Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
Highlights
The electric industry is increasingly incorporating information technology (IT) systems into its operations as part of nationwide efforts--commonly referred to as smart grid--to improve reliability and efficiency. There is concern that if these efforts are not implemented securely, the electric grid could become more vulnerable to attacks and loss of services. To address this concern, the Energy Independence and Security Act of 2007 (EISA) provided the National Institute of Standards and Technology (NIST) and Federal Energy Regulatory Commission (FERC) with responsibilities related to coordinating the development and adoption of smart grid guidelines and standards. GAO was asked to (1) assess the extent to which NIST has developed smart grid cybersecurity guidelines; (2) evaluate FERC's approach for adopting and monitoring smart grid cybersecurity and other standards; and (3) identify challenges associated with smart grid cybersecurity. To do so, GAO analyzed agency documentation, interviewed responsible officials, and hosted an expert panel.
NIST has developed, and issued in August 2010, a first version of its smart grid cybersecurity guidelines. The agency developed the guidelines--for entities such as electric companies involved in implementing smart grid systems--to provide guidance on how to securely implement such systems. In doing this, NIST largely addressed key cybersecurity elements that it had planned to include in the guidelines, such as an assessment of the cybersecurity risks associated with smart grid systems and the identification of security requirements (i.e., controls) essential to securing such systems. This notwithstanding, NIST did not address an important element essential to securing smart grid systems that it had planned to include--addressing the risk of attacks that use both cyber and physical means. NIST also identified other key elements that surfaced during its development of the guidelines that need to be addressed in future guideline updates. NIST officials said that they intend to update the guidelines to address the missing elements, and have drafted a plan to do so. While a positive step, the plan and schedule are still in draft form. Until the missing elements are addressed, there is an increased risk that smart grid implementations will not be as secure as otherwise possible.

In 2010, FERC began a process to consider an initial set of smart grid interoperability and cybersecurity standards for adoption, but has not developed a coordinated approach to monitor the extent to which industry is following these standards. While EISA gives FERC authority to adopt smart grid standards, it does not provide FERC with specific enforcement authority. This means that standards will remain voluntary unless regulators are able to use other authorities--such as the ability to oversee the rates electricity providers charge customers--to enforce them.
Additionally, although regulatory fragmentation--the divided regulation over aspects of the industry between federal, state, and local entities--complicates oversight of smart grid interoperability and cybersecurity, FERC has not developed an approach coordinated with other regulators to monitor whether industry is following the voluntary smart grid standards it adopts. FERC officials said they have not yet determined whether or how to do so. Nonetheless, adherence to standards is an important step toward achieving an interoperable and secure electricity system, and establishing an approach for coordinating on standards adoption could help address gaps, if they arise.

With respect to challenges to securing smart grid systems, GAO identified the following six key challenges:

1. Aspects of the regulatory environment may make it difficult to ensure smart grid systems' cybersecurity.
2. Utilities are focusing on regulatory compliance instead of comprehensive security.
3. The electric industry does not have an effective mechanism for sharing information on cybersecurity.
4. Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems.
5. There is a lack of security features being built into certain smart grid systems.
6. The electricity industry does not have metrics for evaluating cybersecurity.

