in August issued a first version of its smart grid cyber security guidelines, the GAO report said. The agency “largely addressed” important issues but failed to address the risk of attacks that use both cyber and physical means. It also failed to address issues of synchrophasor security and of cryptography. Until it does so, “there is an increased risk that smart grid implementations will not be as secure as otherwise possible,” the report said.

The Federal Energy Regulatory Commission (FERC) last year began considering adopting an initial set of smart grid interoperability and cyber security standards, but it has not developed a way to monitor whether the industry is following those standards, the report said. Nor has it determined whether to do so and, if so, how. That means the standards will remain voluntary unless other regulators can enforce them.

When it comes to cyber security, co-ops and municipal utilities in the U.S. do not face regulation by state or federal agencies, so their own boards may be responsible for overseeing the voluntary standards, the report said. FERC has not worked with the state regulators on how to monitor whether anyone is following the voluntary standards. Nor has FERC coordinated with groups representing co-ops and municipals. Unless it does so, “it will be difficult to know whether a voluntary approach to standards-setting is effective,” the report said.


