Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Haste makes waste: Energy Department's smart grid review leaves cybersecurity in the lurch

The DOE's rush to distribute Recovery Act funds may have led to some cybersecurity gaps
The DOE's rush to distribute Recovery Act funds may have led to some cybersecurity gaps

In the American Recovery and Reinvestment Act of 2009, DOE received $3.5 billion to fund smart grid projects, which the department awarded to 99 recipients.

As part of the grant process, DOE required recipients to submit cybersecurity plans describing controls they intended to implement as part of their smart grid. An internal DOE review found 36 of the 99 plans fell short in one or more areas, but the grants were awarded anyway, according to the IG report.

The IG reviewed a sample of five cybersecurity plans submitted by grant recipients and found that three of them were incomplete.

“In our review of security plans, we noted that the plans did not always include sufficient information related to risk assessments and/or other important elements, and, that they did not fully address many of the weaknesses initially identified by the Department”, the IG report said.

The IG attributed the shortcoming in the cybersecurity plan review to the DOE’s accelerated planning, development, and deployment approach for the Smart Grid Investment Grant (SGIG) program.

“Officials approved cyber security plans for Smart Grid projects even though some of the plans contained shortcomings that could result in poorly implemented controls. We also found that the Department was so focused on quickly disbursing Recovery Act funds that it had not ensured personnel received adequate grants management training”, the IG report found.

Responding for the department, Patricia A. Hoffman, head of the Office of Electricity Delivery and Energy Reliability, said that DOE has a thorough process for reviewing cybersecurity plans. She noted that there are no federal or state standards or regulations that define cybersecurity process or practices for electric distribution systems.

“The intent of the OE’s requirement for recipients to develop CSPs [cybersecurity plans] is to document cyber security methodologies and approaches in sufficient detail to understand the overall approach but retain flexibility to meet the unique aspects of each project”, she said.