In its report Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed, the GAO said that both the National Institute of Standards and Technology (NIST) and the Federal Energy Regulatory Commission (FERC) have failed to fully develop and adopt smart grid cybersecurity guidelines and standards.
In the first version of its smart grid cybersecurity guidelines, NIST failed to consider the threat to the smart grid system posed by a combined cyber and physical attack. NIST has said it will update the guidelines to address this issue and other missing elements.
“Until the missing elements are addressed, there is an increased risk that smart grid implementation will not be secure”, the GAO said.
Also, the government watchdog said that FERC has not developed a coordinated approach to monitor whether industry is following smart grid cybersecurity standards. GAO noted that while the Energy Independence and Security Act of 2007 gives FERC authority to adopt smart grid cybersecurity standards, it does not give the agency specific enforcement authority.
“This means that standards will remain voluntary unless regulators are able to use other authorities – such as the ability to oversee the rates electricity providers charge customers – to enforce them”, the GAO said.
GAO also said that FERC has failed to develop a plan to coordinate the authorities of the federal, state, and local governments over regulation of smart grid cybersecurity. The result is “regulatory fragmentation”, the watchdog said.
In its report, the GAO identified six key challenges to securing the nation’s smart grid system: aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cybersecurity; utilities are focusing on regulatory compliance instead of comprehensive security; the electricity industry does not have an effective mechanism for sharing information on cybersecurity; consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems; there is a lack of security features being built into certain grid systems; and the electricity industry does not have metrics for evaluating cybersecurity.
The GAO recommended that NIST finalize its plan and schedule for updating its cybersecurity guidelines to incorporate missing elements. It also suggested that FERC develop a coordinated approach to monitor standards and address any gaps in industry compliance.