The OIG audit found that cybersecurity standards approved by FERC did not include a number of cybersecurity controls recommended for government and industry systems. “For instance, the standards did not include essential security requirements and effective practices such as defining what constituted critical assets and implementation of strong logical access controls.”
Under the Federal Power Act, FERC is responsible for approving cybersecurity standards proposed by the North American Electricity Reliability Corporation (NERC), a nonprofit industry body, as well as monitoring the implementation of the standards through NERC’s regional entities.
The audit warned that FERC’s implementation schedule was not timely and “ultimately limited the standards’ usefulness in facilitating responses to emerging threats.” The OIG faulted FERC for an implementation schedule that focused on preparing documentation rather than reducing risks to information systems. “For example, implementation of technical controls related to system access, patch management, and malware prevention were delayed, while documentation requirements such as reporting cybersecurity incidents and creating a recovery plan were given priority.”
The OIG concluded: “Without improvements, the Commission may not be able to provide adequate oversight to ensure that cybersecurity vulnerabilities within the power grid are identified and mitigated.”
In response to the audit, FERC said that the OIG’s criticism of its approval of deficient cybersecurity standards failed to recognize the commission’s limited authority in developing standards, which is the responsibility of NERC. In addition, FERC said that the OIG’s criticism of slow implementation of the standards did not take into account the “complexities inherent in imposing, for the first time, mandatory cybersecurity standards on the diverse entities that make up the users, owners, and operators of the bulk electric system.”
FERC called on Congress to grant it additional authority so that it could “quickly, comprehensively, and effectively respond to cybersecurity threats.”
Comments
Jack Warner says:
23 March 2011
Recent Congressional testimony, the Stuxnet virus attack, and the little-publicized RSA hack are current reminders of the vulnerability of the U.S. electric power grid to digital attack and malicious shutdown. With this as background, ValidTech is pleased to have completed its contract to install its VSSA user authentication product for the Israel Electric Corporation, the sole electric service provider for the State of Israel. The government-owned IEC, which has considerable successful experience with operational security issues, selected VSSA after a worldwide search and investigation of user authentication alternatives.
From a U.S. perspective, it is instructive and somewhat disquieting to recognize the difference between the U.S. and Israeli approaches: nominally responsible U.S. public and industry officials talk; the Israelis act.