Haste makes waste: Energy Department's smart grid review leaves cybersecurity in the lurch

26 January 2012

The US Department of Energy’s (DOE) accelerated approach for approving funding of smart grid projects led to inadequate review of cybersecurity plans, warned the DOE’s Inspector General (IG).

In the American Recovery and Reinvestment Act of 2009, DOE received $3.5 billion to fund smart grid projects, which the department awarded to 99 recipients.

As part of the grant process, DOE required recipients to submit cybersecurity plans describing controls they intended to implement as part of their smart grid. An internal DOE review found 36 of the 99 plans fell short in one or more areas, but the grants were awarded anyway, according to the IG report.

The IG reviewed a sample of five cybersecurity plans submitted by grant recipients and found that three of them were incomplete.

“In our review of security plans, we noted that the plans did not always include sufficient information related to risk assessments and/or other important elements, and, that they did not fully address many of the weaknesses initially identified by the Department”, the IG report said.

The IG attributed the shortcomings in the cybersecurity plan review to the DOE’s accelerated approach to planning, development, and deployment for the Smart Grid Investment Grant (SGIG) program.

“Officials approved cyber security plans for Smart Grid projects even though some of the plans contained shortcomings that could result in poorly implemented controls. We also found that the Department was so focused on quickly disbursing Recovery Act funds that it had not ensured personnel received adequate grants management training”, the IG report found.

Responding for the department, Patricia A. Hoffman, head of the Office of Electricity Delivery and Energy Reliability, said that DOE has a thorough process for reviewing cybersecurity plans. She noted that there are no federal or state standards or regulations that define cybersecurity processes or practices for electric distribution systems.

“The intent of the OE’s requirement for recipients to develop CSPs [cybersecurity plans] is to document cyber security methodologies and approaches in sufficient detail to understand the overall approach but retain flexibility to meet the unique aspects of each project”, she said.
