America's power grid too vulnerable to cyberattack, US report finds
The utility industry and US regulators need to boost computer-security standards to fend off a cyberattack on the power grid, says a tough new report from the Energy Department.
America's power grid remains vulnerable to cyberattack, a result of sluggish implementation of weak computer security standards and insufficient federal oversight, says a tough new report from the US Department of Energy Inspector General.
The North American Electric Reliability Corp. (NERC), the lead grid-reliability organization for the power industry, has had approved standards in place since January 2008. Power companies were to have fully implemented those "critical infrastructure protection" (CIP) cyberstandards a year ago, but the inspector general's audit found that the standards, both as written and as implemented, are still not effectively protecting the grid.
"Our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems," including tough password and log-in protections, the report said. The plodding implementation is "not adequate to ensure that systems-related risks to the Nation's power grid were mitigated or addressed in a timely manner."
Among its other findings are the following:
• The new CIP standards set weaker requirements for password and log-in protections than are typical for other types of critical infrastructure.
• The Federal Energy Regulatory Commission (FERC), which approved the security standards that NERC developed, is partly to blame. The commission ultimately "did not have authority to implement its own reliability standards or mandatory alerts in response to emerging threats or vulnerabilities," the report said. In instances where FERC did have authority to strengthen CIP standards, "the commission had not always acted to ensure that cyber security standards were adequate."
• The standards don't "clearly define what constituted a critical asset or critical cyber asset," the report found. Instead, utilities "were permitted to use their discretion when identifying critical assets and critical cyber assets...." As a result, "if an entity determined that no critical assets or critical cyber assets existed, it was exempt from the remaining original CIP standards," the report said.
How to define "critical infrastructure" is a big part of the problem. "Lack of stringent requirements for defining critical assets contributed to a significant underreporting of these assets," the IG found. Both the federal commission and NERC officials said power companies had probably undercounted their critical assets and the associated critical cyber assets.