GAO recommends that NIST finalize its plan and schedule for updating its cybersecurity guidelines to incorporate missing elements, and that FERC develop a coordinated approach to monitor voluntary standards and address any gaps in compliance. Both agencies agreed with these recommendations.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Commerce | To reduce the risk that NIST's smart grid cybersecurity guidelines will not be as effective as intended, the Secretary of Commerce should direct the Director of NIST to finalize the agency's plan for updating and maintaining the cybersecurity guidelines, including ensuring it incorporates (1) missing key elements identified in this report, and (2) specific milestones for when efforts are to be completed. Also, as a part of finalizing the plan, the Secretary of Commerce should direct the Director of NIST to assess whether any cybersecurity challenges identified in this report should be addressed in the guidelines. | In March 2011, the National Institute of Standards and Technology (NIST) issued a three-year plan for the Cyber Security Working Group (CSWG), which is responsible for updating and maintaining the cybersecurity guidelines. The plan provided actions and milestones for addressing, among other things, missing key elements and other remaining tasks to be completed. For example, to address the threat of cyber-physical attacks (a missing key element identified in our report), the plan called for the working group during 2011 and 2012 to pursue collaborations and research with other organizations that had ongoing efforts to address combined cyber-physical attacks. As a result of this collaboration and research, NIST in 2014 issued updated guidelines, which addressed the threat of cyber-physical attacks. In addition, the plan called for the guidelines to be reviewed every 18 months to determine if they needed to be updated. |
Federal Energy Regulatory Commission | To improve coordination among regulators and help Congress better assess the effectiveness of the voluntary smart grid standards process, the Chairman of FERC, making use of existing smart grid information, should develop an approach to coordinate with state regulators to (1) periodically evaluate the extent to which utilities and manufacturers are following voluntary interoperability and cybersecurity standards and (2) develop strategies for addressing any gaps in compliance with standards that are identified as a result of this evaluation. To the extent that FERC determines it lacks authority to address any gaps in compliance that cannot be addressed through this coordinated approach with other regulators, the Chairman should report this information to Congress. | Although FERC staff reported that they have taken actions to collaborate with stakeholders, including state regulators, to address smart grid and cybersecurity issues, FERC has not demonstrated that this collaboration resulted in evaluation of the extent to which manufacturers are following voluntary interoperability and cybersecurity standards or strategies to address any gaps in compliance identified. According to FERC staff, its efforts have been focused on evaluating whether stakeholder consensus is achieved during the standards development process rather than assessing whether specific standards have been implemented. |
Federal Energy Regulatory Commission | To improve coordination among regulators and help Congress better assess the effectiveness of the voluntary smart grid standards process, the Chairman of FERC, making use of existing smart grid information, should develop an approach to coordinate with groups that represent utilities subject to less FERC and state regulation (such as municipal and cooperative utilities) to (1) periodically evaluate the extent to which utilities and manufacturers are following voluntary interoperability and cybersecurity standards and (2) develop strategies for addressing any gaps in compliance with standards that are identified as a result of this evaluation. To the extent that FERC determines it lacks authority to address any gaps in compliance that cannot be addressed through this coordinated approach, the Chairman should report this information to Congress. | Although FERC staff reported that they have taken actions to collaborate with stakeholders, including groups that represent utilities subject to less FERC and state regulation, to address smart grid and cybersecurity issues, FERC has not demonstrated that this collaboration resulted in evaluation of the extent to which manufacturers are following voluntary interoperability and cybersecurity standards or strategies to address any gaps in compliance identified. According to FERC staff, its efforts have been focused on evaluating whether stakeholder consensus is achieved during the standards development process rather than assessing whether specific standards have been implemented. |
Federal Energy Regulatory Commission | The Chairman of FERC, working with NERC as appropriate, should assess whether any cybersecurity challenges identified in this report should be addressed in commission cybersecurity efforts. | Consistent with our recommendation, the Federal Energy Regulatory Commission took the following actions. First, in 2011, it began evaluating whether cybersecurity challenges, including those identified in our report, should be addressed under the agency's existing cybersecurity authority and efforts. As a part of this effort, the Commission directed the North American Electric Reliability Corporation (NERC) to revise the electricity industry's critical infrastructure protection (CIP) standards with the aim of addressing, among other things, cybersecurity challenges identified in our report. In November 2013, NERC issued updated CIP standards to address these and other cybersecurity challenges. Second, the Commission held a technical conference in 2011 in which it solicited feedback from industry stakeholders to help inform the agency's cybersecurity efforts. Third, in September 2012, the Commission established an Office of Energy Infrastructure Security, which is to, among other things, help mitigate cybersecurity threats to electricity industry facilities and improve cybersecurity information sharing. |