America's power grid too vulnerable to cyberattack, US report finds
The utility industry and US regulators need to boost computer-security standards to fend off a cyberattack on the power grid, says a tough new report from the Energy Department.
"Much of the problem stems from ... lack of definition," says Michael Assante, former chief security officer for NERC. "The concepts of what need to be protected have not been firmly established."
Critical assets could include, for instance, control centers, transmission substations, and power generators. But on a compliance self-survey, only 29 percent of power generators and less than 63 percent of transmission owners identified one or more critical assets, NERC reported in April 2009.
The IG's office also found that NERC and eight other regional electricity reliability organizations appear to have ignored federal demands to toughen the original CIP standards. One FERC official noted that 95 percent of the changes the commission requested of NERC had not been addressed, the IG said.
The result is that federal regulators have made little progress toward accurately assessing what needs protecting on the grid. The IG's office recommends these fixes: that Congress give FERC greater authority to ensure grid cybersecurity; that tougher cybersecurity standards be adopted; that FERC intensify its oversight of NERC and other grid-reliability entities; that FERC adopt measurements to assess the performance of NERC and the other regional overseers.
"We found that these problems existed, in part, because [FERC] had only limited authority to ensure adequate cyber security over the bulk electric system," the IG report states.
In a response to the IG's report, FERC chairman Jon Wellinghoff agreed with most of its recommendations.
Mr. Assante, now president of the National Board of Information Security Examiners, a standards-setting body for cybersecurity experts, characterizes the CIP standards as only "a minimum set of sound security practices that reinforces the need for utilities to protect themselves and each other."
Given the advent of cyberweapons that can destroy computer-controlled critical infrastructure, such as the Stuxnet worm that was aimed at Iran's nuclear facilities, the IG's report correctly identifies the issues that need to be addressed to improve grid security, say grid cybersecurity experts.
"The standards have not been implemented with a strong sense of risk in mind," Assante says. "The complexity of enacting a new regulatory regime has taken our collective eye off security and turned it toward administrative issues and compliance."