

Audit criticizes FERC for lapses in electric grid cybersecurity standards

22 February 2011

The Federal Energy Regulatory Commission (FERC) approved flawed cybersecurity standards for the US national power grid and failed to adequately monitor their implementation, according to an audit by the Department of Energy’s Office of the Inspector General (OIG).

The OIG audit found that cybersecurity standards approved by FERC did not include a number of cybersecurity controls recommended for government and industry systems. “For instance, the standards did not include essential security requirements and effective practices such as defining what constituted critical assets and implementation of strong logical access controls.”

Under the Federal Power Act, FERC is responsible for approving cybersecurity standards proposed by the North American Electricity Reliability Corporation (NERC), a nonprofit industry body, as well as monitoring the implementation of the standards through NERC’s regional entities.

The audit warned that FERC’s implementation schedule was not timely and “ultimately limited the standards’ usefulness in facilitating responses to emerging threats.” The OIG faulted FERC for an implementation schedule that focused on preparing documentation rather than reducing risks to information systems. “For example, implementation of technical controls related to system access, patch management, and malware prevention were delayed, while documentation requirements such as reporting cybersecurity incidents and creating a recovery plan were given priority.”

The OIG concluded: “Without improvements, the Commission may not be able to provide adequate oversight to ensure that cybersecurity vulnerabilities within the power grid are identified and mitigated.”

In response to the audit, FERC said that the OIG’s criticism of its approval of deficient cybersecurity standards failed to recognize the commission’s limited authority in developing standards, which is the responsibility of NERC. In addition, FERC said that the OIG’s criticism of slow implementation of the standards did not take into account the “complexities inherent in imposing, for the first time, mandatory cybersecurity standards on the diverse entities that make up the users, owners, and operators of the bulk electric system.”

FERC called on Congress to grant it additional authority so that it could “quickly, comprehensively, and effectively respond to cybersecurity threats.”




Jack Warner says:

23 March 2011
Recent Congressional testimony, the Stuxnet virus attack, and the little-publicized RSA hack are current reminders of the vulnerability of the U.S. electric power grid to digital attack and malicious shutdown. With this as background, ValidTech is pleased to have completed its contract to install its VSSA user authentication product for the Israel Electric Corporation, the sole electric service provider for the State of Israel. The government-owned IEC, which has considerable successful experience with operational security issues, selected VSSA after a worldwide search and investigation of user authentication alternatives.

From a U.S. perspective, it is instructive and somewhat disquieting to recognize the difference between the U.S. and Israeli approaches: nominally responsible U.S. public and industry officials talk; the Israelis act.
